possible-hijack?1?2

Discussion in 'adware, spyware & hijack cleaning' started by cam2787213, Apr 2, 2004.

Thread Status:
Not open for further replies.
  1. cam2787213

    cam2787213 Guest

    ran ad-aware 6
    - can't connect to the internet
    - this error comes up:

    RUNDLL
    An exception occured while trying to run "c:\windows\system32\msg121.cpy.dll", UMonitor"


    Logfile of HijackThis v1.97.7
    Scan saved at 8:25:02 PM, on 4/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchant.com/sp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchant.com/sp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchant.com/sp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 209.213.233.61
    R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Advisor (HKCU)
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\inetadpt.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR39126/payload2.cab
    O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - http://www.popmonster.com/control/src/iefeatures.ocx
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/JEN14108/thin.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.internetwasher.com/iwasher/pptproactauthakamai/internetwasherpro.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.7342939815
    O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/FN/FN.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4

    thanks
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cam2787213,

    Welcome to Wilders.

    Download LSPfix as you will need it in a later step.

    Now go HERE and follow the instructions to remove msg121.dll.

    Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchant.com/sp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchant.com/sp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchant.com/sp

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 209.213.233.61
    R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414

    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\inetadpt.dll' missing

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR39126/payload2.cab
    O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - http://www.popmonster.com/control/src/iefeatures.ocx
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/JEN14108/thin.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.internetwasher.com/iwasher/pptproactauthakamai/internetwasherpro.cab

    O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/FN/FN.cab

    Now run LSPfix and use it to remove all instances of "inetadpt.dll" and only "inetadpt.dll".

    Please download the latest copy of CWShredder and run. Click FIX and follow the instructions.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot in Safe Mode and delete the following:

    c:\windows\system32\inetadpt.dll

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  3. cam2787213

    cam2787213 Guest

    I still can't connect to the internet but the error message goes away.

    Here is the new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:54:42 PM, on 4/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Documents and Settings\Owner\Desktop\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Advisor (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.7342939815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2059D6C7-4F14-4EB9-B560-78E7B64DD32B}: NameServer = 66.203.160.3,66.203.160.4

    thanks
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cam,

    What exactly does the message you are getting say?

    Regards,
    Kent
     
  5. cam2787213

    cam2787213 Guest

    btw, the lsp didn't find anything and the shredder found three files none of which were inetadpt and there was no file to delete in safe mode with hidden files shown
     
  6. cam2787213

    cam2787213 Guest

    there is no message
    i open internet explorer and it won't load a webpage
    the regular screen comes up when you are offline or disconnected
     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cam,

    One of the Experts should be here in the next 4 or 5 hours. I will have them take a look at your problem as all looks OK to me now.

    One thing you can do to be sure we got the msg121.dll is the following:

    Please download the KillBox from HERE.

    Unzip it to a folder of it's own, not to the desktop or a temp folder.
    Click on The KillBox.exe and it will open.
    Now click find then find msg{}.dll.
    Then on the little pop up window, that says killbox file list,
    Click file >> create log,
    And a pop up says do you want to create a log in notepad?
    Click yes and then save as usual in notepad.
    Copy & paste the resulting list here.

    Regards,
    Kent
     
  8. cam2787213

    cam2787213 Guest

    ok, thanks for the help kent


    Log for KillBox ver.2.0.1
    --------------------------

    ---msg{}dll search---
    C:\WINDOWS\System32\msgina.dll
    C:\WINDOWS\System32\msgsvc.dll
    C:\WINDOWS\System32\dllcache\msgina.dll
    C:\WINDOWS\System32\dllcache\msgr3en.dll
    C:\WINDOWS\System32\dllcache\msgrocm.dll
    C:\WINDOWS\System32\dllcache\msgsvc.dll
    C:\WINDOWS\System32\Setup\msgrocm.dll
     
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cam,

    We got the msg.dll, so I do not know what else is going on. Someone else will look this over in the next 4 or 5 hours, just check back.

    Regards,
    Kent
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    please do this

    open hijackthis/config/misctools/ tick both boxes about minor & empty sections and press start up list, post that complete list back here please
     
  11. cam7287213

    cam7287213 Guest

    Just got it to work and changed the connection back to this computer.
    - just had to hit repair in network connections o_O

    thanks for the help
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cam,

    Glad to hear your connection problem was something simple, good work!!

    Regards,
    Kent
     
Thread Status:
Not open for further replies.