Please review my log and help

Discussion in 'adware, spyware & hijack cleaning' started by Chas, Feb 29, 2004.

Thread Status:
Not open for further replies.
  1. Chas

    Chas Registered Member

    Joined:
    Feb 17, 2004
    Posts:
    15
    I've attached my HiJackThis Log. I'd appreciate having someone tell me what is wrong.

    My browser does not work. It does not access any websites. I am using IE, with the latest Sp1. Dial up connection is fine.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:32:09 PM, on 2/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SHUTTLE TECHNOLOGY\ICONFIG.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\BIN\HPOSTR05.EXE
    C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\AU10TRAY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\BIN\HPOVDX05.EXE
    C:\WINDOWS\SYSTEM\HPOHID05.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE"
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [ICONFIG.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE "Software\Shuttle Technology\07810200"
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series 9x\Bin\HPOstr05.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: Microsoft Office.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{00160409-78E1-11D2-B60F-006097C998E7}\misc.exe
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O10 - Broken Internet access because of LSP provider 'c:\program files\armor2net\armorwall personal firewall\netdog.dll' missing
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .3dml: C:\Program Files\Flatland\NProver.dll
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://rain.cs.boeing.com
    O15 - Trusted Zone: http://proxy-support.boeing.com
    O15 - Trusted Zone: http://*.conxion.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
    O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.getdway.com/dwayready/dpcsysinfo.cab
    O16 - DPF: {BE3115EE-B85F-4730-8ABD-345B271D4C9A} (Nomad Control) - http://plpadmin.tempdomainname.com/Nomad/nomad.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38042.6348958333

    Thanks alot!

    My system was working fine yesterday evening until I downloaded a trial of Sygate Home Network and Sygate Personal Firewall. May be coincidence but my system was fine until I installed (or tried to install) Sygate Home Network.

    Chas
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    From your log, it appears that you have been using Armorwall personal firewall. Uninstalling it has broken the LSP stack, which is why IE no longer works.
    To fix it, please download Lspfix
    Unzip and run it. Check all instances of netdog.dll (and nothing else) , and move them to the "Remove" pane.
    You will have to click the "I know what I'm doing" button.

    That should restore internet connectivity.


    Then have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - (no file)

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm


    Reboot, and delete the folder C:\Program Files\WebSavingsfromEbates

    Please post a followup Hijack this log.
     
  3. Chas

    Chas Registered Member

    Joined:
    Feb 17, 2004
    Posts:
    15
    Here's my new log. I've done everything you suggested.

    I still can not access the internet with IE or Outlook Express. Fortunately I have this computer networked to it, or I would not know what to do next.

    Here's the latest HiJackthis log -

    Logfile of HijackThis v1.97.7
    Scan saved at 10:18:58 AM, on 2/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SHUTTLE TECHNOLOGY\ICONFIG.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\BIN\HPOSTR05.EXE
    C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\AU10TRAY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\BIN\HPOVDX05.EXE
    C:\WINDOWS\SYSTEM\HPOHID05.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-support.boeing.com:31060/proxy.pac
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE"
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [ICONFIG.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE "Software\Shuttle Technology\07810200"
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series 9x\Bin\HPOstr05.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: Microsoft Office.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{00160409-78E1-11D2-B60F-006097C998E7}\misc.exe
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .3dml: C:\Program Files\Flatland\NProver.dll
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://rain.cs.boeing.com
    O15 - Trusted Zone: http://proxy-support.boeing.com
    O15 - Trusted Zone: http://*.conxion.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
    O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.getdway.com/dwayready/dpcsysinfo.cab
    O16 - DPF: {BE3115EE-B85F-4730-8ABD-345B271D4C9A} (Nomad Control) - http://plpadmin.tempdomainname.com/Nomad/nomad.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38042.6348958333
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Chas,

    In IE click Tools > Reset Websettings.

    Does that help?

    If it doesn't, try fixing this entry next:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-support.boeing.com:31060/proxy.pac

    Regards,

    Pieter
     
  5. Chas

    Chas Registered Member

    Joined:
    Feb 17, 2004
    Posts:
    15
    Sorry, didn't work.

    I guess I'm now moving toward an area that isn't covered by this forum.

    Any suggestions.

    Thank you for trying! :)
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I think dave38 was on the right track by suspecting that the removal of the firewall didn't go as it should have.

    Do you think that could be related or does it not fit the timeframe?

    Or can you think of any other major changes you made shortly before this started?

    Regards,

    Pieter
     
  7. Chas

    Chas Registered Member

    Joined:
    Feb 17, 2004
    Posts:
    15
    Yep. I believe it's firewall related.

    I un-installed Armorwall and tried an installation of Sygate Home Network, because I was hoping for a program I could just load on the one computer that would protect the networked PC (which is this one).

    Everything went Bananas when I tried to Run the Sygate program. Not been able to go to a website on that machine since.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Just so everyone finds the solution if they stumble into this thread.

     
Thread Status:
Not open for further replies.