spyware not allowing me to use internet explorer

Question

SolitaryIvy1 0 Newbie Poster

19 Years Ago

to anyone that can help:

my internet explorer is currently out of commission by what someone has said is spyware. it opens and just tells me that the page cannot be displayed and won't open anything else or refresh.

i'm using a compaq presario, windows XP, and i'm on a LAN connection.

here is my hijackthis log.

please help.

Logfile of HijackThis v1.98.2
Scan saved at 10:21:26 PM, on 9/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Inverse IP InSight\PenTele\ARUpld32.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\Program Files\Inverse IP InSight\PenTele\ARMon32a.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis-1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\o5g6ppqf.slt\prefs.js)
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SpyHunter] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://anti-virus.albright.edu/webinstall/webinst.cab

windows-virus

3 Contributors
15 Replies
227 Views
1 Day Discussion Span
Latest Post 19 Years Ago Latest Post by DMR

All 15 Replies

DMR 152 Wombat At Large

19 Years Ago

Your log file is pretty clean; are you sure you don't have a DNS issue instead?

Try reaching a website by its IP address instead of its URL. Using Google as an example, in Internet Exploder's location bar, type the following:

http://64.233.167.99

Does that take you to Google?

Also try opening a DOS box and typing the following commands. Tell us the results of each:

ping www.google.com

ping 64.233.167.99

DMR 152 Wombat At Large

19 Years Ago

Your HJT log doesn't report any evidence of a broken or corrupted TCP/IP stack, so...

How are you connected to the Internet (cable, DSL, Dial-up, etc.), and what hardware is involved?

If you have cable or DSL, are you using a broadband router or do you connect directly to the modem? If you use a router, can you ping the IP of the router (usually 192.168.0.1 or 192.168.1.1)?

If you use broadband and connect directly to the modem, is the connection USB or Ethernet?

DMR 152 Wombat At Large

19 Years Ago

everything else is fuctioning other than the internet explorer itself.

Unfortunatley, everything else isn't functioning if you can't even ping. :sad:

- Try to ping the IP of your own machine.

- Try these two pings and post the results:

ping localhost
ping 127.0.0.1

Also- post the output of the following command:

route print

DuncanIdaho 2 Unverified User

19 Years Ago

I've seen this before:

O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL

It's part of some nasty, or at least, some on other forums have indicated so, might be worth taking a look into. One thing I know about this is that the filename isn't always the same. Hope this helps one of the experts get you squared away. :)

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

SolitaryIvy1 0 Newbie Poster · Answer 1 · 2004-09-07T09:15:39+00:00

using the IP address still does not open the website.

and here is what i got in dos when i tried to ping.

Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\OWNER>ping www.google.com

Pinging www.google.akadns.net [64.233.161.104] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.233.161.104:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\DOCUME~1\OWNER>
C:\DOCUME~1\OWNER>ping 64.233.167.99

Pinging 64.233.167.99 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.233.167.99:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\DOCUME~1\OWNER>

SolitaryIvy1 0 Newbie Poster · Answer 2 · 2004-09-07T09:23:29+00:00

i'm at a school with either a T1 or T3 connection i'm not sure.....and i use an ethernet connection. everything else is fuctioning other than the internet explorer itself.

SolitaryIvy1 0 Newbie Poster · Answer 3 · 2004-09-07T19:01:47+00:00

well when i meant that everything else is functioning i meant my messengers and netscape which is what i'm using to access the internet right now.

here is the information for what you said to do

Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\OWNER>ping localhost

Pinging Beccascomputer [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\DOCUME~1\OWNER>ping 127.0.0.1

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\DOCUME~1\OWNER>

DMR 152 Wombat At Large Team Colleague · Answer 4 · 2004-09-07T21:57:25+00:00

I've seen this before:
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
It's part of some nasty, or at least, some on other forums have indicated so, might be worth taking a look into. One thing I know about this is that the filename isn't always the same. Hope this helps one of the experts get you squared away. :)

Thanks DuncanIdaho, I totally missed that one- I guess that's what I get for posting at 1:30 AM. [img]http://www.stevewolfonline.com/Downloads/DMR/Visuals/sleep.gif[/img]

You're right- that entry should be fixed by HJT, and then the ATPART~1.dll file should be deleted if it still exists after the HJT fix and a reboot.

SolitaryIvy1,

The "~1" in the filename is a truncation, so ATPART~1.dll will not be the file's real, full name. In the Folder Options under the Tools menu of Windows Explorer, select "Show hidden files and folders", deselect "Hide protected operating system files, and then look in your C:\WINDOWS\System32 folder for the file whose name begins with ATPART. Delete that file if you find it.

Usually the inability to ping indicates something lower-level than a browser problem, but in this case, since you've said that Netscape works fine, my guess is that ping requests to/from the "outside world" are probably just being blocked by your school's IT dept. for security reaons.

DuncanIdaho 2 Unverified User · Answer 5 · 2004-09-07T22:17:12+00:00

Glad to help. I'm learning a lot watching you guys. :)

DMR 152 Wombat At Large Team Colleague · Answer 6 · 2004-09-07T22:19:51+00:00

DMR 152 Wombat At Large

19 Years Ago

You're doing just fine- glad to have you aboard. :)

SolitaryIvy1 0 Newbie Poster · Answer 7 · 2004-09-07T23:10:20+00:00

i fixed the problem in hijackthis and made sure that the file wasn't in my system32 folder...is there something else that i need to do after that? because my internet explorer is still not working

SolitaryIvy1 0 Newbie Poster · Answer 8 · 2004-09-07T23:52:11+00:00

i don't know if it will help but i was playing around with some sites in internet explorer trying to get it to work. and the sites would come up with these symbols in front of the words...

for example

i typed in www.yahoo.com and hit enter and got this on the web address line-

http:///?%20www.yahoo.com

and it does that for all kinds of other sites too..and tells me that the page cannot be displayed.

SolitaryIvy1 0 Newbie Poster · Answer 9 · 2004-09-08T00:28:28+00:00

i ran spybot and destory something i didn't know about until after i posted and my internet explorer is working fine....thank you for your time.

DuncanIdaho 2 Unverified User · Answer 10 · 2004-09-08T02:17:05+00:00

DuncanIdaho 2 Unverified User

19 Years Ago

That's great news. Keep safe.

DMR 152 Wombat At Large Team Colleague · Answer 11 · 2004-09-08T02:56:10+00:00

i don't know if it will help but i was playing around with some sites in internet explorer trying to get it to work. and the sites would come up with these symbols in front of the words...
for example
i typed in www.yahoo.com and hit enter and got this on the web address line-
http:///?%20www.yahoo.com
and it does that for all kinds of other sites too..and tells me that the page cannot be displayed.

"%20" is the ACSII code for the "space" character. I dimly rember some issue with parsing that character code in a URL and/or HTLM in general, but I'd have to do some research to find the reference again.

Anyway, I'm glad you got it sorted. In the future, run SpyBot and Adaware consecutively at regular intervals (make sure to get the most recent updates for each before running them) to find and remove whatever might have managed to creep into your system.

spyware not allowing me to use internet explorer

Recommended Answers Collapse Answers

All 15 Replies

Recommended Answers