More Browser Problems

Discussion in 'adware, spyware & hijack cleaning' started by poconnor16, Apr 22, 2004.

Thread Status:
Not open for further replies.
  1. poconnor16

    poconnor16 Registered Member

    Joined:
    Apr 20, 2004
    Posts:
    12
    Hi all, my system keeps spawning new browser windows. So many that if I leave it on overnight the system will freeze. I have run Adaware and Spybot Search & Destroy. Here is my HijackThis log. Any help would be greatly appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:31:46 AM, on 4/22/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.paylolita.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: ) {
    O1 - Hosts: myRepeatArray[ID]--;
    O1 - Hosts: setTimeout("sendExternalUrl(" + ID + ",'" + Url + "', 0, 'FALSE')", Timeout);
    O1 - Hosts: setTimeout("sendExternalUrl(" + ID + ",'" + Url + "', " + Timeout + ", '" + Repeat + "')", Timeout);
    O1 - Hosts: }
    O1 - Hosts: }
    O1 - Hosts: else {
    O1 - Hosts: if (!Timeout) {
    O1 - Hosts: window.document.getElementById('myScript').src = "";
    O1 - Hosts: window.document.getElementById('myScript').src = Url;
    O1 - Hosts: }
    O1 - Hosts: else setTimeout("sendExternalUrl(" + ID + ",'" + Url + "', 0, '" + Repeat + "')", Timeout);
    O1 - Hosts: }
    O1 - Hosts: }
    O1 - Hosts: myRepeatArray[3] = "10";
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O1 - Hosts: D8-9265-0020780621A5}&mSkip=1&rnd=14476", 185000, "FALSE");
    O1 - Hosts: myRepeatArray[2] = "3";
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O1 - Hosts: tnet.com');
    O1 - Hosts: serted by Spybot - Search & Destroy
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.4684953704
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

    Thanks

    Paul O'Connor
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi poconnor16,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These will end up on your desktop now.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.paylolita.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing

    O1 - Hosts: ) {
    O1 - Hosts: myRepeatArray[ID]--;
    O1 - Hosts: setTimeout("sendExternalUrl(" + ID + ",'" + Url + "', 0, 'FALSE')", Timeout);
    O1 - Hosts: setTimeout("sendExternalUrl(" + ID + ",'" + Url + "', " + Timeout + ", '" + Repeat + "')", Timeout);
    O1 - Hosts: }
    O1 - Hosts: }
    O1 - Hosts: else {
    O1 - Hosts: if (!Timeout) {
    O1 - Hosts: window.document.getElementById('myScript').src = "";
    O1 - Hosts: window.document.getElementById('myScript').src = Url;
    O1 - Hosts: }
    O1 - Hosts: else setTimeout("sendExternalUrl(" + ID + ",'" + Url + "', 0, '" + Repeat + "')", Timeout);
    O1 - Hosts: }
    O1 - Hosts: }
    O1 - Hosts: myRepeatArray[3] = "10";
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O1 - Hosts: D8-9265-0020780621A5}&mSkip=1&rnd=14476", 185000, "FALSE");
    O1 - Hosts: myRepeatArray[2] = "3";
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O1 - Hosts: tnet.com');
    O1 - Hosts: serted by Spybot - Search & Destroy

    Download LSPfix here: http://www.cexx.org/lspfix.htm
    Launch the application, and click the "I know what I'm doing" checkbox.
    Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    Then reboot and copy and paste the bold text into an Internet Explorer Address Bar.
    javascript:navigator.userAgent
    Post the result that appears in the IE screen please.

    Regards,

    Pieter
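
An added example, not part of the original thread and not HijackThis's own code: a Python triage of the O1 (hosts file) and O10 (Winsock LSP) lines from the log above, separating well-formed address-to-name mappings from lines that are not valid hosts entries at all. The sample lines are copied from the posted log; the function names and the `redirect`/`local`/`malformed` labels are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: ) {
O1 - Hosts: myRepeatArray[ID]--;
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: serted by Spybot - Search & Destroy
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
"""

ENTRY = re.compile(r"^\s*(O\d+)\s+-\s+(.*)$")  # "O1 - ...", "O10 - ..."

def classify_hosts(value):
    """Classify one hosts line as ('redirect' | 'local' | 'malformed', ip, names)."""
    fields = value.split("#", 1)[0].split()  # drop any trailing comment
    try:
        ip = ipaddress.ip_address(fields[0]) if len(fields) >= 2 else None
    except ValueError:
        ip = None  # first field is not an address: not a hosts mapping
    if ip is None:
        return ("malformed", None, [])
    # Loopback/unspecified targets only sink a name; anything else re-points it.
    kind = "local" if ip.is_loopback or ip.is_unspecified else "redirect"
    return (kind, str(ip), fields[1:])

def triage(log_text):
    """Group O1 and O10 findings from a HijackThis log for review."""
    report = {"redirect": {}, "local": {}, "malformed": [], "lsp": Counter()}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if section == "O1" and rest.startswith("Hosts:"):
            value = rest[len("Hosts:"):].strip()
            kind, ip, names = classify_hosts(value)
            if kind == "malformed":
                report["malformed"].append(value)
            else:
                for name in names:
                    report[kind].setdefault(name.lower(), ip)
        elif section == "O10" and "Winsock LSP:" in rest:
            report["lsp"][rest.split("Winsock LSP:", 1)[1].strip().lower()] += 1
    return report
```

Calling `triage(SAMPLE_LOG)` reports the search and AIM hostnames under `redirect`, the script fragments under `malformed`, and a count per LSP file under `lsp`.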
     
  3. poconnor16

    poconnor16 Registered Member

    Joined:
    Apr 20, 2004
    Posts:
    12
    Here is what came up:

    Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; {EBB538E0-2CFD-11D8-9265-0020780621A5})

    Here is my Hijack This log now:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:12:17 AM, on 4/22/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.4684953704
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab


    Thanks for your help so far

    Paul O'Connor
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Paul,

    That is what I was afraid of.

    Before you follow these instructions I have to warn you that they are experimental.
    I will try to repair any damage it might do, but you might end up having to format. The alternative is to wait until a tested solution for this malware is found for Windows 98. So far we only have a working solution for Windows 2000 and Windows XP Pro.

    Download and unzip http://download.broadbandmedic.com/VbStuff/KillBox.zip
    You will need it later on.

    Also download the L2M.txt file I attached to this post and save it as L2M.reg

    Click Start > Run > system.ini to edit the c:\windows\system.ini file.
    Once it is open, change the line shell=explorer.exe to shell=progman.exe. What you are doing here is changing the default shell from the Windows Explorer to the old Windows Program Manager shell.

    Reboot Windows. It should now successfully boot with no errors into an empty Program Manager shell.

    Use KillBox like this:
    Close all open windows, open KillBox and under Fix L2M>>Kill VX2.BetterInternet.
    Your computer will shut down.
    On rebooting, these 2 files should be deleted:
    NASTY.cpy.dll
    NASTY.dll

    Then double-click the L2M.reg you saved. Confirm you want to merge it with the registry.

    Reboot again and hit the F8 key to bring up a Boot Menu. Choose Command Prompt and boot to the command prompt. Once there, type edit c:\windows\system.ini and, once it is open, change the line shell=progman.exe back to shell=explorer.exe. Save and exit the file. You have now set the shell back to the original value.

    Post a new log when you are done.

    Regards,

    Pieter

    Attachment:
    https://www.wilderssecurity.com/attachment.php?attachmentid=136502
     