msg121.dll help needed badly

Discussion in 'adware, spyware & hijack cleaning' started by cg6672, Apr 6, 2004.

Thread Status:
Not open for further replies.
  1. cg6672

    cg6672 Guest

    Hi & help!!!!

    I got hit with something pretty bad. I already ran Ad Aware 6.181 and also Spybot S & D on it, to no avail.

    Here is my log file:

    ogfile of HijackThis v1.97.7
    Scan saved at 9:59:31 PM, on 4/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Program Files\killbox\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/WINDOWS/System32/blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\System32\blank.htm
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hope film does - {DBD2520E-AAD2-371F-374F-F2BAFD52279E} - C:\PROGRA~1\GPLBAR~1\flagatom.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [CityGlue] C:\PROGRA~1\transbonesixth\trust creative.exe
    O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\tb_setup.exe /dcheck
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm2\HOTSYNC.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37584.6382060185
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD5DA2-0EEC-42F5-8FF2-A92843FA3032}: NameServer = 204.127.129.4 12.102.244.4



    Please help me out!!!

    Thanks :)
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cg6672,

    First go HERE and follow the instructions to remove msg121.dll.

    Reboot.

    Then download the KillBox from HERE.

    Unzip it to a folder of it's own, not to the desktop or a temp folder.
    Click on The KillBox.exe and it will open.
    Now click find then find msg{}.dll.
    Then on the little pop up window, that says killbox file list,
    Click file >> create log,
    And a pop up says do you want to create a log in notepad?
    Click yes and then save as usual in notepad.
    Copy & paste the resulting list here along with a new HJT log.

    Regards,
    Kent
     
  3. cg6672

    cg6672 Guest

    Hi Kent!

    Thanks for the fast reply. I went to the link before (and sutpidly closed my window) now it gives me the following message:

    The daily bandwidth limit for this customer has been exceeded. Try again after midnight, EST.
    Click here for more information.

    Any change anyone here has the instructions and the direct link to the download?

    :oops:

    THanks again, I really appreciate any help!
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cg6672,

    That is the only sure complete fix for the msg.dll. There are others but they are hit and miss. You would be best to wait a hour or so and use that fix.

    Regards,
    Kent
     
  5. cg6672

    cg6672 Guest

    Will do. Thanks Kent. Here's hoping I'll get to this tonight.
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
  7. cg6672

    cg6672 Guest

    Something tells me it's gonna be a long night :D Hey, there's an excuse for a big breakfast tomorrow! Trying to stay positive. Looking at your board it seems like this msg thingamajig is a new problem, right? I am still wondering how the heck I even got it in the first place.
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cg6672,

    The 121 version is fairly new. They keep changing the number on it over a period of time to make us change our way of fighting it. And it makes a copy of itself and then the original and the copy watch each others back to make it hard to kill.

    Kent
     
  9. cg6672

    cg6672 Guest

    Kent, THANK YOU so much. Both of the msg files are gone! Maybe I get some sleep afterall :)
     
  10. Guest~freeee

    Guest~freeee Guest

    :cool: Kewl!

    In ref: My site may be exceeding it's daily quota
    according to 'hits' @~8pm till midnights EST!

    Temp mirror (some links are not all
    updated yet, original package is ready tho)

    http://www.aboutme.com/freeatlast1/L2M/Msg_121.htm *puppy*
     
  11. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cg6672,

    There are still a few items that will need to be fixed. Please post a new HJT log so we can finish cleaning you up,

    Regards,
    Kent
     
  12. cg6672

    cg6672 Guest

    You bet, here it is:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:48:03 AM, on 4/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Palm2\HOTSYNC.EXE
    C:\Program Files\Wacom\TabUserW.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\killbox\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\System32\blank.htm
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hope film does - {DBD2520E-AAD2-371F-374F-F2BAFD52279E} - C:\PROGRA~1\GPLBAR~1\flagatom.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm2\HOTSYNC.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37584.6382060185
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD5DA2-0EEC-42F5-8FF2-A92843FA3032}: NameServer = 12.102.244.4 204.127.129.4

    THANK YOU :)
     
  13. cg6672

    cg6672 Guest

    Well, if you are the one who created the fix, let me just extend a big thanks to you as well :)
     
  14. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cg6672,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\System32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\System32\blank.htm

    O3 - Toolbar: hope film does - {DBD2520E-AAD2-371F-374F-F2BAFD52279E} - C:\PROGRA~1\GPLBAR~1\flagatom.dll (file missing)

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\WINDOWS\System32\blank.htm
    C:\PROGRA~1\GPLBAR~1\ <-- entire folder

    Reboot.

    Please download the KillBox from HERE.

    Unzip it to a folder of it's own, not to the desktop or a temp folder.
    Click on The KillBox.exe and it will open.
    Now click find then find msg{}.dll.
    Then on the little pop up window, that says killbox file list,
    Click file >> create log,
    And a pop up says do you want to create a log in notepad?
    Click yes and then save as usual in notepad.
    Copy & paste the resulting list here along with a fresh HijackThis log.

    Regards,
    Kent

    P.S. Yes, that was free at last who created that automated fix you used ;) .....
     
Thread Status:
Not open for further replies.