Many popups, now IE6 won't work. Help please!

Question

soccerchick 0 Newbie Poster

19 Years Ago

Hi! I'm using Windows 98 and a few days ago I started getting many popups from sites such as "ads1.revenue.net" and "ad-a-w-a-r-e.???". I have Zone Alarm, AVG and Ad-aware on my computer. I also got something called Cookie Wall and I started using Spybot. According to them, my system is clean except for one recurring problem on Spybot called _____________________.

These problems started when I tryed downloading the update for Kazaa (not a smart move, I know!). AVG detected a couple viruses in the Kazaa download so I cancelled the download and cleaned the system. One of the viruses that was more difficult to remove was Downloader.XrenA. I then tried to get Torrent, I didn't like how it was working so deleted it. I tried to make sure all the files for both programs were gone from the temp files, but don't know if I succeeded. This was when the problem with the popups started.

Under the security options in IE6 I started putting in the popup sites as restricted sites so that the information wasn't downloaded each time. A couple programs were installed on my computer without my knowledge (Zone Alarm caught one of them, but not one called "My Daily Horoscope". Soon after I started blocking the restricted sites I got Spybot and it found some problems and fixed them.

The next problem was that RunDll32.exe started trying to access the internet "as an application" according to Zone Alarm. I kept denying it access and then IE started not working completely. I can open the program, it tries to go to the home page or google or wherever, but then is redirected by something in c:\windows\?????????.dll\?????? I can't make out what it says because it is only shown quickly in the status bar at the bottom.

There were some other random problems throughout the time such as my system becoming unstable and when I try to shut down, certain programs "aren't responding" and i can wait or end task. These programs are "unregister", "McDetect" and a blank one. There's also some strange files I don't recognize on my computer such as NicTechNetwork, DJNDI.dll, Wrapperouter, Glb70dl. I tried repairing IE and running, AVG, Spybot, AdAware, etc in safe mode (multiple times). Any ideas?

Sorry this is so long, but I figured it best to explain everything! Thanks for any help you can give me! My hijack this log is as follows:

Logfile of HijackThis v1.98.2
Scan saved at 3:40:07 PM, on 12/09/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CookieWall] C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how/home_network/getfqdn.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/blockwerx/blockwerx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/25f51e3fa72a80ef3e18/netzip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

Thanks again!

windows-virus

3 Contributors
11 Replies
106 Views
4 Days Discussion Span
Latest Post 19 Years Ago Latest Post by crunchie

All 11 Replies

deonnanicole 5 Posting Whiz in Training

19 Years Ago

If you have all of your Windows Updates, then you can probably ignore the DSO Exploit. It is a bug in Spybot. One of the experts will let you know for sure. :)

crunchie 990 Most Valuable Poster

19 Years Ago

deonnanicole is correct. As long as you are fully up-to-date with your Windows Microsoft updates, there is nothing to worry about. Set spybot to ignore that item.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/25f51e3fa72a80...ip/RdxIE601.cab
-Netster

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\Program Files\Orbit-folder
C:\Program Files\VBouncer-folder

Reboot normally after doing the above then post a fresh log please.

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

crunchie 990 Most Valuable Poster

19 Years Ago

Try downloading the Anti-Virus in my signature, update it & run it. Allow it to clean anything it finds.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

soccerchick 0 Newbie Poster · Answer 1 · 2004-09-13T02:12:12+00:00

The blank above is "DSO exploit".

I ran some online Trojan detector programs which found nothing.

I also checked the Startup Files in msconfig. Now the only startup files that I have checked are AVG Control Centre, Zone Labs Client, CookieWall, ScanRegistry, SystemTray, Loadqm, TrueVector and AVGserv9.exe

soccerchick 0 Newbie Poster · Answer 2 · 2004-09-13T03:01:38+00:00

OK so the file that IE is directed to is C:\Windows\System\Shdoclc.dll
I opened this file in Wordpad and it seemed to be just the error page for IE that says "This page cannot be displayed" however the copyright on it is not Microsoft, it's the University of something. I tried renaming the file (in normal and safe mode) but it said that Windows was using it. I'm not sure if this file is anything or if it is just the normal error page. Let me know if I should attach this file as .txt so you can see it. Any help would be greatly appreciated! This thing's driving me nuts!!! :)

soccerchick 0 Newbie Poster · Answer 3 · 2004-09-13T03:19:03+00:00

I saw your "help yourself" thread and realized all the startup programs had to be checked. Here's my new hijack this log.

