Shani S.
Hi all, I am having a problem with IE6. I suspect it may
be a worm or parasite but have exhausted my conventional
knowledge. I've run Adaware, Spybot, CW
Shredder, Norton Anti-Virus and now HijackThis (but don't
know what to do with it...LOL).
My browser seems to be "hijacked" by something. It keeps
opening up by itself and "LOADING" pages and pop-ups. As a
matter of fact, it is doing it now as I'm typing this
message and it is driving me NUTS!!!
I think this problem MAY have something to do
with "Rundll32," which was/is loading every time
I "Start/Boot" my computer but I could be wrong.
By the way, my OS is Millennium ME. I ran HiJackThis and
here are the results:
Logfile of HijackThis v1.97.7
Scan saved at 8:14:17 AM, on 5/6/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.optonline.net/Home
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-
4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1
\BHO\INCFIN~1.DLL (file missing)
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-
00400523e39a} - C:\Program Files\Siber Systems\AI
RoboForm\RoboForm.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-
7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1
\NAVAPW32.EXE
O4 - HKLM\..\Run: [QuickTime
Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [devldr16.exe]
C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk =
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\wkcalrem.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program
Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &2 Customize Menu -
res://C:\Program Files\Siber Systems\AI
RoboForm\RoboForm.dll/ComCustomIEMenu.html
O8 - Extra context menu item: &5 Fill from Identity -
res://C:\Program Files\Siber Systems\AI
RoboForm\RoboForm.dll/ComFillIdent.html
O8 - Extra context menu item: &6 Fill from Passcard -
res://C:\Program Files\Siber Systems\AI
RoboForm\RoboForm.dll/ComFillPass.html
O8 - Extra context menu item: &7 Fill Forms -
res://C:\Program Files\Siber Systems\AI
RoboForm\RoboForm.dll/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms -
res://C:\Program Files\Siber Systems\AI
RoboForm\RoboForm.dll/ComSavePass.html
O8 - Extra context menu item: &9 Robo Toolbar -
res://C:\Program Files\Siber Systems\AI
RoboForm\RoboForm.dll/ComShowToolbar.html
O9 - Extra button: RF toolbar (HKLM)
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: &7 Fill Forms (HKLM)
O9 - Extra button: Save Forms (HKLM)
O9 - Extra 'Tools' menuitem: &8 Save Forms (HKLM)
O9 - Extra button: Identities (HKLM)
O9 - Extra 'Tools' menuitem: &3 Edit Identities (HKLM)
O9 - Extra button: Passcards (HKLM)
O9 - Extra 'Tools' menuitem: &4 Edit Passcards (HKLM)
O9 - Extra button: Fill Id (HKLM)
O9 - Extra 'Tools' menuitem: &5 Fill from Identity (HKLM)
O9 - Extra button: Fill Pass (HKLM)
O9 - Extra 'Tools' menuitem: &6 Fill from Passcard (HKLM)
O9 - Extra button: Go Fill (HKLM)
O9 - Extra 'Tools' menuitem: &Go && Fill from Passcard
(HKLM)
O9 - Extra button: Login (HKLM)
O9 - Extra 'Tools' menuitem: &Login (Go, Fill, Submit)
(HKLM)
O9 - Extra button: Options (HKLM)
O9 - Extra 'Tools' menuitem: &Options (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Unknown file in Winsock LSP:
c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\inetadpt.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swf
lash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CA
B?37869.4390856481
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE
Class) -
http://207.188.7.150/017a26a43d0ecbc61419/netzip/RdxIE601.c
ab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
(Shockwave ActiveX Control) -
http://download.macromedia.com/pub/shockwave/cabs/director/
sw.cab
O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74166} -
http://www.compete.com/panel/01/MSView.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7}
(ActiveDataObj Class) - https://www-
secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}
(ActiveDataInfo Class) - https://www-
secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE}
(Microsoft Office Tools on the Web Control) -
http://officeupdate.microsoft.com/TemplateGallery/downloads
/outc.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} -
http://download.abetterinternet.com/download/cabs/MPB38106/
button.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info
..apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95}
(OPUCatalog Class) -
http://office.microsoft.com/productupdates/content/opuc/opu
c.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}
(Symantec RuFSI Registry Information Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin
/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
(Symantec AntiVirus scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvS
niff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}
(HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004033001/housecall.ant
ivirus.com/housecall/xscan53.cab
This problem is really driving me crazy. Please help me
get rid of it ASAP. Any and ALL help would be most
appreciated.
Sincerely,
Shani Schulman