Unlock Browser settings???

Discussion in 'adware, spyware & hijack cleaning' started by marchiafava, Dec 14, 2003.

Thread Status:
Not open for further replies.
  1. marchiafava
    marchiafava Registered Member

    My original problem was my web browser is constantly being redirected to INTERNET OPTIMIZER by YOOGEE. DNS ERROR "ads.msn.com" cannot be found.

    Does anyone know how to unlock browser settings?
    Internet Options is locked "see administrator". I am the administrator - this is my personal PC.

    I have a McAfee Firewall. I have recently run SPYBOT Search and Destroy to try to solve the problem. I have also installed SpywareBlaster.

    PLEASE HELP.
  2. Q Section
    Q Section Registered Member

    Hello marchiafava

    Please download HijackThis and run "Scan". Do not fix anything yet. Most of what it shows is either harmless or necessary. After the scan finishes - the scan button turns into a "Save Log" button. Save the log and post it here and some expert will advise you on what to do next.
  3. marchiafava
    marchiafava Registered Member

    Thanks, but the link you put on your message will not work either. It does not lead anywhere? I then found the web site by search, but when I pressed the download button it directed me to a blank MSN search page???
  4. DolfTraanberg
    DolfTraanberg Registered Member

  5. Q Section
    Q Section Registered Member

    Yes the link does work. We just tried it from the post page. It sounds like you may have a major browser hijack going on. We then recommend another site for the file here.
  6. DolfTraanberg
    DolfTraanberg Registered Member

    Try to cut and paste the URL in Explorer instead of Internet Explorer
    Dolf
  7. marchiafava
    marchiafava Registered Member

    Here's the log!!




    Logfile of HijackThis v1.97.7
    Scan saved at 2:10:13 AM, on 12/14/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSER~1.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\WINDOWS\hh.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM215.DLL
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - Startup: Resume Windows Update Installation.lnk.disabled
    O4 - Global Startup: InControl Desktop Manager.lnk.disabled
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  8. Paul Wilders
    Paul Wilders Administrator

    I've moved this thread to the appropriate forum ;)

    regards.

    paul
  9. Q Section
    Q Section Registered Member

    marchiafava

    Have HijackThis fix the following by placing a check in the appropriate boxes and hitting 'Fix Checked'. Make sure all browser and all Windows Explorer windows are closed before fixing. Reboot when done.

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM215.DLL

    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL


    Afterwards rerun Spybot S&D and update, scan, and hit "Check for Problems". Have Spybot S&D fix all RED items it finds if any. Reboot when finished.

    Best wishes.
  10. Pieter_Arntz
    Pieter_Arntz Spyware Veteran

    Hi marchiafava,

    Also have HijackThis Fix:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    which will solve the problem you originally posted about.

    Regards,

    Pieter
  11. marchiafava
    marchiafava Registered Member

    I did all of the above. Still all my page links in e-mails are dead and "ads.msn.com" cannot be found. MSN support sent me an e-mail with a link to Brown University for a "Trojan Ghost" program, but the link to download the program won't work??? Any further suggestions? Can I try to save a new copy of IE6 in my documents, then uninstall all the old stuff, then load the new IE6???
  12. Pieter_Arntz
    Pieter_Arntz Spyware Veteran

    Hi marchiafava,

    Seeing that you have not yet installed SP1 for IE6, I would try that first. A lot of files will be replaced by newer versions, which might solve your problem.

    Choose the correct language here: http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp before you proceed.

    Regards,

    Pieter
  13. marchiafava
    marchiafava Registered Member

    Thanks, I'll try that. Also the link in your response leads me nowhere. I will try to get to the site by typing it into the address bar on my browser.

    Thanks again



    I have tried this when the problems started. I just tried it again a couple of times. I have closed all apps and still get a message - "setup was unable to install all of the components. Please close all applications and try again"???
  14. ellison64
    ellison64 Registered Member

    I believe your problem is with an option you have enabled with Spybot itself. Go to immunise section of Spybot and untick "lock ie control panel against opening from within ie (current user)"
    me
  15. marchiafava
    marchiafava Registered Member

    Thanks for your help. I will check that again, but I did uncheck that once. I'll check that and try again.

    Thanks
  16. marchiafava
    marchiafava Registered Member

    I did check it and the only one checked is "Lock hosts file read-only as protection against hijackers"??? Is that OK???
  17. ellison64
    ellison64 Registered Member

    I don't use any hosts files to block ads etc., as I block with other apps; however, it won't hurt to untick for now and see if that makes a difference. The initial problem does seem very much like the IE lock option being ticked, though it's now unticked. Maybe worth ticking it and then trying to access the Internet Options, then untick it again and try.
    me
  18. marchiafava
    marchiafava Registered Member

    I'll try anything.
    THANKS
  19. ellison64
    ellison64 Registered Member

    Here's what happens when that option's ticked (on w98)
    see attach
    me

    Attached Files:

  20. marchiafava
    marchiafava Registered Member

    Thanks for the visuals. That was exactly what I was getting yesterday when I tried to access my internet options toolbar, but I got that fixed last night. I have checked and unchecked all the options in "immunize", still gots problems. I think my biggest problem is that the webpage "ads.msn.com" has been blocked or rerouted somehow. Maybe even by me. I did block a bunch of stuff in McAfee Firewall, but I think I unblocked everything. The problems began before I blocked anything.

    Anyway, thanks for the help.


    Still willing to try anything!!!
  21. Dan Perez
    Dan Perez Retired Moderator

    Hey marchiafava ;)

    Can you please post a fresh HijackThis log so we can get a better sense of whether changes made were kept out or reintroduced?

    Thanks :)
  22. marchiafava
    marchiafava Registered Member

    Thanks Dan,

    Here's the log.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:33:57 PM, on 12/14/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MpfTray.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSER~1.EXE
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ads.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - Startup: Resume Windows Update Installation.lnk.disabled
    O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    O4 - Global Startup: InControl Desktop Manager.lnk.disabled
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  23. Dan Perez
    Dan Perez Retired Moderator

    Okay,

    can you please close out of all applications/windows and select and fix the following;

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ads.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Then reboot and continue on with your apparently incomplete update of IE and let us know how it goes once that update is complete.

    Thanks
  24. marchiafava
    Offline

    marchiafava Registered Member

    Hey Dan,

    I did the same thing with the same results. Incomplete installation. Rebooted. Still dead end surfing. Here is a new log from HijackThis.

    10:50 PM 12/14/2003
    Logfile of HijackThis v1.97.7
    Scan saved at 10:50:28 PM, on 12/14/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSER~1.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\unzipped\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - Startup: Resume Windows Update Installation.lnk.disabled
    O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    O4 - Global Startup: InControl Desktop Manager.lnk.disabled
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  25. Dan Perez
    Dan Perez Retired Moderator

    Have you tried disabling McAfee Firewall to see if the browse/link problem goes away? Also, have you tried a non-IE browser such as Firebird or Opera?

    Not thinking of these as a workaround but merely to help show the extent of the issue and maybe to help isolate the source.