Logfile of HijackThis v1.98.2
Scan saved at 5:19:40 PM, on 12/09/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CookieWall] C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [PVR] C:\PROGRAM FILES\XEMICOMPUTERS\POCKET VOICE RECORDER\PVR.exe
O4 - HKCU\..\Run: [Cookie Monitor] C:\PROGRAM FILES\COOKIE MONITOR\COOKIEMONITOR.exe /1
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how/home_network/getfqdn.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/blockwerx/blockwerx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/25f51e3fa72a80ef3e18/netzip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

Thanks!

soccerchick 0 Newbie Poster · Answer 4 · 2004-09-13T19:09:24+00:00

Ok I did everything you said. It's still not letting IE access the internet. Zone Alarm gave me the notification (when I opened HiJack this ... it's usually when I open IE) that said "Run a DLL as an App is trying to acceess the internet" the application is still rundll32.exe only this time I recorded the IP it was trying to access 192.168.0.101 Port 1027. A different time it tried port 1900. Could this be a trojan???

Here's my new Hijack this log. Thanks for the help!

Logfile of HijackThis v1.98.2
Scan saved at 9:05:39 AM, on 13/09/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CookieWall] C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Cookie Monitor] C:\PROGRAM FILES\COOKIE MONITOR\COOKIEMONITOR.exe /1
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [PVR] C:\PROGRAM FILES\XEMICOMPUTERS\POCKET VOICE RECORDER\PVR.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how/home_network/getfqdn.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/blockwerx/blockwerx.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

soccerchick 0 Newbie Poster · Answer 5 · 2004-09-15T10:04:39+00:00

Ok, I downloaded AntiVir and ran it 3 times, twice in normal mode and once in safe mode. In the settings menu I configured it to check for everything except for games. It found 3 trojan horses and deleted them in the first two runs. In the last run it found nothing. Everytime I turn the computer on Zone Alarm still asks if RunDll32.exe can access the internet. I keep denying it (I'm not saying deny always so that I'll know when it stops). Also internet explorer still isn't working.

Any other ideas?

Here's my new Hijack This log:

Logfile of HijackThis v1.98.2
Scan saved at 12:07:07 AM, on 15/09/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACRORD32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CookieWall] C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Cookie Monitor] C:\PROGRAM FILES\COOKIE MONITOR\COOKIEMONITOR.exe /1
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [PVR] C:\PROGRAM FILES\XEMICOMPUTERS\POCKET VOICE RECORDER\PVR.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how/home_network/getfqdn.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/blockwerx/blockwerx.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

Thanks again for your time!

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 6 · 2004-09-15T17:54:51+00:00

The only one I am not sure of is
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
So have hijackthis fix it then delete the MyDailyHoroscope folder in program files.
First though, check to see if it has an entry in add\remove programs.
Apart from that, all other entries are legit.

soccerchick 0 Newbie Poster · Answer 7 · 2004-09-15T18:42:18+00:00

I realize that rundll32.exe is a system folder, but when I was in msconfig for the start up items, there are now 3 entries that call on rundll32.exe . I'm pretty sure that none of them were there before. The entries are:

ICSDCLT C:\WINDOWS\rundll32.exe C:\WINDOWS|SYSTEM\icsdclt.dll,ICSClient

LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

What do you think of these files? When I searched google with some of the names I got alot of security forums where people seem to have the same problem... I'm going to try some of their solutions. I'll let you know if something works. Do you have any other suggestions?

Thanks!

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 8 · 2004-09-17T17:03:30+00:00

ICSDCLT C:\WINDOWS\rundll32.exe C:\WINDOWS|SYSTEM\icsdclt.dll,ICSClient= Internet Connection Sharing allows more than one computer to simultaneously access the internet with a single connection. Also required when networking two machines

LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme=
Power management specifics such as monitor shut-off, system standby, etc. Associated with power management

Many popups, now IE6 won't work. Help please!

Recommended Answers Collapse Answers

All 11 Replies

Recommended Answers