0

To anyone who can help:

My Internet Explorer is currently out of commission because of what someone has said is spyware. It opens and just tells me that the page cannot be displayed, and won't open anything else or refresh.

I'm using a Compaq Presario, Windows XP, and I'm on a LAN connection.

Here is my HijackThis log.

Please help.

Logfile of HijackThis v1.98.2
Scan saved at 10:21:26 PM, on 9/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Inverse IP InSight\PenTele\ARUpld32.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\Program Files\Inverse IP InSight\PenTele\ARMon32a.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis-1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\o5g6ppqf.slt\prefs.js)
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SpyHunter] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://anti-virus.albright.edu/webinstall/webinst.cab
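Added example (not part of the original thread, and not HijackThis code): a small Python triage script that reads lines in the HijackThis format shown above and flags the entries an analyst would check first. The sample log is a subset of the log posted above; the list of stock IE search hosts, the regular expressions and the heuristics are my assumptions for illustration, not a malware database, and a flag means "look at this", not "this is malicious".

```python
"""Triage a HijackThis v1.98 log: flag entries worth a human's attention."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of the log posted in this thread, embedded so
# the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - Default URLSearchHook is missing
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SpyHunter] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://anti-virus.albright.edu/webinstall/webinst.cab
"""

# Assumption: hosts a stock IE 6 install points its search settings at.
# Anything else under R0/R1 is flagged for review, not declared malicious.
DEFAULT_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "auto.search.msn.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
MODULE_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
TRUNCATED_RE = re.compile(r"~\d+\.[A-Za-z0-9]+$")  # 8.3 short name such as ATPART~1.DLL


def executable_of(cmd):
    """Lower-cased program path from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.split()[0]).lower()


def parse_entries(text):
    """Return (kind, body, full_line) for every HJT entry line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), line.strip()))
    return entries


def triage(entries):
    """Return a list of (severity, subject, reason) findings."""
    findings = []
    run_names = defaultdict(list)  # executable -> [Run value names using it]
    for kind, body, line in entries:
        if kind in ("R0", "R1") and " = " in body:
            host = urlsplit(body.split(" = ", 1)[1]).hostname or ""
            if host not in DEFAULT_SEARCH_HOSTS:
                findings.append(("review", line, f"search setting points at {host}"))
        elif kind == "R3":
            findings.append(("info", line, "URLSearchHook altered or removed"))
        elif kind in ("O2", "O3"):
            m = MODULE_RE.match(body)
            if m and TRUNCATED_RE.search(m.group("path")):
                findings.append(("review", line, "truncated 8.3 filename; resolve the real name on disk"))
        elif kind == "O4":
            m = O4_RE.match(body)
            if m:
                run_names[executable_of(m.group("cmd"))].append(m.group("name"))
        elif kind == "O16":
            m = DPF_RE.match(body)
            if m:
                host = urlsplit(m.group("url")).hostname or ""
                if not host.endswith("microsoft.com"):
                    findings.append(("review", line, f"ActiveX install from {host}"))
    # Two Run values launching the same binary is unusual enough to ask about.
    for exe, names in run_names.items():
        if len(names) > 1:
            findings.append(("review", exe, "same program registered under Run names " + ", ".join(names)))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"[{severity}] {reason}\n    {subject}")
```

On the posted log this flags the two AIM search redirects, the missing URLSearchHook, the truncated ATPART~1.DLL BHO, the university ActiveX installer and the StorageGuard/SpyHunter pair that both launch sgtray.exe; the thread itself only acts on the BHO, and the script only says which lines deserve a look.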

1

Your log file is pretty clean; are you sure you don't have a DNS issue instead?

Try reaching a website by its IP address instead of its URL. Using Google as an example, in Internet Exploder's location bar, type the following:

http://64.233.167.99

Does that take you to Google?


Also try opening a DOS box and typing the following commands. Tell us the results of each:

ping www.google.com

ping 64.233.167.99

0

Using the IP address still does not open the website.

And here is what I got in DOS when I tried to ping.

Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\OWNER>ping www.google.com

Pinging www.google.akadns.net [64.233.161.104] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.233.161.104:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\DOCUME~1\OWNER>
C:\DOCUME~1\OWNER>ping 64.233.167.99

Pinging 64.233.167.99 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.233.167.99:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\DOCUME~1\OWNER>

0

Your HJT log doesn't report any evidence of a broken or corrupted TCP/IP stack, so...

How are you connected to the Internet (cable, DSL, Dial-up, etc.), and what hardware is involved?

If you have cable or DSL, are you using a broadband router or do you connect directly to the modem? If you use a router, can you ping the IP of the router (usually 192.168.0.1 or 192.168.1.1)?

If you use broadband and connect directly to the modem, is the connection USB or Ethernet?

0

I'm at a school with either a T1 or T3 connection, I'm not sure, and I use an Ethernet connection. Everything else is functioning other than Internet Explorer itself.

0

Everything else is functioning other than Internet Explorer itself.

Unfortunately, everything else isn't functioning if you can't even ping. :sad:

- Try to ping the IP of your own machine.

- Try these two pings and post the results:

ping localhost
ping 127.0.0.1

Also- post the output of the following command:

route print

0

Well, when I said that everything else is functioning, I meant my messengers and Netscape, which is what I'm using to access the internet right now.

Here is the information for what you said to do:

Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\OWNER>ping localhost

Pinging Beccascomputer [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\DOCUME~1\OWNER>ping 127.0.0.1

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\DOCUME~1\OWNER>

1

I've seen this before:

O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL

It's part of some nasty, or at least some on other forums have indicated so; might be worth taking a look into. One thing I know about this is that the filename isn't always the same. Hope this helps one of the experts get you squared away. :)

0

I've seen this before:

O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL

It's part of some nasty, or at least some on other forums have indicated so; might be worth taking a look into. One thing I know about this is that the filename isn't always the same. Hope this helps one of the experts get you squared away. :)

Thanks DuncanIdaho, I totally missed that one- I guess that's what I get for posting at 1:30 AM.

You're right- that entry should be fixed by HJT, and then the ATPART~1.dll file should be deleted if it still exists after the HJT fix and a reboot.


SolitaryIvy1,

The "~1" in the filename is a truncation, so ATPART~1.dll will not be the file's real, full name. In the Folder Options under the Tools menu of Windows Explorer, select "Show hidden files and folders", deselect "Hide protected operating system files", and then look in your C:\WINDOWS\System32 folder for the file whose name begins with ATPART. Delete that file if you find it.

Usually the inability to ping indicates something lower-level than a browser problem, but in this case, since you've said that Netscape works fine, my guess is that ping requests to/from the "outside world" are probably just being blocked by your school's IT dept. for security reasons.
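Added example, not from the thread: the layering the replies above walk through (loopback first, then name resolution, then a raw IP, then whether a browser still works) written as a small Python classifier over Windows ping transcripts. The transcripts are constructed from the ones posted in this thread; the "could not find host" one is constructed to show the DNS branch, which this thread never hit. The verdict names are my own, and the "bad-resolution" outcome generalizes slightly beyond the thread: a name that resolves but whose address stays silent while a raw IP answers is a reason to inspect the hosts file and the DNS answer before blaming the network.

```python
"""Classify which layer is failing from three Windows ping transcripts."""
import re

# Constructed samples, reproducing the XP ping output posted in this thread.
LOOPBACK = """
Pinging Beccascomputer [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

BY_NAME = """
Pinging www.google.akadns.net [64.233.161.104] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.233.161.104:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

BY_IP = """
Pinging 64.233.167.99 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.233.167.99:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

# Constructed: the line XP prints when the name does not resolve at all.
NO_DNS = "Ping request could not find host www.google.com. Please check the name and try again."

HEADER_RE = re.compile(
    r"^Pinging (?:(?P<name>\S+) \[(?P<resolved>[\d.]+)\]|(?P<ip>[\d.]+)) with \d+ bytes")
STATS_RE = re.compile(r"Sent = (?P<sent>\d+), Received = (?P<recv>\d+)")


def parse_ping(transcript):
    """Reduce one ping transcript to target, resolved address and reply counts."""
    r = {"target": None, "resolved": None, "sent": 0, "received": 0, "unknown_host": False}
    for line in transcript.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            r["target"] = m.group("name") or m.group("ip")
            r["resolved"] = m.group("resolved") or m.group("ip")
            continue
        m = STATS_RE.search(line)
        if m:
            r["sent"], r["received"] = int(m.group("sent")), int(m.group("recv"))
        elif "could not find host" in line:
            r["unknown_host"] = True
    return r


def classify(loopback, by_name, by_ip, browser_works=False):
    """Name the lowest failing layer, given pings of 127.0.0.1, a name and a raw IP."""
    if loopback["received"] == 0:
        return "stack"              # 127.0.0.1 silent: the TCP/IP stack itself is broken
    if by_name["unknown_host"]:
        return "dns"                # the name never became an address
    if by_ip["received"] == 0:
        if by_name["received"] == 0:
            # Nothing outside answers, yet HTTP works: ICMP is filtered upstream.
            return "icmp-filtered" if browser_works else "upstream"
        return "host-unreachable"   # only this address is down or filtered
    if by_name["received"] == 0:
        # Name resolved, but its address is silent while a raw IP answers:
        # check the hosts file and the DNS answer before blaming the network.
        return "bad-resolution"
    return "ok"


if __name__ == "__main__":
    lo, nm, ip = parse_ping(LOOPBACK), parse_ping(BY_NAME), parse_ping(BY_IP)
    print(classify(lo, nm, ip, browser_works=True))
```

Run against the thread's own transcripts with Netscape known to work, the verdict is "icmp-filtered", which is the conclusion the reply above reaches by hand.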

0

I fixed the problem in HijackThis and made sure that the file wasn't in my System32 folder. Is there something else that I need to do after that? Because my Internet Explorer is still not working.

0

I don't know if it will help, but I was playing around with some sites in Internet Explorer trying to get it to work, and the sites would come up with these symbols in front of the words...

for example

I typed in www.yahoo.com and hit enter and got this on the web address line:

http:///?%20www.yahoo.com

and it does that for all kinds of other sites too, and tells me that the page cannot be displayed.

0

I ran Spybot Search & Destroy, something I didn't know about until after I posted, and my Internet Explorer is working fine. Thank you for your time.

0

I don't know if it will help, but I was playing around with some sites in Internet Explorer trying to get it to work, and the sites would come up with these symbols in front of the words...

for example

I typed in www.yahoo.com and hit enter and got this on the web address line:

http:///?%20www.yahoo.com

and it does that for all kinds of other sites too, and tells me that the page cannot be displayed.

"%20" is the ACSII code for the "space" character. I dimly rember some issue with parsing that character code in a URL and/or HTLM in general, but I'd have to do some research to find the reference again.

Anyway, I'm glad you got it sorted. In the future, run SpyBot and Adaware consecutively at regular intervals (make sure to get the most recent updates for each before running them) to find and remove whatever might have managed to creep into your system.
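Added example, not part of the thread: parsing the rewritten address with Python's standard library shows why it could never load. %20 is the percent-encoding of a space (ASCII 0x20); in http:///?%20www.yahoo.com the host slot between the slashes is empty and the name the user typed has been pushed into the query string, so there is no server to connect to, which is exactly the shape IE reports as "page cannot be displayed". The diagnose and repair helpers, their verdict labels and the hostname pattern are my own.

```python
"""Explain and undo an address-bar rewrite of the form http:///?%20host."""
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Assumed, loose shape of a hostname: enough to spot one hiding in a query.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def diagnose(observed, typed=None):
    """Return (verdict, host) for the URL the browser actually shows.

    verdicts: intact        - host present and equal to what was typed
              host-changed  - host present but not what was typed
              host-moved    - host slot empty, typed name found in path/query
              empty-host    - host slot empty and nothing recoverable
    """
    parts = urlsplit(observed)
    host = (parts.hostname or "").lower()
    if host:
        if typed is None or host == typed.lower():
            return ("intact", host)
        return ("host-changed", host)
    # Empty host slot: percent-decode the rest and look for a hostname in it.
    decoded = unquote(" ".join((parts.path, parts.query, parts.fragment)))
    m = HOST_RE.search(decoded)
    if m:
        return ("host-moved", m.group(0).lower())
    return ("empty-host", "")


def repair(observed):
    """Rebuild the URL the user meant when the host was moved into the query."""
    verdict, host = diagnose(observed)
    if verdict != "host-moved":
        return observed
    scheme = urlsplit(observed).scheme or "http"
    return urlunsplit((scheme, host, "/", "", ""))


if __name__ == "__main__":
    bad = "http:///?%20www.yahoo.com"
    print(urlsplit(bad))                 # netloc='' , query='%20www.yahoo.com'
    print(diagnose(bad, "www.yahoo.com"))
    print(repair(bad))
```

The first print makes the point on its own: netloc is the empty string, so the browser is being asked to open a connection to nobody. The repair is only for understanding the mangling; the fix on the machine was removing whatever rewrote the address, as the thread found.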
