
IE/Outlook Express:

Discussion in 'Virus & Other Malware Removal' started by referee07, Sep 30, 2003.

Thread Status:
Not open for further replies.
  1. referee07

    referee07 Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    1,364
    My IE/Outlook Express has gone psychotic. It does things on its own, e.g., goes to caps and back again and freezes. Anyone out there have any ideas? Thanks in advance.

    :confused:
     
  2. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    What operating system do you have, and which version of OE?
     
  3. referee07

    referee07 Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    1,364
    Windows XP (Home Edition); OE: 6.
    Thanks.
     
  4. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    Ok we need to try and eliminate any problems caused by spyware/adware first, so please do the following.

    First delete Temp files, Cookies and offline content. To do this,
    open Internet Explorer/Tools/Internet Options/delete cookies/delete files,
    select off-line content/clear history.


    Download cwshredder from here

    http://www.spywareinfo.com/~merijn/files/cwshredder.zip

    Close all browser windows (including minimized windows)
    Run cwshredder

    When it is finished Reboot your computer.

    Download Adaware from here

    Go here http://www.lavasoftusa.com/software/adaware/

    Make sure you select "Check for updates now" and get the latest reference files.

    Run Adaware and hit the Scan now button, make sure Activate indepth scan is selected and then
    hit next. After the scan has completed delete everything it finds.

    Restart your computer.

    Then Download Spybot search & destroy from here. Read the instructions while you're there.

    http://tomcoyote.org/SPYBOT/index1.html

    Install the program (Close all browser windows) and run it.

    Before scanning press "Online" and "Search for Updates"

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds in red.

    Restart your computer.

    Download "Hijack this" from here

    http://www.tomcoyote.org/hjt/


    Once you have unzipped it and have it running, hit the scan button. When the scan is finished the button will change to a save log button; click it and a notepad window will open. You need to copy and paste all of the log contents in here and someone will look at it for you.
     
  5. referee07

    referee07 Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    1,364
    Thanks. Will do. (y)
     
  6. referee07

    referee07 Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    1,364
    I checked my system with Adaware6 and Spybot. Below is the result of my scan with Hijack This. BTW, how can I keep from being infested with Gator? I had a lot of Gator files found with Adaware and Spybot. Thanks.

    Logfile of HijackThis v1.97.1
    Scan saved at 10:25:22 AM, on 9/30/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QUICKENW\QAGENT.EXE
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\WINDOWS\System32\KzgPN.exe
    C:\WINDOWS\System32\EsdH.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\SpyBlocker Software\spyblocker.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Documents and Settings\Carl Neighbors\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [5BGB87A2Y5ZCER] C:\WINDOWS\System32\LhoK8W3.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37894.2688078704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  7. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    Ok run Hijack This again and check the following entries:

    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?

    Close all browser windows and then select Fix/Checked

    Then reboot into safe mode and delete the following folder.

    C:\Program Files\AWS [folder]

    Repost a new log when done.
     
  8. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    Someone more experienced with logs may see something I have missed? If so please feel free to butt in ;)
     
  9. referee07

    referee07 Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    1,364
    Quick question: will I lose Weatherbug if I delete these files? Also, Weatherbug is very informative but... is it a great source for spyware? If so, and I delete all traces of Weatherbug, is there a better weather (nonspyware) program out there? Thanks.
     
  10. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    Yes you will lose Weatherbug.
    The jury is still out on whether this is spyware or not; however, it is definitely adware and will slow your browser and send you unwanted pop-ups.
    I don't know of any alternatives to Weatherbug, someone else may know though.
     
  11. referee07

    referee07 Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    1,364
    EvileYe, much thanks. Below is the result of my last scan using Hijack This. Also, I think I had better call Steven Speleberg (sp?) because I think my computer has poltergeists. When I am typing, all of a sudden the cursor disappears and I can't get it back and the mouse doesn't work at all. Also, I frequently hear a dull, "plunking" sound whenever this happens. Just recently, the Microsoft Search Companion (complete with cute dog) came up on its own. And, for no apparent reason, the blue border at the top of the screen that now says, "IE/Outlook Express: - Tech Support Guy forums - Microsoft Internet Explorer" will go from dark blue to light blue at which time I lose the ability to use the mouse and the cursor. I expect the monitor to begin spinning and spitting pea soup at any time. Is this a virus or maybe a poltergeist? (I kind of hope it is a poltergeist. That way I can call the National Enquirer and really retire. 8~).

    Logfile of HijackThis v1.97.1
    Scan saved at 10:48:12 AM, on 10/1/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QUICKENW\QAGENT.EXE
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\WINDOWS\System32\Ccbt.exe
    C:\WINDOWS\System32\FnwN9.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\SpyBlocker Software\spyblocker.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Carl Neighbors\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [5BGB87A2Y5ZCER] C:\WINDOWS\System32\MtyJ62F.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37894.2688078704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  12. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    I have requested this post be moved to the security forum as I am sure you have something on your system that shouldn't be there.
     
  13. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    O4 - HKLM\..\Run: [5BGB87A2Y5ZCER] C:\WINDOWS\System32\MtyJ62F.exe

    That is definitely the baddie there, I think if you fix that, then do a search for that file name and delete it......
     
  14. referee07

    referee07 Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    1,364
    I have deleted MtyJ62F.exe and below is my latest scan using Hijack This. What was this MtyJ62F.exe? Also, I have a Windows folder entitled "Prefetch." What is this? It seems to contain many "buggers" that have the potential to harm my computer.
    Many thanks.

    Logfile of HijackThis v1.97.1
    Scan saved at 9:00:45 PM, on 10/1/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\SpyBlocker Software\spyblocker.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\Program Files\QUICKENW\QAGENT.EXE
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\ZhdNmV4l.exe
    C:\WINDOWS\System32\OqxOq.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Carl Neighbors\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [5BGB87A2Y5ZCER] C:\WINDOWS\System32\LhoK8W3.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37894.2688078704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  15. referee07

    referee07 Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    1,364
    What is: 04 - HKLM\..\Run: [5BGB87A2Y5ZCER] C:\WINDOWS\System32\LhoK8W3.exe?
    This is an "exe" program, and I am thinking
    maybe it doesn't belong on my computer.
    Thanks again.
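
An added example, not part of the original thread: the three HijackThis logs above show the `[5BGB87A2Y5ZCER]` Run value surviving each cleanup while the executable it points to changes. The sketch below parses O4 registry autorun lines and reports any value whose target differs between scans; the function names are this example's own, and the sample lines are a subset copied from the posted logs.

```python
import re
from collections import defaultdict

# Subset of O4 lines copied from the three HijackThis logs posted in this
# thread, keyed by each log's "Scan saved at" timestamp.
LOGS = {
    "9/30/2003 10:25:22 AM": r"""
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [5BGB87A2Y5ZCER] C:\WINDOWS\System32\LhoK8W3.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
""",
    "10/1/2003 10:48:12 AM": r"""
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [5BGB87A2Y5ZCER] C:\WINDOWS\System32\MtyJ62F.exe
""",
    "10/1/2003 9:00:45 PM": r"""
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [5BGB87A2Y5ZCER] C:\WINDOWS\System32\LhoK8W3.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
""",
}

# Matches registry autoruns such as "O4 - HKLM\..\Run: [Name] command line".
# Startup-folder shortcuts ("O4 - Startup: ...") are deliberately not matched.
O4_REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")

def parse_o4(log_text):
    """Return {(hive, key, value_name): command} for each O4 registry line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = command
    return entries

def drifting_autoruns(logs):
    """Autorun values present in several scans whose target is not constant."""
    history = defaultdict(list)
    for stamp, text in logs.items():
        for ident, command in parse_o4(text).items():
            history[ident].append((stamp, command))
    return {ident: seen for ident, seen in history.items()
            if len({command.lower() for _, command in seen}) > 1}

if __name__ == "__main__":
    for (hive, key, name), seen in drifting_autoruns(LOGS).items():
        print(f"{hive}\\..\\{key} [{name}] changed target between scans:")
        for stamp, command in seen:
            print(f"  {stamp}: {command}")
```

A value name that persists while its target file is renamed means deleting the file alone has not removed whatever rewrites the entry, so the Run value and the process recreating it both need attention.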
     