Solve : Problem with IE 6.0?

Hello.

Recently I have had quite a problem with my computer, but mainly IE. I have tried programs such as Spybot Search and Destroy, Ad-Aware SE Professional with Ad-Watch SE Professional, PeerGuardian, Window Washer, eTrust PestPatrol, Browser Hijack Recover (BHR), Spy Sweeper, SpywareGuard, XoftSpy, HijackThis, CWShredder, and Registry Mechanic.

All of these and my homepage is still being turned back to http://213.159.117.134/index.php and each time I bring up IE I get a virus warning from my copy of Avast anti-virus home edition. It does the same when I open MSN Explorer. And earlier today it wouldn't let me get on either my Yahoo or Hotmail email accounts, it would redirect me to some other site. Also note I am running Stompsoft firewall x-treme.

Along with all those my search bars (Yahoo, AIM, etc.) have been removed.

I am running Windows XP home and this is the first time something like this has happened to me and has been going on for a few days now.

Any help would be very great!!

Matt Smith........Ok .....Does your anti virus identify the virus for you? You may have two issues here .....a hijacker as well as a virus .......
So let's try ......Using another PC ......D/L Stinger ...get it here ..... http://vil.nai.com/vil/stinger/ save it on a floppy disk and run it from your machine .....(make sure you're off-line (disconnect from internet)). Delete anything it finds ......
Now go into your Internet Options and change your homepage back to whatever you want .........now reboot. Reconnect to the internet and see if your homepage is still ok .....if it isn't, and you're not getting the virus warning ....run HijackThis and post the log file here so we can look at it .......because if you ran it before you may have missed some entries.

dl65

Alright, here's the log from HijackThis after I ran the Stinger.


Logfile of HijackThis v1.98.0
Scan saved at 2:32:38 PM, on 2/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Washer\washer.exe
C:\Documents and Settings\Matt\Application Data\eetu.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\STOMPS~1\FIREWA~1\IrlOnIE.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\STOMPS~1\FIREWA~1\FARPOP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [kHlJ] C:\WINDOWS\System32\pdvtjisiceww.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Matt\Application Data\eetu.exe
O4 - HKCU\..\Run: [Bebuyir] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732

Also, might I suggest downloading Microsoft AntiSpyware? It also helps prevent browser hijacking... http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

Flame

Matt Smith......Ok ...I see what's going on ........Several questions ...
1 ......What is your normal homepage ?

2 .....I notice there are no HijackThis entries past the 1.....016 entry ......are you sure you posted all of it .....because there is usually more ....check and see ....
I am working on a removal list for you .....

dl65

Matt Smith....ok ...at this time I will assume you have no entries past the 1 ....016 entry....
So here's what to do ....
1.. open your hijackthis.......click on config. (lower right corner)
2.. in the configuration window ........make sure there is no check in the first box , and a check in the next 4 boxes .
3..now in the 4 address boxes below ......enter your homepage in each one. ( all 4 entries will be the same )
4..Click back
5..click scan

Now mark for removal , the following :
ALL R1 , R0 , F0 , F2 entries .
and ........
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [kHlJ] C:\WINDOWS\System32\pdvtjisiceww.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Matt\Application Data\eetu.exe
O4 - HKCU\..\Run: [Bebuyir] C:\WINDOWS\System32\n?tdde.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732

Next .....click fix checked

Now reboot .........and see if your homepage remains as you set it .........
Now rerun your Ad-Aware scan again .....
I would like to suggest you D/L and install the Antispyware Beta ...app......it's very good .
get it at http://www.microsoft.com/athome/security/spyware/software/default.mspx

Now rerun your hijackthis again and post the log .....


Good luck

dl65

Alright, I am trying the Microsoft anti-spyware...I have used it before but wasn't too impressed with it. I will download it and run it...then run HijackThis again and then post the log.

Alright..here's the new log file....Microsoft Anti-spyware worked far better this time around than before I would say. And yes..the first log file was all of what it showed me on the .txt file as is this one here.




Logfile of HijackThis v1.98.0
Scan saved at 5:29:30 PM, on 2/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

Matt Smith....Wow ....are you sure this is the log file from the same pc ? What happened to the 04 entries that we hadn't marked for removal ?    More important is your home page staying as you have it set ?
did Antispyware find much ?
Are you able to get to your hotmail account now ?
let us know

dl65

Matt Smith......I just noticed you do not have SP2 installed .........It would be a good idea to have it installed as it plugs up some of the security holes in IE6 and there is a built-in firewall which you may turn off if you wish.

dl65

Yes, that is from the same PC. I ran the Microsoft anti-spyware program and ran the HijackThis program right after I was done and that's what it gave me. And no, I don't have SP2 on because I have had it 2 different times and each time it makes my computer's performance drop. Also when I last posted my PC was a bit better...most of the problems were gone....but now they are back again. Only this time when I open IE the address is pointed to a location on my computer it looks like. RES://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm It brings up a different page each time I bring up IE...but each say either "Your search page" or "search the web" with "about:blank-" as the page name...this is new within the past day or so.


I can always run a system image restore again but I have done this a few times before I posted here and its getting sort of old. Should I do that or continue to try and fix the issue?
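The before/after comparison the helper does by eye in this thread can be scripted. The following is an added example, not part of any participant's post: it parses HijackThis entry lines and classifies them across two scans against a removal list. The function names and the shortened log excerpts are assumptions of the example; the entry lines themselves are copied from the logs above.

```python
import re

# HijackThis entry line: section code (R0, F2, O4, O15, ...), " - ", detail.
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse(log):
    """Map normalized (section, detail) -> original line for every entry."""
    out = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header and "Running processes" lines do not match
            # Windows paths and registry names are case-insensitive.
            out[(m.group(1), m.group(2).strip().casefold())] = line.strip()
    return out

def compare(before, after, marked_sections, marked_lines):
    """Classify entries across two scans against the removal list."""
    b, a, ml = parse(before), parse(after), parse(marked_lines)
    is_marked = lambda k: k[0] in marked_sections or k in ml
    gone = [k for k in b if k not in a]
    return {
        "removed_as_marked": sorted(b[k] for k in gone if is_marked(k)),
        "removed_unmarked": sorted(b[k] for k in gone if not is_marked(k)),
        "marked_but_present": sorted(a[k] for k in a if k in b and is_marked(k)),
        "new": sorted(a[k] for k in a if k not in b),
    }

# Shortened excerpts of the two logs and the removal list posted in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [kHlJ] C:\WINDOWS\System32\pdvtjisiceww.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O15 - Trusted Zone: *.blazefind.com
"""
AFTER = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""
MARKED = r"""
O4 - HKLM\..\Run: [kHlJ] C:\WINDOWS\System32\pdvtjisiceww.exe
O15 - Trusted Zone: *.blazefind.com
"""
if __name__ == "__main__":
    result = compare(BEFORE, AFTER, {"R0", "R1", "F0", "F2"}, MARKED)
    for label, lines in result.items():
        print(label, *lines, sep="\n  ")
```

Entries under `removed_unmarked` are the ones the helper asks about after the second scan, and `marked_but_present` lists anything that survived a fix it was marked for.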


