HJT Log - XP SP2, IE6 Problems

Forgot to mention the obvious stuff that I already tried besides the items in my first post.

1. Resinstalled IE6 a couple times
2. I run Norton everyday
3. Tried to locate and remove anything associated with those ad sites I posted.

Right now I working on some more of crunchies recommendations....I'm trying to help myself, but I'm a serious junior at this.

muchas grac
carrie

Also, ran LSPFix and no instances of LSPAK.dll showed up. checked reg myself for Greyco and lspak and found nothing.

*heavy sighs*

Had some advice to look at the IE error log...here's what i found..
Microsoft Internet Explorer 5.0 Error Log -- VER_MAJOR_PRODUCTVER.VER_MINOR_PRODUCTVER.VER_PRODUCTBUILD.VER_PRODUCTBUILD_QFE
CurrentTime: 9/12/2004 9:53 AM
Exception Info: Code=c0000005 Flags=0 Address=1ec9e01
Exception Param: 0 0

9/12/2004 9:50 AM - - http://www.yahoo.com
9/12/2004 9:49 AM - - file:///C:/Documents%20and%20Settings/All%20Users/Application%20Data/Motive/Acme/plugin/indices/098105.txt
9/12/2004 9:48 AM - - http://xlime.offeroptimizer.com/close.html
9/12/2004 9:47 AM - - http://xadso.offeroptimizer.com/ctx/ron_context.php?urlContext=https%3A%2F%2Fwww.improvementscatalog.com%2Fconfirmed.asp%3Forder_id%3DDWC9R4N2C4HP8G8A85EC0DRDK7%26email%3D&domainContext=improvementscatalog.com&distID=&country=US&transponderID={386E9D46-CBE6-4255-919D-EB487F103C55}&build=0.4.4.30
9/12/2004 9:47 AM - - https://www.improvementscatalog.com/confirmed.asp?order%5Fid=DWC9R4N2C4HP8G8A85EC0DRDK7&email=
9/12/2004 9:46 AM - - https://www.improvementscatalog.com/xt_orderform_purchase.asp
9/12/2004 9:45 AM - - https://www.improvementscatalog.com/order_review.asp
9/12/2004 9:44 AM - - https://www.improvementscatalog.com/payment.asp
9/12/2004 9:43 AM - - https://www.improvementscatalog.com/xt_orderform_prepare.asp
9/12/2004 9:42 AM - - http://www.improvementscatalog.com/xt_shipping.asp

From here I do what?

There are a number of malware and virii programs that will cause the 'IE6 will not open anything in a new window, even if right-clicked.' problem you describe.

Among them a program called Pop_Up_Killer.

A few BHO programs, (browser helper objects), can cause the same or similar symptoms, you need one of the experts here to go through that HJT log, as even a glance shows me you're rather infested. ^^;

This looks like a virus:
C:\WINDOWS\system32\qlkmdo.exe

This is spyware/adware:
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll

And yet more spyware:
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\system32\winb2s32.dll

And there's much more. Crunchie or DMR will be able to help you out, and hopefully you're problems will go with that full load of spyware and such. :)

Thanks for the guidance, but, praytell, how do I come by the assistance of these senior techs?

Crunchie and DMR, any chance you'd review the log and help out here?

Muchas Gracias,
Carrie

p.s. I would not disrepect you senior by not trying to help myself.....I continue the spyway battle.

Thanks cruchie, you picked a great weekend to go on vacation... :rolleyes: :mrgreen:

OK, this is going to take a bit, but:

1. Have HJT fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {AB7B8CE0-FC1B-FE0C-1CE1-8F2414EB8A24} - C:\WINDOWS\System32\kaekdosn.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\system32\winb2s32.dll
O4 - HKLM\..\Run: [qnrnpfqs] C:\WINDOWS\ycvuwacq.exe
O4 - HKLM\..\Run: [rozhdnumneta] C:\WINDOWS\system32\qlkmdo.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

If the IP addresses in the following entry are not the IP addresses of the DNS servers that your ISP gave you, have HJT fix this as well:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B890F822-3EA8-4C00-8A7E-F12A821005A9}: NameServer = 205.152.37.23 205.152.132.23

2. - Reboot into safe mode and, for every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files". Once done, search for and delete all of the .dll and .exe files in the HJT entries I listed above.

- Empty your Recycle Bin.
- Reboot normally.

- Run HJT again and post a fresh log.

