Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ie Problem


  • Please log in to reply
7 replies to this topic

#1 Cinoreah

Cinoreah

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Location:Desert SE CA
  • Local time:11:16 PM

Posted 21 September 2006 - 05:37 PM

Log split from this thread: http://www.bleepingcomputer.com/forums/t/61015/firefox-installed/ --PK

Logfile of HijackThis v1.99.1
Scan saved at 3:31:21 PM, on 9/21/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://www.ea.com/downloads/games/common/b...trap/iegils.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab

Have no idea what some of the hi lited items are....like Symantec.....its supposed to be gone.
~ The Road To A Friend's House Is Never Long ~

BC AdBot (Login to Remove)

 


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:16 AM

Posted 21 September 2006 - 09:51 PM

Hi Cinoreah,

I don't see much wrong here but there are a couple line that can be fixed. I doubt if they will solve your problem but please do the following:

Scan again with HijackThis and put a checkmark next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +


Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

Download System Security Suite here:
System Security Suite Download. Unzip it to your desktop and install the program. Don't use it yet.

A. Open System Security Suite.
B. In the Items to Clear tab make sure the following are checked:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

Reboot your computer into Safe Mode. I believe with 98 you need to hold down the Ctrl key instead of F8.

Open My Computer, right click on the C: drive and under the Tools tab, click Check Now under Error checking. Select the Thorough scan and make sure the Automatically fix errors is checked. Then click start and let the scan complete.

When that's done do a defrag. Still under the Tools tab of the C drive properties, click on Defragment Now.

When done, reboot back into Normal Mode, scan again with HijackThis and post a new log. Let me know if there are any improvements.

The thing about people

is they change

when they walk away.--Mipso


#3 Cinoreah

Cinoreah
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Location:Desert SE CA
  • Local time:11:16 PM

Posted 22 September 2006 - 03:19 PM

This is the illegal op msg I got when I went to do the HJ log after the scan and defrag. After the scan (there were no errors) and after the boot into safe mode, I got 5 illegal op msgs before I could finish the rest of the steps you suggested.

I know I need to buy a new PC, but that is just not really a viable financial option for me right now.

Thanks for your help so far....

Cin


EXPLORER caused an invalid page fault in
module <unknown> at 0000:019b32dc.
Registers:
EAX=00000000 CS=0167 EIP=019b32dc EFLGS=00010202
EBX=0059f998 SS=016f ESP=0059f948 EBP=0059f964
ECX=00e60ff4 DS=016f ESI=000089bc FS=2587
EDX=000089d8 ES=016f EDI=0059f94c GS=24d7
Bytes at CS:EIP:

Stack dump:
bff7363b 000003b8 0000001c 00000000 ffc38617 899623df 0000016f 0059f978 bff94407 24d789bc 000024d7 00000000 bff719b8 005989b6 0059ff68 bff7186d


Logfile of HijackThis v1.99.1
Scan saved at 1:10:03 PM, on 9/22/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://www.ea.com/downloads/games/common/b...trap/iegils.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
~ The Road To A Friend's House Is Never Long ~

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:16 AM

Posted 23 September 2006 - 12:05 AM

OK, I'm a little confused. You ran the scandisk and defrag in normal mode but couldn't do them in safe mode? Those were the only two steps I wanted done in safe mode. Sorry if I misread, but sounds like you may not have done what I asked in the exact order. It is ususally best to follow instructions exactly and in the order given. But don't worry about it, just let me know which steps you were unable to complete.

I don't think this is a malware problem, but let's do a couple more checks before we look at other possibilities.

Download: StartDreck from: http://www.niksoft.at/download/startdreck.htm

Extract the file into c:\startdreck.
Navigate to c:\startdreck and double-click on Startdreck.exe
When the program opens click on the Config button.
Then click on the unmark all button.
Put checkmarks in the following checkboxes:Under Registry put a checkmark in the Run Keys checkbox.
Under System/Drivers put a check in the Running Proccess checkbox.
Press the OK button.
Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log. Please post that log in your next reply.

Open HijackThis.

If you still have the New Users Quickstart screen enabled, click Open Misc Tools Section.
If you just have the regular opening screen, click the Config... button then the Misc Tools button.

Now click the Open Uninstall Manager button, then the Save List button. Save the list somewhere convenient like My Documents and then the list will open in Notepad. Copy and Paste that list into your next reply to this post.

And one question, how long has it been since you uninstalled Norton?

BTW, you can use HijackThis to fix this item as it is a leftover from Norton:

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

The thing about people

is they change

when they walk away.--Mipso


#5 Cinoreah

Cinoreah
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Location:Desert SE CA
  • Local time:11:16 PM

Posted 23 September 2006 - 06:52 PM

I'm sorry if I mislead you....I always do scan disk and defrag in safe mode and that's what I did this time as well. After I booted into safe mode and went to do the scan disk, that is when I was getting the multiple illegal op msgs.

I printed out your instructions and followed them to the letter. I was able to complete all steps, just nothing had changed after doing them. As I posted, I got the same illegal op msg after doing all steps. I apologize for being unclear.

I haven't read your latest intructions yet as I have been gone all day, but just wanted to check in and will have to come back a little later as I have company right now. :thumbsup:

Thank you for your patience and help. :flowers:

Cin
~ The Road To A Friend's House Is Never Long ~

#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:16 AM

Posted 23 September 2006 - 07:14 PM

OK, Cin, thanks for clearing that up. Take your time, I know how it is with company on the weekend. :thumbsup:

It's kind of ironic--I'm slow anyway, bu it may be a while before I can get back with you as I am having some problems with Firefox myself. A power outage has messed it up and I'm working on getting it straightened out. Not to mention other things I have going on.

We'll get done what we can when we can. :flowers:

The thing about people

is they change

when they walk away.--Mipso


#7 Cinoreah

Cinoreah
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Location:Desert SE CA
  • Local time:11:16 PM

Posted 28 September 2006 - 01:16 PM

Hi Papakid....

I have been watching to see how my PC is doing with the Illegal op msgs before I followed your next steps. So far, I've had no msgs the last 4 days. However, that doesn't really mean anything as it's gone several days before w/o getting them.

I was wondering if we could keep this thread open for awhile to give me a little more time to monitor. I'm asking as I've seen other threads closed due to lack of response from the OP.

Thanks... :thumbsup:

Cin
~ The Road To A Friend's House Is Never Long ~

#8 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:16 AM

Posted 28 September 2006 - 08:06 PM

Hi Cin,

Don't worry about that with me. I don't close threads for lack of response.
And don't close most threads unless there is a good reason. Why is a trade secret :thumbsup: plus I'm lazy. :flowers: :huh:

Seriously, tho, it's is up to you and thanks for posting back to let me know. However, with the exception of fixing the one 016 line, which is harmless, nothing else in my last set of instructions will make any changes on your system. They just provide me with more information and clues as to what may be causing the problem, especially if it is something malicious. It might be less fustrating to you to post that information while the system is working more to your liking.

Whatever you want to do is fine by me. :huh:

The thing about people

is they change

when they walk away.--Mipso





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users