1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

http://4bf65,ilxt.info & about:blank

Discussion in 'Virus & Other Malware Removal' started by snoopy7384, Sep 2, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. snoopy7384

    snoopy7384 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    115
    Hello. I am new to this site and found that it helped many people and was wondering if you could help me. As for me I am really lost when it comes to computers but I need it for work. Lately When I try and run Internet Explorer or my internet on AOL I get continuous popups. All of them are from the website http://4bf65.ilxt.info. I also get my homepage redirected to about:blank. I have no idea what this is but I am guessing it's a virus. Just to let you know I am using a Windows 98 and the Interent Explorer 6.0. I was also advisedby family to us AdAware and Spy Hunter but sadly this hasn't worked. Any help with this would be greatly appreciated. ~Snoopy
     
  2. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Hello Snoopy. Welcome to the TSG

    This is what I suggest you do first. Be sure to read the instructions.

    Make sure you have the up-to-date versions of Spybot, Ad-aware and HijackThis. All are free and available bellow.

    Download Spybot, install and update. Then download Ad-aware, install, and update.

    Spybot:
    Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

    Close ALL windows except Spybot S&D
    Click the button to "Search for Updates" and download and install the Updates.
    Next click the button "Check for Problems"
    When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
    Put a check mark beside the RED (RED) entries ONLY.
    Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

    Ad-Aware FULL SCAN:

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Before restart, Empty Recycle Bin.

    Restart your computer.

    Download HijackThis from link in my signature. Save it to a permanent folder (I create a new folder in C:\ named HJT). Open and hit scan, then save log. Once it is saved it will open in notepad. Select all from the edit button, copy and paste the results here. Don't fix anything with it yet! Someone experienced with the logs will advise you.
     
  3. snoopy7384

    snoopy7384 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    115
    Here is my result from Hijack this. I hope this info is what you needed to help my computer with this problem. Could any of this info also explain other information like why my computer runs very slow or why some applications may be run a little "shotty"?
    Thanks for all your help with this problem because it is driving me insane :)

    ~Snoopy

    Logfile of HijackThis v1.98.2
    Scan saved at 11:40:32 PM, on 9/4/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.topfivesearch.com/search.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.101/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    O1 - Hosts: 64.14.40.138 www.searchalot.com
    O1 - Hosts: 64.14.40.138 searchalot.com
    O1 - Hosts: 64.4.43.7 www.hotmail.com
    O1 - Hosts: 64.4.52.7 hotmail.com
    O1 - Hosts: 205.188.160.121 aol.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
    O2 - BHO: Zedd4Proj.clsUnoOne - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINDOWS\SYSTEM\ZEDD4.DLL
    O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - C:\PROGRA~1\SYSTEM\MISC\MBH19.DLL
    O2 - BHO: (no name) - {5EF16CC1-FB52-11D8-BC30-0004724BE864} - C:\WINDOWS\SYSTEM\MSDOH.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AMERICA ONLINE 8.0\AIM95\AIM.EXE
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/HearMeAutoInstaller.exe
    O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://directplugin.com/dialers/109446.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/1w2fcksh.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://movie-browser.com/tl4000.dll
    O16 - DPF: {2AEBF56B-88C4-7EC4-3B3F-24F1B5AD40FF} - http://public.searchbarcash.com/cab/006/asqkfkgw.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.colorphotomix.biz/server.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O18 - Filter: text/html - {5EF16CC0-FB52-11D8-BC30-00041D074DFF} - C:\WINDOWS\SYSTEM\MSDOH.DLL
    O18 - Filter: text/plain - {5EF16CC0-FB52-11D8-BC30-00041D074DFF} - C:\WINDOWS\SYSTEM\MSDOH.DLL
    O19 - User stylesheet: (file missing)
     
  4. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    I suggest you do this:
    As much as needs fixed, I don't think you're going to have much left :eek:

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.topfivesearch.com/search.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.101/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    O1 - Hosts: 64.14.40.138 www.searchalot.com
    O1 - Hosts: 64.14.40.138 searchalot.com
    O1 - Hosts: 64.4.43.7 www.hotmail.com
    O1 - Hosts: 64.4.52.7 hotmail.com
    O1 - Hosts: 205.188.160.121 aol.com

