INTERNET CONNECTION PROBLEM!

my mate's comp seems to have a problem trying to connect to MS website, when he tries, the site seems to get hijacked, the page comes up "about blank" and then comes up with a search page which he has never seen before which then opens itself up.

the page doesn't have a title! he has run avg, spybot, adaware, hijackthis and no solutions.

he has downloaded and run the virus/worm cleaner for AVG7, and also run v clean which searches for 100+ virus and nothing comes up.

running on windows 98SE, on celeron processor laptop (or lapdancer as my old mum says)

thanks loops
any ideas folks?
THE CHAINS OF HABIT ARE TOO WEAK TO BE FELT UNTIL THEY ARE TOO STRONG TO BE BROKEN... :A

Comments

  • Nasty.

    What does his hijackthis log look like?

    Can you paste it in a reply?
  • alanrowell
    alanrowell Posts: 5,389 Forumite
    How does your mate access MS - does he type in "https://www.microsoft.com" or does he click a link.

    If the latter, I'd check the address held in the link as it could be that he's misspelt it.
  • loopy_lass
    loopy_lass Posts: 1,551 Forumite
    Ok, i think you have misunderstood the hijack thing strike eagle, it's a programme for removing viruses, sorry.

    and alanrowell, my friend has tried to get into microsoft numerous ways and all load in the address bar as "about blank" and a page which says search for....which won't let him do anything, it just reverts back to blank page.

    Mmm is this getting messy?

    loops
    THE CHAINS OF HABIT ARE TOO WEAK TO BE FELT UNTIL THEY ARE TOO STRONG TO BE BROKEN... :A
  • About-Blank is a well-known problem which takes some removing. Get him to run a Hijack this scan and post it here and people will try to help removing it. If not, post the scan on any one of these sites:
    http://forum.misec.net/board/Trojans/1083505568

    http://www.cybertechhelp.com/forums/forumdisplay.php?f=25

    http://forum.tweakxp.com/forum/messages.aspx?ForumID=29

    http://www.webuser.co.uk/cgi-bin/forums/postlist.pl?Cat=&Board=hijackthis&page=11&view=collapsed&sb=5&o=93

    http://www.d-a-l.com/help/forumdisplay.php?f=8
    These will be sure to help.
    I'd rather be an Optimist and be proved wrong than a Pessimist and be proved right.
  • wirm
    wirm Posts: 5,273 Forumite
    This site will tell you exactly what the hijack log means and what should/shouldn't be there!

    link
  • loopy_lass
    loopy_lass Posts: 1,551 Forumite
    THANKS PEEPS.... will pass this on, and get back to you, much appreciated....

    i did offer to fix it for him but i guess i shall have to put the screwdriver, toffee hammer and black tape away then...

    ;-)

    loops
    THE CHAINS OF HABIT ARE TOO WEAK TO BE FELT UNTIL THEY ARE TOO STRONG TO BE BROKEN... :A
  • loopy_lass
    loopy_lass Posts: 1,551 Forumite
    Here is a copy of the hijackThis log file after using the link suggested by Wirm.

    It did find a number of suspect files and these were fixed, unfortunately the problem still exists.

    If anyone can see something in this log file that shouldn't be there or might be the cause of the problem, your help would be appreciated.

    Still think the screwdriver, hammer and tape is the best option.


    Logfile of HijackThis v1.98.2
    Scan saved at 09:57:09, on 11/01/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IRMON.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\S3TRAY.EXE
    C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
    C:\WINDOWS\SYSTEM\PWRTRAY.EXE
    C:\WINDOWS\SYSTEM\PSPCCARD.EXE
    C:\WINDOWS\SYSTEM\TESCKEY.EXE
    C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\WINDOWS\TEMP\Q.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\PROGRAM FILES\AOL 9.0A\AOLTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AOL 9.0A\WAOL.EXE
    C:\PROGRAM FILES\AOL 9.0A\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\UNZIPPED\HIJACKTHIS_198\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
    O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
    O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
    O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
    O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
    O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
    O4 - HKLM\..\Run: [Guardian] c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /su
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - HKLM\..\Run: [Q] C:\WINDOWS\TEMP\Q.EXE
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
    O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\RunDlI32.exe
    O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [Wlba] C:\WINDOWS\Profiles\Paul\Application Data\scoc.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [tkonnect] C:\PROGRAM FILES\TISCALI\TKONNECT\TKONNECT.EXE updatemode
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Startup: X0LEBHL.HWE
    O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
    O4 - User Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - User Startup: X0LEBHL.HWE
    O4 - User Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
    O4 - Global Startup: X0LEBHL.HWE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
    O9 - Extra button: Microsoft® JavaScript® Console - {70F34000-A531-11D8-A24D-8D788E014732} - C:\WINDOWS\SYSTEM\COMDLG32.OCX
    O9 - Extra 'Tools' menuitem: JavaScript Console - {70F34000-A531-11D8-A24D-8D788E014732} - C:\WINDOWS\SYSTEM\COMDLG32.OCX
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O18 - Filter: text/html - {119CAB60-586D-11D9-A24E-4445960C8EB0} - C:\WINDOWS\SYSTEM\HGPN.DLL
    O18 - Filter: text/plain - {119CAB60-586D-11D9-A24E-4445960C8EB0} - C:\WINDOWS\SYSTEM\HGPN.DLL
    THE CHAINS OF HABIT ARE TOO WEAK TO BE FELT UNTIL THEY ARE TOO STRONG TO BE BROKEN... :A
  • I suggest that you update to version 1.99 and post on one of the sites mentioned. There are a few about blank entries to remove as well as some other dodgy ones I wouldn't remove without expert help.
    Hijack this also needs to be in its own folder and not in unzipped or temp.
    I'd rather be an Optimist and be proved wrong than a Pessimist and be proved right.
  • 25 entries up from the bottom
    O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\RunDlI32.exe

    You have the Litmus Trojan.

    Google for "Litmus Trojan" and you'll find plenty of advice to remove it.

    Don't think that's your browser hijacker though - still reviewing the rest.  Download Ewido (freeware) , update it and do a full Trojan scan.

     8)

    TOG

    Edit:  Q.exe is another Trojan

    Edit 2:  about:blank is obviously a pain in the !!!!!! to remove.  Lots of suggestions for you to try here

    Edit 3: rundll32.vbe is the CoolWebSearch browser hijacker.

    Edit 4: The msmsgs.exe file is only correctly located in the c:\windows\System32 folder. In other folders msmsgs.exe is a virus, spyware, trojan or worm

    Edit 5: HGPN.dll looks like it might be a randomly named dll introduced by malware (unless you know which application it is associated with).

    The Shdocvw entry looks suspicious. It might be the Bofra.A worm.

    Looks like you got lots of cleaning up to do. Might be easier to just format and reinstall Windows fresh.
    604!
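The red flags picked out of the posted log in the reply above, written as a small triage script. This is an added example, not part of the original thread and not HijackThis's own logic; the function name `triage`, the `KNOWN` list of imitated Windows file names and the wording of the reasons are assumptions made for illustration.

```python
import re

# Constructed excerpt: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\Run: [Q] C:\WINDOWS\TEMP\Q.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\RunDlI32.exe
O18 - Filter: text/html - {119CAB60-586D-11D9-A24E-4445960C8EB0} - C:\WINDOWS\SYSTEM\HGPN.DLL
"""

# Assumption: a short illustrative list of Windows binaries that malware imitates.
KNOWN = {"rundll32.exe", "explorer.exe", "systray.exe", "kernel32.dll"}
SCRIPT_EXTS = {"vbe", "vbs", "js", "jse", "wsf"}
LOOKALIKE = str.maketrans("I10", "llo")   # capital I / digit 1 for l, zero for o
ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
FILE = re.compile(r'([^\\"]+?\.(exe|dll|vbe|vbs|js|jse|wsf))\b', re.I)

def triage(log_text):
    """Return [(line, [reasons])] for entries matching the thread's red flags."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue                      # header, process list, blank line
        code, body = m.groups()
        reasons = []
        if code in ("R0", "R1") and body.lower().endswith("= about:blank"):
            reasons.append("IE start/search page set to about:blank")
        if code == "O4":
            cmd = body.split("]", 1)[-1]  # text after the [value name]
            f = FILE.search(cmd)
            name, ext = (f.group(1), f.group(2).lower()) if f else ("", "")
            if "\\temp\\" in cmd.lower():
                reasons.append("autorun from a TEMP directory")
            if ext in SCRIPT_EXTS:
                reasons.append("autorun is a script, not an executable")
            if name.lower() not in KNOWN and name.translate(LOOKALIKE).lower() in KNOWN:
                reasons.append("file name imitates " + name.translate(LOOKALIKE).lower())
        if code == "O18" and "text/html" in body.lower():
            reasons.append("MIME filter on text/html; confirm which program owns the DLL")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings
```

Calling `triage()` on a full saved log returns only the entries worth a second look; a flagged line is a prompt to identify the file, not proof that it is malicious.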
This discussion has been closed.