HijackThis error?
Originally Posted by SilentBob3208
...and comes up as this search page. Also, when I check my E-Mail, that search page keeps coming up time after time.
Until I or one of our other members can respond again, can you give us some descriptive details of the exact search page that keeps coming back?
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/windows/bobby's%20folder/blank.html
Go to internet options in IE and hit the security Tab. Go into the trusted zone section and delete the entry from there.
Do you have anything disabled in msconfig? There does not appear to be anything else showing in your log.
Everything is checked in msconfig. Also, I have an updated HJT log...
Logfile of HijackThis v1.99.0
Scan saved at 2:08:55 PM, on 2/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RQYOKV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\rqyokv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: tfypnk.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Try this tool from Symantec;
http://securityresponse.symantec.com...r/FxSpL2Me.exe
Then please do the following;
Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "aklsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.
Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
RQYOKV.EXE
Go to C:\WINDOWS and delete the file manually.
Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\rqyokv.exe
O15 - Trusted IP range: 67.19.185.246 (HKLM)
Reboot and delete the aklsp.dll file from the c:\windows\system folder.
Post a new log please.
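The entry types fixed in the post above (O1 hosts redirects, O10 unknown Winsock LSP files, O15 trusted IP ranges) can be pulled out of a HijackThis log mechanically. This is an added example, not part of the original thread or of HijackThis itself; the sample lines, the file name `example.dll` and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in HijackThis log format (TEST-NET addresses, made-up file name).
SAMPLE_LOG = r"""
O1 - Hosts: 203.0.113.7 auto.search.msn.com
O1 - Hosts: 203.0.113.7 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O10 - Unknown file in Winsock LSP: c:\windows\system\example.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\example.dll
O15 - Trusted IP range: 198.51.100.20 (HKLM)
"""

LINE_RE = re.compile(r"^([ORNF]\d+) - (.*)$")

def parse(log_text):
    """Yield (section, detail) per entry line; headers and process paths are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log_text):
    """Collect the entry types fixed in the thread: O1, O10 and O15."""
    redirects, lsp, trusted = {}, Counter(), []
    for section, detail in parse(log_text):
        if section == "O1" and detail.startswith("Hosts:"):
            try:
                ip, host = detail[len("Hosts:"):].split()[:2]
                loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:
                continue  # malformed hosts line, leave for manual review
            # A hosts entry mapping a name to a non-loopback address overrides DNS.
            if not loopback:
                redirects.setdefault(ip, []).append(host)
        elif section == "O10" and detail.startswith("Unknown file in Winsock LSP:"):
            # The same DLL is listed once per LSP chain entry, so count duplicates.
            lsp[detail.split(":", 1)[1].strip().lower()] += 1
        elif section == "O15" and detail.startswith("Trusted IP range:"):
            trusted.append(detail.split(":", 1)[1].split()[0])
    return {"hosts_redirects": redirects, "unknown_lsp": dict(lsp), "trusted_ranges": trusted}

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_LOG).items():
        print(kind, found)
```

O4 autorun entries are deliberately not scored here, since telling a legitimate startup item from a malicious one needs the kind of manual judgment applied in the thread.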
Ok, I am unable to post a new log because just as the scan finishes the program crashes now. Also, I failed to mention this yesterday, when I click ctrl alt delete to see what programs are running, there is a Rundll32 that always shows up, sometimes twice. Its path is rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall. And usually when Rundll32 runs in the background Iexplore runs even when I have IE closed and some other unknown programs begin running in the back and startup, I usually have to go disable those unknown programs from running on startup in my Starter program. Also, explorer usually runs on startup when I first turn on the computer but since this morning it hasn't.
Did you delete the entire contents of your C:\Windows\Temp folder as I instructed earlier? Your last log didn't have the " O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall" entry responsible for firing up the TEMP\SE.DLL file.
Unfortunately, your log does show another new nasty, aside from the rqyokv.exe entry crunchie mentioned:
O4 - Startup: tfypnk.exe
You should have HJT fix that entry and then locate and delete the tfypnk.exe file before posting the new log.
Quote from Crunchie: " Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
RQYOKV.EXE"
That file does not appear there, but do you want to see the programs on that list?
Also, I did clear out the TEMP folder, and HJT still crashes when it scans. Also, I have Spybot S&D and it also crashed when I tried to fix the problems it had detected...
Originally Posted by SilentBob3208
Quote from Crunchie: " Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
RQYOKV.EXE"
that file does not appear there, but, do you want to see the programs on that list?
Also, I did clear out the TEMP folder, and HJT still crashes when it scans. Also, I have Spybot S&D and it also crashed when i tried to fix the problems it had detected...
Logfile of HijackThis v1.99.0
Scan saved at 2:08:55 PM, on 2/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RQYOKV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Wubi is an officially supported Ubuntu Linux installer for Windows.
http://wubi-installer.org/