    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
    O2 - BHO: Zedd4Proj.clsUnoOne - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINDOWS\SYSTEM\ZEDD4.DLL
    O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - C:\PROGRA~1\SYSTEM\MISC\MBH19.DLL
    O2 - BHO: (no name) - {5EF16CC1-FB52-11D8-BC30-0004724BE864} - C:\WINDOWS\SYSTEM\MSDOH.DLL
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/HearMeAutoInstaller.exe
    O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://directplugin.com/dialers/109446.exe
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...ab/1w2fcksh.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://movie-browser.com/tl4000.dll
    O16 - DPF: {2AEBF56B-88C4-7EC4-3B3F-24F1B5AD40FF} - http://public.searchbarcash.com/cab/006/asqkfkgw.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.colorphotomix.biz/server.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O18 - Filter: text/html - {5EF16CC0-FB52-11D8-BC30-00041D074DFF} - C:\WINDOWS\SYSTEM\MSDOH.DLL
    O18 - Filter: text/plain - {5EF16CC0-FB52-11D8-BC30-00041D074DFF} - C:\WINDOWS\SYSTEM\MSDOH.DLL
    O19 - User stylesheet: (file missing)

    Restart your computer.

    Press the F8 key until the startup menu appears.

    Choose the Safe Mode option then press Enter.

    Double-click the My Computer icon on the Windows desktop.
    Click the View menu, and then click Options or Folder Options.
    Click the View tab.
    In the Advanced settings box, under the "Hidden files" folder, select Show all files.
    Click Apply, and then click OK.


    C:\WINDOWS\SYSTEM\ZEDD4.DLL <---Delete File
    C:\PROGRA~1\SYSTEM\MISC\MBH19.DLL <---Delete File
    C:\WINDOWS\SYSTEM\MSDOH.DLL <---Delete File

    1. Open My Computer
    2. Right click on your hard drive that you wish to clean (C drive, for example)
    3. In the context menu that opens, select properties
    4. Under the general tab you should select Disk Cleanup
    5. Windows will scan your drive which will take a few seconds/minutes
    6. A box will display the various files you can remove. Here are some safe examples:

    Temporary Internet Files
    Recycle Bin
    Temporary Files
    7. Click OK and windows will comply.

    Post a new HijackThis log
     
  5. snoopy7384

    snoopy7384 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    115
    hey. I did everything you said except you told me to delete these however I dont know where to find, or how to delete, these:
    C:\WINDOWS\SYSTEM\ZEDD4.DLL <---Delete File
    C:\PROGRA~1\SYSTEM\MISC\MBH19.DLL <---Delete File
    C:\WINDOWS\SYSTEM\MSDOH.DLL <---Delete File

    Once I get rid of these I'll send you the hijack This log.

    Thanks ~snoopy
     
  6. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    You can do a search for them:
    I think in W98 you do Start> Find> type in the file like ZEDD4.DLL if it finds it just Right Click on it and select delete. Do this for all three.

    Empty Recycle Bin before restarting.
     
  7. snoopy7384

    snoopy7384 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    115
    For all three they kept saying file not find, so I guess it I dont have it on my computer. Here is the new HJT Log:



    Logfile of HijackThis v1.98.2
    Scan saved at 12:16:26 PM, on 9/5/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AMERICA ONLINE 8.0\AIM95\AIM.EXE
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
     
  8. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O10 - Hijacked Internet access by New.Net

    Go here for the instructions on removing this one.
    New.net

    Empty Recycle Bin

    Post a new HJT log
     
  9. snoopy7384

    snoopy7384 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    115
    New HJT log post.....Thanks, yet again
    ~Snoopy

    Logfile of HijackThis v1.98.2
    Scan saved at 1:17:45 AM, on 9/6/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AMERICA ONLINE 8.0\AIM95\AIM.EXE
    O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  10. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    Yesterday 08:02 PM

    Empty Recycle Bin

    Open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link bellow for SpywareBlaster, download, install and update. Check for updates weekly. Still in Spybot, click tools in the left pane, then click IE tweaks and at least lock the HOSTS file. Then download and install IESpyads.

    That will give you an added layer of protection against unwanted parasites.

