Problems with IE

TeK · October 19, 2004

I know you tech heads know about this so I figure to ask away. Recently, I've been having some problems with IE where when I open up IE, the search window on the left always pops up when I don't want it to, www.msn.com as a home page doesn't load up correctly unless I leave it and come back to it, and whenever I goto a site "Example www.gotfrag.com, it sends me to a page where it says it can't reach the site cause I spelt it wrong and its always missing an m at the end like www.gotfrag.co. I can usually get on it after another try. (I use firefox for my normal browsing my my mom still uses IE when its on and I use IE for a couple things as well.)

Buddy told me to run a program called hijackthis. I don't want to delete anything without the consent of others so I'll post the logfile, if anyone here zd,dweezil,birdman, or ak can tell me what is safe to delete plz do. Thanks! Any other help would be appreciated or if I shouldn't even be using this program.

Logfile of HijackThis v1.97.7

Scan saved at 6:25:24 PM, on 10/19/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\WINDOWS\Explorer.EXE

E:\WINDOWS\system32\spoolsv.exe

E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

E:\WINDOWS\System32\CTsvcCDA.EXE

E:\WINDOWS\system32\drivers\dcfssvc.exe

E:\WINDOWS\System32\DVDRAMSV.exe

E:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

E:\WINDOWS\System32\nvsvc32.exe

E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

E:\WINDOWS\System32\svchost.exe

E:\WINDOWS\system32\ZoneLabs\vsmon.exe

E:\WINDOWS\wanmpsvc.exe

E:\WINDOWS\System32\MsPMSPSv.exe

E:\Program Files\Creative\ShareDLL\CtNotify.exe

E:\Program Files\Common Files\Symantec Shared\ccApp.exe

E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

E:\WINDOWS\System32\RUNDLL32.EXE

E:\Program Files\AIM95\aim.exe

E:\WINDOWS\System32\shell32.exe

E:\Program Files\Creative\ShareDLL\MediaDet.Exe

E:\Program Files\mIRC\mirc.exe

E:\WINDOWS\System32\wuauclt.exe

E:\Program Files\Steam\Steam.exe

E:\Program Files\iPod\bin\iPodService.exe

E:\Program Files\Ventrilo\Ventrilo.exe

E:\Program Files\Winamp\winamp.exe

E:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gotfrag.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - E:\Program Files\Lycos\IEagent\CSBB.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - E:\WINDOWS\System32\nzdd.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Disc Detector] E:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [CTStartup] E:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Jet Detection] E:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [shell32] E:\WINDOWS\System32\shell32.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab

O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab

O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab

O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab

O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab

O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.a...meInstaller.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097271860944

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partner...lim/install.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/...7955.3999189815

O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245...layer5AxWin.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B21A38F1-EC5D-4519-A715-0AD9DC6CC7A3} (SMControl Class) - http://www.machineroom.org/FPSMonitor/SMActiveX.dll

O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

*edit* Friend told me to get rid of.

BHO stuff

CSBB

nzdd.dll

All o16 things.

Not deleting anything til I get some confirmation from you tech guys.

Edited October 19, 2004 by TeK

October 19, 2004

Remove these via Hijackthis and be sure to be running hijackthis from your desktop or from your Hard Drive so a backup folder is created.

Remove these:

All of these. You can reinstall if needed if any of these are legit. They could be infected with spyware.

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab

O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab

O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab

O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab

O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab

O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.a...meInstaller.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097271860944

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partner...lim/install.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/...7955.3999189815

O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245...layer5AxWin.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B21A38F1-EC5D-4519-A715-0AD9DC6CC7A3} (SMControl Class) - http://www.machineroom.org/FPSMonitor/SMActiveX.dll

O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

Next post on what IS spyware that should be removed....

October 19, 2004

Remove these also:

O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [shell32] E:\WINDOWS\System32\shell32.exe

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [Jet Detection] E:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

BHO's are Browser Helper Objects. These are basically mini programs that run within IE. Encourage your mom to use Firefox or some other browser also.

These ARE Spyware:

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - E:\WINDOWS\System32\nzdd.dll

R3 - Default URLSearchHook is missing

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - E:\Program Files\Lycos\IEagent\CSBB.DLL

October 19, 2004

Then run first:

Adaware SE. Get it from http://www.lavasoft.de update it and run a "FULL SCAN" not the smart scan.

Then go here and download Spybot S&D, update it and run it and also be sure to do the immunizations.

download.com

Last but not least, prevent spyware with Spyware Blaster.

Be sure to update and enable all prevention after the update.

http://www.javacoolsoftware.com/spywareblaster.html

All Kill3r · October 19, 2004

i think your problem with IE is using it. Try a diff browser like Firefox, one not so targeted.

TeK · October 19, 2004

I've ran adaware and spybot before. I had a lot of crap from it. Cleared it all up. Thanks a lot ZD for telling me what to delete. It fixed it right up.

Killer, I use Firefox, have been now for a few months and I love it. I still use IE to check a couple of things and like I said my mom uses it, everytime I help her with something on the comp she gets angry with me so I try and avoid her while shes on here.

As always thanks again to the guys on this board, always knowing about everything =]

dwEEziL · October 20, 2004

I would look into that "shell32.exe" process. Methinks you have a virus. I searched my WinXP C drive and while I did find a "shell32.dll", I found no "shell32.exe". Googling for it brought up many virus hits though.

October 20, 2004

http://housecall.antivirus.com

TeK · October 20, 2004

Did a full scan with Norton with latest definitions and found nothing. Housecall will detect it?

October 20, 2004

If you are already infected before updating norton, it is too late. So disable Norton and run Housecall. You must use IE to run it.

TeK · October 20, 2004

Wow u guys were right. Disabled norton and ran housecall. Found 3 files that were trojans. They were uncleanable so I deleted them. Thanks a lot again dweez and ZD =]

dwEEziL · October 21, 2004

np

White Knight · October 21, 2004

Another idea: Run Firefox...its superior to IE and is much more secure. You can get it at www.mozilla.org.

TeK · October 21, 2004

Killer, I use Firefox, have been now for a few months and I love it.

=D

TeK · October 25, 2004

Have another request using Hijack this. If any of you can tell me what to tell him to delete it'd be appreciated. He's been getting massive pop-ups. Told him to switch to firefox.

Logfile of HijackThis v1.97.7

Scan saved at 17:25:26 , on 10/25/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Steam\Steam.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\NoNameScript\mirc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\timu\My Documents\download\HijackThis.exe

O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper100.dll

O2 - BHO: (no name) - {356CB562-B9C9-4C59-86AC-4A77D062C433} - C:\WINDOWS\System32\rkqem.dll

O2 - BHO: (no name) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [steam] C:\Program Files\Steam\Steam.exe -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096015786592

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Edited October 25, 2004 by TeK

October 25, 2004

Delete these: