Re: urlmon.dll error on IE6

PA Bear

1. A new install of any anti-virus application isn't reliable at all if the
definitions aren't up-to-date. What date does yours have? (BTW, McAfee
VirusScan 7 is the current version!) AdAware without an updated 'reffile'
isn't very reliable either, IMHO.

2. Re: "The error I received while trying to open Hijack This.exe was: 'a
required .DLL file, MSVBVM60.dll, was not found.'"

Robert (Aldwinckle) would be the one to advise you on this Windows file.
Researching a problem for someone who, serendipitously, is also having
problems with Urlmon.dll (!) and who received this same error, I found...

FILE: VBRun60sp5.exe Installs Visual Basic 6.0 SP5 Run-Time Files
http://support.microsoft.com/default.aspx?scid=kb;EN-US;290887

which was pointed out by MVP Bert Kinney in this thread about
downloading/installing SpywareBlaster: http://snurl.com/1ubv.

3. (#5 below) Any luck with http://www.doxdesk.com/parasite/ ? A lot of
"malware" can come into your system via a "drive by" install (you're not
aware of it).

4. <wink> Where is Jim Byrd? He started all this! </wink>
--
~PA Bear
Hi PA Bear,

I will try and answer your questions below.
I also responded to Robert's question in another posting.
I must have transposed the iexplorer in the AppName which
should be iexplore....
-----Original Message-----
1. If you can recall, Anne, what were you doing on or before Monday 14
June-03 when you first got the error? What did you (or anyone else) do with
the computer in the few days prior to the first time you got the error
(e.g., installs/uninstalls, updates/upgrades, new ISP or method of
connecting)? Was anyone else using the machine?

I am not the only user of the computer. My husband, Vern,
also uses the computer. He uses Hotmail email and views
the internet. The only thing that I have done to the
computer was to run a thorough SCANDISK, defrag and try to
update the McAfee which failed as I was not able to
download. I was able to load the from a CD that I burned
at work the McAfee version 4.5.1 SP1 which is on our
website for Western WA University. I did run that and all
looked OK. I ran the Ad-aware that I had already
installed which was an older version. I tried to download
it today and received my usual error. I was able to go
back and save it to my computer and then run the newest
version Ad-aware 6.0. There were 11 new objects including
one called CoolWebSearch listed as Malware. The rest were
categorized as DataMiner. I did delete them all.
2. What McAfee product <shudder> are you using and what happens if you
disabled it/turn it off? How long have you had it? When was the last time
you sought (or were able to seek) virus definitions? Have you run a full
system scan since doing so? You can get free online scans at
http://snurl.com/g14 and http://housecall.trendmicro.com/.
I did go to the website above and tried downloading and
got the error. I am thinking maybe I should go into work
and download a good version of a virus scan product on CD
and then bring it back and load it. Do you think I should
do this and maybe download something different than McAfee?
3. Have you tried reinstalling 5.6 Scripting Engine since installing
Q818529?
http://msdn.microsoft.com/library/default.asp?url=/downloads/list/webdev.asp

Yes. I was able to do that via my work, saving
it to CD and then loading it here.
[<paste>]
C:\WINDOWS\SYSTEM> dir MSVBVM60.dll

Volume in drive C has no label
Volume Serial Number is 3749-15FF
Directory of C:\WINDOWS\SYSTEM

File not found
350,912,512 bytes free
4. Search for (WinKey+F) MSVBVM60.DLL. What version is it? (On my Win98SE
machine, it's version 6.00.8964 and dates to the Dec. '02 Cumulative Patch
for IE.)

5. I would certainly want to run a fully up-to-date AdAware, Spybot, *and*
BHO Cop on the machine to rule out malware or hijacking but apparently you
still cannot download such applications, let alone update them. Have you
ever been to this page (can you?) and allowed it to load?...
http://www.doxdesk.com/parasite/ (It certainly won't do what any of the
foregoing apps will do but it's a start.)

Hang in there, Anne!

Thank you for helping me. I really appreciate it. Anne
--
Anne wrote:
IE information: version: 6.0.2800.1106IC
Update versions: SP1; Q818529; Q330994; q313829

I verified each file and they all had the version that you
listed. I don't have Yahoo companion or Google toolbar
installed. thanks again. Anne

-----Original Message-----
If you find a Details button in the error (unlikely), press it, copy
whatever it says and post it in a reply.

You state that you've installed Q818529. Please confirm the following:

1. IE Help>About>Update Versions> Q818529 is found here;

2a. Mshtml.dll is version 6.0.2800.1170;

2b. Shdocvw.dll is version 6.0.2800.1203;

2c. Urlmon.dll is version 6.0.2800.1188.

[Search for (WinKey+F) each of the above
files>right-click>Properties>Version]

3. If you have Yahoo Companion (Toolbar) or Google Toolbar installed,
uninstall it via Add/Remove Programs.

Anne wrote:
I verified the error signature and that is exactly how it
reads. I did perform all the critical updates which
include 818529 but I am still receiving the error.

When I get the error, it does give me the option to send a
report. I am not sure where the report is sent. Should I
try and capture that data. It looks like a lot of data.
Any ideas would be greatly appreciated. Thank you, Anne

-----Original Message-----
....
Agreed. IE6.00.2800.1188 is *not* a valid IE version.

PMFJI but why not assume that she already has 818529?
Then 6.0.2800.1188 makes sense as ModVer of urlmon.dll
(Subject: of this thread)

Then I would wonder if she has the right copy of that module?

So some potentially clarifying diagnostics would be:

javascript:navigator.appMinorVersion

(to see what exactly is supposedly applied)

and

cd \windows\system
dir urlmon.dll

(to see date and size of module.) Notice from manifests in 818529
that versions for other OS have different sizes and timestamps.


I think that some of the confusion may be due to the fact that the
Error Signature was probably transcribed manually rather than being
captured to the Clipboard. To capture the Error Signature drag the
mouse over the text and press Ctrl-c (unfortunately there is no
right-click menu there). Then paste that result instead of having to
type it all.

In particular then we could see if she was really seeing this:

AppName: iexplorer

If so, urlmon.dll will be a victim not a culprit.
 
Robert Aldwinckle

Anne said:
Hi Robert,

I am hoping the text below is what you were asking for. ....
URLMON DLL 483,840 04-14-03 9:25a URLMON.DLL

Perfect. That proves that you probably have installed the right patch
for your OS.

There are still a few things we could try along this diagnostic tack
(e.g. IE Repair, check faultlog.txt) but I suggest we defer those
pending the outcome of your Hijack This! test.


Good luck

Robert
---
 
Jim Byrd

Hi Bear - Re: your other message. Well, I've been following the thread
(sort of) but since I don't have Win98 available, I just didn't think I
had much to contribute in addition to you and Robert in trying to
straighten out the version soup issues. It's clear that she needs to
get her machine clean of malware before she can try and do much of
anything else. Depending on what shows after that, I might at this
point just have her do an IEradicate and re-install IE5.x from her Win98
disk, then upgrade to IE6 fresh. The important thing at this point
would be to get the machine clean, though.
 
Anne

Hi Robert,

I was able to perform the hijackthis.exe. Some of these
had comments that say possible hijack.

I am hoping that you will understand the results:

Logfile of HijackThis v1.95.1
Scan saved at 8:11:43 PM, on 07/21/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
D:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA7} - C:\WINDOWS\TEMP\WINNDKJ.DLL
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Any idea what all of this means?
I was able to copy the msvbvm60.dll from a OS 98 machine
from work onto my machine. I tried the same process with
the urlmon.dll file but it says that Windows is using it
so that didn't work.

Thanks again for all your help. Take care, Anne
 
Anne

Hi Jim,

the following is a result of running hijackthis.exe

I am not sure what it means. I also posted to Richard's
earlier thread with this information. Any help you can
provide would be greatly appreciated.

Logfile of HijackThis v1.95.1
Scan saved at 8:11:43 PM, on 07/21/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
D:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA7} - C:\WINDOWS\TEMP\WINNDKJ.DLL
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thanks for your help. Anne
 
PA Bear

These look most suspicious to me, Anne. Both eWebSearch and JetSeeker appear
to be very new or new variants:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.ewebsearch.net/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL =
http://www.jetseeker.com/ie/
[see http://snurl.com/1uum]

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.ewebsearch.net/sp.htm

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA7} -
C:\WINDOWS\TEMP\WINNDKJ.DLL

One of the malware experts here (siljaline) regularly posts these
instructions:
<paste>
Go to: http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button. Click: "Save Log" (generates "hijackthis.log")

Next, HijackThis | Config [button] | Misc Tools [button]
Click: Generate StartupList log [button] (generates "startuplist.txt")

Next, go to the below location: Spyware and Hijackware Removal Support.
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

Sign in, then copy and paste both files in your message.
</paste>

I've asked siljaline to drop in on this thread. (I'd tell you to run
'hijackthis' again and have it 'fix' (remove) the 3 above but please wait
for more experienced guidance and/or post your results to the forum above.)
--
~PA Bear
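
The by-eye triage of the HijackThis log in the post above, as an added example that is not part of the original thread and is not HijackThis's own logic: it rejoins the newsreader-wrapped entries and flags search settings and browser add-ons for review. The trusted-domain list, the set of value names and the two add-on heuristics are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries taken from the log posted in this thread, keeping
# the newsreader's hard wraps (split GUIDs, split registry paths).
SAMPLE_LOG = r"""Logfile of HijackThis v1.95.1
Platform: Windows 98 SE (Win9x 4.10.2222A)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.ewebsearch.net/sp.htm
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = *.r1.attbi.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0
\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-
AC7CC6B5FFA7} - C:\WINDOWS\TEMP\WINNDKJ.DLL
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-
0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-
11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# Assumption: hosts the analyst already expects in IE's search/start settings.
TRUSTED_DOMAINS = {"comcast.net", "microsoft.com", "msn.com"}
# Assumption: registry value names treated as search/start-page settings.
SEARCH_VALUES = {"searchurl", "searchassistant", "search bar", "search page", "start page"}

ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) -(?:\s|$)")
REG_ENTRY = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>[^=]+?) =\s*(?P<value>.*)$")
COM_ENTRY = re.compile(
    r"^O[23] - (?P<kind>BHO|Toolbar): (?P<label>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)


def unwrap(log_text):
    """Rejoin entries that a mail/news client wrapped across several lines."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:  # continuation of the previous entry
            prev = entries[-1]
            # No space when a GUID was split after a hyphen or a path was split
            # before a backslash; otherwise the wrap replaced a space.
            tight = re.search(r"[0-9A-Za-z]-$", prev) or line.startswith("\\")
            entries[-1] = prev + ("" if tight else " ") + line
        # Lines before the first entry (header, process list) are skipped.
    return entries


def triage(log_text, trusted_domains):
    """Return (entry, reason) pairs worth a closer look; nothing is removed."""
    findings = []
    for entry in unwrap(log_text):
        m = REG_ENTRY.match(entry)
        if m:
            name = m["name"].strip()
            host = urlparse(m["value"].strip()).hostname or ""
            trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
            if name.lower() in SEARCH_VALUES and host and not trusted:
                findings.append((entry, f"{name} points at untrusted host {host}"))
            continue
        m = COM_ENTRY.match(entry)
        if m:
            if "\\temp\\" in m["path"].lower():
                findings.append((entry, f"{m['kind']} module loads from a TEMP directory"))
            # "(no name)" alone is not used for BHOs: the Acrobat helper in
            # this log is unnamed as well.
            elif m["kind"] == "Toolbar" and m["label"] == "(no name)":
                findings.append((entry, "toolbar registered without a name"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG, TRUSTED_DOMAINS):
        print(f"[review] {reason}\n         {entry}")
```

On the sample it reports the three R1 search entries, the BHO under C:\WINDOWS\TEMP and the unnamed toolbar, and leaves the Start Page, ProxyOverride, Acrobat and Radio entries alone.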


Jim Byrd

Hi Anne - Well, you're on the right track. Here's what you need to do
(This is a standard post, so ignore the stuff that doesn't apply such as
downloading HijackThis which you already have - just do the scans and
saves as below and post them to the spywareinfo site with a request for
help):

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click
the Config button, then Misc Tools and click on Generate StartupList.log
which will create Startuplist.txt

Go to Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

Sign in, then copy and paste both files into a message asking for
assistance. Someone will answer with detailed instructions for the
removal of your parasite(s).



Then post back in this same thread with what happens.

--
Regards, Jim Byrd, MS-MVP
Please respond in original thread in Newsgroup.




-----Original Message-----
Yeah, that too or in place of, depending on how badly the malware's
screwed up the OS. I'm still a little suspicious of 312451 in that I
haven't seen any direct feedback from anyone who's used it yet - maybe
you have (?), while I know IEradicator works (at least for Win98X's -
not so comfortable recommending it with NT based OS's, - it didn't used
to work well for these - however, I have been told that the newer
version works OK there too).

--
Regards, Jim Byrd, MS-MVP
Please respond in original thread in Newsgroup.





PA Bear

Siljaline and Henri both confirm my suspicions (thread, this NG: "PING -
siljaline").

Hijackthis should be able to remove them...or post to spywareinfo.com forum.
--
~PA Bear


Anne

Hi PA Bear,

Thank you so much for all your help. I did post the logs
on that website. You were right about the ones to fix.
The 3 starting in R1, the one that said 02-BHO (no name)
and the one that said 03-toolbar (no name). After I clean
those, they said to reboot, then download SpyBot and fix
any problems found.

I did purchase a firewall to connect to my Comcast cable
modem to hopefully prevent further hijacking.

I am still not sure if that will fix my IE error re:
urlmon.dll. If not, do you think I should take my
computer in and have everything removed and then have
Windows 98 reinstalled?

My computer is too small to have 2000 or XP. At least
that is what I have been told. I need to purchase a new
one but money is tight right now. I do appreciate all
your help. Thanks again. Anne

Anne

Hi Jim,

I did post the logs on that website. I was told to clean
up 5 different files.

After I clean those, they said to reboot, then download
SpyBot and fix any problems found. I will do that when I
get home from work.

I did purchase a firewall to connect to my Comcast cable
modem to hopefully prevent further hijacking.

I am still not sure if that will fix my IE error re:
urlmon.dll. If not, do you think I should take my
computer in and have everything removed and then have
Windows 98 reinstalled?

I do appreciate your help. Thank you. Anne




Anne

Hi PA Bear,

I am happy to report that my computer is working good
again. Well, as good as it can be. I posted my logs from
hijackthis.exe to the forums at spywareinfo.com. They
told me what to remove which I did. I rebooted and ran
system file checker as it had previously given me a .dll
file that could be corrupted. Now it runs smooth.

I want to say thank you to you, Robert and Jim for all
your help. I could not have gotten to this point without
you and the help of others. Thank you so much. Best
wishes to all of you. Take care, Anne



 
P

PA Bear

You're very welcome, Anne. I'm most certain Robert Aldwinckle, Jim Byrd and
myself are glad to have been able to get you back in good shape!

Consider hanging around here for a while and using what you've learned to
help others with similar hijack problems. You'll have plenty of
opportunities, believe me.
--
Archive of this thread: http://snurl.com/1ucf
(42 posts, 14-23 July-03)

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE)
http://mvp.support.microsoft.com

CC: John Eddy; Tony Hynes
Hi PA Bear,

I am happy to report that my computer is working good
again. Well, as good as it can be. I posted my logs from
hijackthis.exe to the forums at spywareinfo.com. They
told me what to remove which I did. I rebooted and ran
system file checker as it had previously given me a .dll
file that could be corrupted. Now it runs smooth.

I want to say thank you to you, Robert and Jim for all
your help. I could not have gotten to this point without
you and the help of others. Thank you so much. Best
wishes to all of you. Take care, Anne
-----Original Message-----
YW. (No need to post the same content elsewhere in this thread, Anne.
Anyone covering it will see your first post.)

I'd *hope* that removing the malware would set things to right. If not, see
either of these two KB articles for help in removing/reinstalling IE6-SP1 on
your Win98 box...

http://support.microsoft.com/?kbid=318378
(Method 2)

or Removing IE6 and Reinstalling Windows 98...

http://support.microsoft.com/?kbid=312451.

If you wouldn't feel comfortable doing either of the above, I suppose a
*trustworthy* (independent, IMHO) shop could handle it. I'd provide them
with the KB articles above, if so. Given current "firesale" pricings of
processors these days (even including WinXP), it may prove only slightly
more expensive to get a new box.

While a firewall is certainly a very good idea (RTFM), it may not help you
avoid "drive-by" installs of malware. Consider getting/running
SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html as well
as AdAware and Spybot. Always seek updates before each use of any of them.
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE)
http://mvp.support.microsoft.com

Anne wrote:
Hi PA Bear,

Thank you so much for all your help. I did post the logs
on that website. You were right about the ones to fix.
The 3 starting in R1, The one that said 02-BHO (no name)
and the one that said 03-toolbar (no name) After I clean
those, they said to reboot, then download SpyBot and fix
any problems found.

I did purchase a firewall to connect to my Comcast cable
modem to hopefully prevent further hijacking.

I am still not sure if that will fix my IE error re:
urlmon.dll. If not, do you think I should take my
computer in and have everything removed and then have
Windows 98 reinstalled?

My computer is too small to have 2000 or XP. At least
that is what I have been told. I need to purchase a new
one but money is tight right now. I do appreciate all
your help. Thanks again. Anne

-----Original Message-----
Siljaline and Henri both confirm my suspicions (thread, this NG: "PING -
siljaline").

Hijackthis should be able to remove them...or post to spywareinfo.com
forum.
--
~PA Bear

PA Bear wrote:
These look most suspicious to me, Anne. Both eWebSearch and JetSeeker
appear to be very new or new variants:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.ewebsearch.net/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL =
http://www.jetseeker.com/ie/
[see http://snurl.com/1uum]

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.ewebsearch.net/sp.htm

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA7} -
C:\WINDOWS\TEMP\WINNDKJ.DLL

One of the malware experts here (siljaline) regularly posts these
instructions:
<paste>
Go to: http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save
Log" button. Click: "Save Log" (generates "hijackthis.log")

Next, HijackThis | Config [button] | Misc Tools [button]
Click: Generate StartupList log [button]
(generates "startuplist.txt")

Next, go to the below location: Spyware and Hijackware Removal Support.

http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

Sign in, then copy and paste both files in your message.
</paste>

I've asked siljaline to drop in on this thread. (I'd tell you to run
'hijackthis' again and have it 'fix' (remove) the 3 above but please
wait for more experienced guidance and/or post your results to the
forum above.)
--
~PA Bear

Logfile of HijackThis v1.95.1
Scan saved at 8:11:43 PM, on 07/21/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
D:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA7} - C:\WINDOWS\TEMP\WINNDKJ.DLL
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Any idea what all of this means?
I was able to copy the msvbvm60.dll from a OS 98 machine
from work onto my machine. I tried the same process with
the urlmon.dll file but it says that Windows is using it
so that didn't work.

-----Original Message-----
I am hoping the text below is what you were asking for. ....
URLMON DLL 483,840 04-14-03 9:25a URLMON.DLL

Perfect. That proves that you probably have installed the right
patch for your OS.

There are still a few things we could try along this diagnostic tack
(e.g. IE Repair, check faultlog.txt) but I suggest we defer those
pending the outcome of your Hijack This! test.
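
The triage discussed in this thread (hijacked IE search URLs and a BHO loading from C:\WINDOWS\TEMP) can be repeated over a newsgroup-wrapped copy of a HijackThis log. The Python below is an added example, not part of the original thread and not HijackThis's own code; the function names, the temp-directory heuristic and the `known_hosts` allowlist are assumptions made for illustration.

```python
import re

# Constructed sample: entries copied from the log posted in the thread,
# keeping the newsreader wrapping that splits GUIDs and paths.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.comcast.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0
\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-
AC7CC6B5FFA7} - C:\WINDOWS\TEMP\WINNDKJ.DLL
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) -\s*(.*)$")  # "R1 - ...", "O16 - ..."
TEMP_DIR = re.compile(r"\\TE?MP\\", re.I)         # assumed heuristic

def unwrap(text):
    """Rejoin wrapped lines into (code, body) entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries:
            prev = entries[-1][1]
            # No space if the break fell inside a GUID or before a path separator.
            tight = re.search(r"[0-9A-Fa-f]-$", prev) or line.startswith("\\")
            entries[-1][1] = (prev + ("" if tight else " ") + line).strip()
    return [tuple(e) for e in entries]

def triage(entries, known_hosts):
    """Flag BHO/toolbar modules in a temp directory and IE URLs on unknown hosts."""
    flagged = []
    for code, body in entries:
        if code in ("O2", "O3") and TEMP_DIR.search(body):
            flagged.append((code, "module loads from a temp directory"))
        elif code in ("R0", "R1"):
            m = re.search(r"=\s*https?://([^/\s]+)", body)
            if m and m.group(1).lower() not in known_hosts:
                flagged.append((code, "unrecognised host " + m.group(1)))
    return flagged

if __name__ == "__main__":
    # known_hosts is an assumption: the user's own ISP start page.
    for code, reason in triage(unwrap(SAMPLE_LOG), {"www.comcast.net"}):
        print(code, reason)
```

A flagged entry is only a candidate for review; as in the thread, the decision to remove it belongs to someone who knows what is installed on the machine.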