    You should be good to go after his.
    Post one last HJT log.
     
  11. snoopy7384

    snoopy7384 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    115
    Looks like the problem is fixed. It also appears the computer boots up faster as well. I want to thank you very much for the time and efficiency in the website and with your help. I thank you very much and I know where to turn if the computer starts acting crazy again. Thanks so much for everything...and here is, hopefully :), the last HJT log file!
    ~Snoopy


    Logfile of HijackThis v1.98.2
    Scan saved at 2:23:19 PM, on 9/6/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AMERICA ONLINE 8.0\AIM95\AIM.EXE
    O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
     
  12. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Good job....Be sure to do this:

    Open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link bellow for SpywareBlaster, download, install and update. Check for updates weekly. Still in Spybot, click tools in the left pane, then click IE tweaks and at least lock the HOSTS file. Then download and install IESpyads.

    That will give you an added layer of protection against unwanted parasites.

    You should be good to go after his.
     
  13. snoopy7384

    snoopy7384 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    115
    Hello snoopy here again. Today when I double clicked on internet explorer a message that said it ran an illegal operations and would be shut down. It said if this happens restart my computer. I restarted it 5 times and I got the same page. I did the spybot and that did not work, but I want to see if the HJT gave me anything new and it had a huge list again. I was having trouble using the iespyads and am confused on how to use it. Well here is my HJT log. please assist me one more time. Thanks again
    ~snoopy


    Logfile of HijackThis v1.98.2
    Scan saved at 8:56:29 PM, on 9/8/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\WINAD CLIENT\WINCLT.EXE
    C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {4EDC8C38-5D69-92AC-1EE3-CC367C3A2315} - C:\WINDOWS\SYSTEM\APIXW32.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AMERICA ONLINE 8.0\AIM95\AIM.EXE
    O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O15 - Trusted Zone: *.scoobidoo.com
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  14. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Print this out.

    Please download this tool called 'About:Buster':

    http://www.downloads.subratam.org/AboutBuster.zip

    'About:Buster':

    Important steps to getting this tool to work properly:

    First unzip all files from the zip folder to a folder or your desktop. Start it and hit ok. Then hit update. A new screen should popup. On that screen hit Check for Updates. If it says it found an update hit Download Updates. If it doesnt it will automatically tell you and exit.

    Now, boot in to safe mode. Instructions on how to do so are in the following link:

    http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

    (Follow the instructions revelant to your operating system. In this case it is either Windows 2000 or XP)

    DO NOT relaunch Internet Explorer at any point during this. Stay Offline Until finished.

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kxslc.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {4EDC8C38-5D69-92AC-1EE3-CC367C3A2315} - C:\WINDOWS\SYSTEM\APIXW32.DLL
    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE

    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


    Did you put this in your Trusted Zone? If not, fix also with HijackThis
    O15 - Trusted Zone: *.scoobidoo.com

    If still there delete this file and the winad folder

    C:\WINDOWS\SYSTEM\APIXW32.DLL <---Delete File
    C:\PROGRAM FILES\WINAD CLIENT <---Delete Folder


    Before restarting run aboutbuster. Again remain offline. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    Once the tool is done scanning, copy the log and save it to paste back here in your thread.

    Restart your computer,

    Now run about:Buster again just to be sure it got everything.

    Make a copy of the log it creates again.

    Reboot and post the 2 about buster logs and a fresh HijackThis log.
     
  15. snoopy7384

    snoopy7384 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    115
    Here are the 2 Buster logs. Thanks

    Scanned at: 12:33:45 AM on: 9/9/04


    -- Scan 1 ---------------------------
    About:Buster Version 3.0
    Reference List : 15


    ADS not scanned System(FAT)
    Removed! : C:\WINDOWS\SYSTEM\sdklh32.exe
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 1 ---------------------------
    About:Buster Version 3.0
    Reference List : 15


    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    And Here is the New HJT log

    Logfile of HijackThis v1.98.2
    Scan saved at 12:42:00 AM, on 9/9/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    C:\PROGRAM FILES\WINAD CLIENT\WINCLT.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\HJT\HIJACKTHIS.EXE

    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AMERICA ONLINE 8.0\AIM95\AIM.EXE
    O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/269399

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice