possible-hijack?1?2

ran ad-aware 6
- can't connect to the internet
- this error comes up:

RUNDLL
An exception occured while trying to run "c:\windows\system32\msg121.cpy.dll", UMonitor"


Logfile of HijackThis v1.97.7
Scan saved at 8:25:02 PM, on 4/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 209.213.233.61
R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Advisor (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\inetadpt.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR39126/payload2.cab
O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - http://www.popmonster.com/control/src/iefeatures.ocx
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/JEN14108/thin.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.internetwasher.com/iwasher/pptproactauthakamai/internetwasherpro.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.7342939815
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/FN/FN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4

thanks

 

Hi cam2787213,

Welcome to Wilders.

Download LSPfix as you will need it in a later step.

Now go HERE and follow the instructions to remove msg121.dll.

Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchant.com/sp

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 209.213.233.61
R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414

O10 - Broken Internet access because of LSP provider 'c:\windows\system32\inetadpt.dll' missing

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR39126/payload2.cab
O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - http://www.popmonster.com/control/src/iefeatures.ocx
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/JEN14108/thin.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.internetwasher.com/iwasher/pptproactauthakamai/internetwasherpro.cab

O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/FN/FN.cab

Now run LSPfix and use it to remove all instances of "inetadpt.dll" and only "inetadpt.dll".

Please download the latest copy of CWShredder and run. Click FIX and follow the instructions.

There also may be hidden files. See HERE for how to show hidden files.

Then reboot in Safe Mode and delete the following:

c:\windows\system32\inetadpt.dll

Reboot and then post a fresh HijackThis log.

Regards,
Kent

 

I still can't connect to the internet but the error message goes away.

Here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 9:54:42 PM, on 4/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Owner\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Advisor (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.7342939815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4

thanks

 

Hi cam,

What exactly does the message you are getting say?

Regards,
Kent

 

btw, the lsp didn't find anything and the shredder found three files none of which were inetadpt and there was no file to delete in safe mode with hidden files shown

 

there is no message
i open internet explorer and it won't load a webpage
the regular screen comes up when you are offline or disconnected

 

Hi cam,

One of the Experts should be here in the next 4 or 5 hours. I will have them take a look at your problem as all looks OK to me now.

One thing you can do to be sure we got the msg121.dll is the following:

Please download the KillBox from HERE.

Unzip it to a folder of it's own, not to the desktop or a temp folder.
Click on The KillBox.exe and it will open.
Now click find then find msg{}.dll.
Then on the little pop up window, that says killbox file list,
Click file >> create log,
And a pop up says do you want to create a log in notepad?
Click yes and then save as usual in notepad.
Copy & paste the resulting list here.

Regards,
Kent

 

ok, thanks for the help kent


Log for KillBox ver.2.0.1
--------------------------

---msg{}dll search---
C:\WINDOWS\System32\msgina.dll
C:\WINDOWS\System32\msgsvc.dll
C:\WINDOWS\System32\dllcache\msgina.dll
C:\WINDOWS\System32\dllcache\msgr3en.dll
C:\WINDOWS\System32\dllcache\msgrocm.dll
C:\WINDOWS\System32\dllcache\msgsvc.dll
C:\WINDOWS\System32\Setup\msgrocm.dll

 

Hi cam,

We got the msg.dll, so I do not know what else is going on. Someone else will look this over in the next 4 or 5 hours, just check back.

Regards,
Kent

 

Just got it to work and changed the connection back to this computer.
- just had to hit repair in network connections

thanks for the help

 

Hi cam,

Glad to hear your connection problem was something simple, good work!!

Regards,
Kent