Temporarily disable Tea-Timer.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\system32\winb2s32.dll
O2 - BHO: (no name) - {AB7B8CE0-FC1B-FE0C-1CE1-8F2414EB8A24} - C:\WINDOWS\System32\kaekdosn.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\system32\winb2s32.dll

O4 - HKLM\..\Run: [qnrnpfqs] C:\WINDOWS\ycvuwacq.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [rozhdnumneta] C:\WINDOWS\system32\qlkmdo.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\ycvuwacq.exe-file
C:\WINDOWS\system32\qlkmdo.exe-file
C:\WINDOWS\ALCXMNTR.EXE-file

Reboot normally after doing the above then post a fresh log please.

Many thanks to the three of you for your time and patience. I have completed the recommended actions and this is the resultant HJT log. Off to install Sygate.

Logfile of HijackThis v1.98.2
Scan saved at 8:38:26 AM, on 9/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Carrie_2\Desktop\Security\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com

These entries seem like spyware i went to the link and the page looks like a normal hijack your homepage type of site

Fix those 01 entries as suggested by mikeandike22 then, download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

download the VX cleaner plug in for Adaware. Install it, then open Adaware & go to *add-ons* & run the plug-in. If anything is found, select *clean system* & when done, reboot & run Adaware & let it finish the clean-up. Reboot again.

http://www.lavasoftusa.com/software/plugins/vx2cleaner.shtml

What's up DMR?? :). I'm still here.

Hello.
Little bit of usless info:
I got laptop from a friend who complaina bout IE that it open only 1 freaking window. I found this topic but I can see no one slove the mystery yet. It took me few hours on reading some forums and doing silly stuff by scanning with ad-aware... Once I give up on searching answare on internet I start messing with her laptop. I guess it took me another hour or so but I think i got it fixed. :cool:

I can see from thefemmsfixit log file that he have same little bug :twisted: that sitting there and eating every windows.

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll

Here what you need to do.
In IE, Click Tools, Manage add-ons...
New windows will open and you will see
"Yahoo! Companion BHO" -- ycomp5_3_12_0.dll
Disable this plugin.

I belive it will fix your problem.

PS I am kinda noob in that stuff. :eek:
PSS let me know if it will fix your pc and what steps you did. I need that for personal exp.

Many thanks for all the assistance!!! Can only get here on Saturdays..you all know how it is....lol

Have fixed everything IkeandMike and Crunchie suggested. Helped tremendously. Also, the suggestion to disable the Yahoo BHO did solve the single window problem in IE.

Big ups, guys.

Still outstanding issue w/ typing an address into address bar. Site typed does not open. Doesn't appear that anything is happening.

Is there an IE trace facility?

Still trying to get Sygate downloaded...their site seems to be having some sort of stalling problem...Or, could be me.

You can get it here:

http://www.tucows.com/preview/213160.html

Many thanks for all the assistance!!! Can only get here on Saturdays..you all know how it is....lol

Have fixed everything IkeandMike and Crunchie suggested. Helped tremendously. Also, the suggestion to disable the Yahoo BHO did solve the single window problem in IE.

Big ups, guys.

Still outstanding issue w/ typing an address into address bar. Site typed does not open. Doesn't appear that anything is happening.

Is there an IE trace facility?

Still trying to get Sygate downloaded...their site seems to be having some sort of stalling problem...Or, could be me.

I am not really sure but I think some toolbars that downloads into your IE could mess it up. (As well most of the free software that install them as well)
You can try run some AD-Aware software to see.
You need keep on your computer Winsock repair tool. http://cexx.org/lspfix.htm
You can try use it to fix your IE problem (most of them connectivity problems.)

I am not really sure but I think some toolbars that downloads into your IE could mess it up. (As well most of the free software that install them as well)

Quite true; you might want to uninstall any IE add-ons such as the Yahoo and AIM toolbars just to eliminate any variables.

You need keep on your computer Winsock repair tool. http://cexx.org/lspfix.htm. You can try use it to fix your IE problem (most of them connectivity problems.)

Be careful with Winsock utilities though: they can repair a corrupted Winsock layer, but they can also break that layer if used improperly.
Also, while spyware/trojans/hijackers and the like can definitely alter or cripple your web browsing, relatively few of them actually do so by grafting themselves into your Winsock implementation.

Given that, tools such as LSPFix should only be used when you know for certain that a corrupt Winsock stack is part of your problem; Winsock utilities will be of no help whatsoever for the numerous other problems caused by malicious programs.

By the way- Hijack this does detect irregularities in the Winsock/LSP stack; it will report them with an "010" code in its log.