conlie
1 Nickel

Internet Explorer has taken over my computer

The following problem came up all of a sudden. Running XP SP1 on Dell
4550 2.8 gig with 1024 ram, DSL thru WAP.
During boot and/or open any program. Hourglass cursor blinks
constantly, about once per second, lasting perhaps 5 minutes before program opens. Then all ok. Open another, same thing. Opened Task Manager during a wait. IExplorer shows
up in 2, sometimes 3 places in Processes listing. List changes with
each blink of cursor. Cannot pick and end a task. DSL activity light
blinks constantly. CPU usage is 60-80% until program loads then drops
back to normal. When normal, cursor stops blinking. Ran spyware
programs (2) and McAfee Virus Scan (I do both regularly) and nothing.
Same thing happens in Safe Mode when trying to run a program in cmd
window.
System Restored to earlier time. Starts ok. Open a program, back to
same problem.
Turned off modem. Tried again. There were more IExplorers in the
Processes list than I could count and growing. Had to unplug to stop.
Seems like something has gotten hold of my IE, doing something on the
internet, and releasing to me when done. It didn't like my turning off the
modem.
Appreciate any help.
Here is a HiJackThis log.
 
Logfile of HijackThis v1.99.0
Scan saved at 10:03:30 PM, on 12/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Joe\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1;http://localhost;
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497}
- (no file)
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3}
- (no file)
R3 - URLSearchHook: SrchHook Class -
{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink
TotalAccess\ElnIE.dll
O2 - BHO: EarthLink Popup Blocker -
{4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink
TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar -
{D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink
TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program
Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program
Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OzgfSrv32] C:\WINDOWS\ozgfsrv.exe
O4 - HKLM\..\Run: [MrcrSrv32] C:\WINDOWS\mrcrsrv.exe
O4 - HKLM\..\RunServices: [Norton Auto Protect] nava.exe
O4 - HKLM\..\RunServices: [Microsoft media] winmplayers.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI
Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink
TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program
Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk =
C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O4 - Global Startup: WinManager.lnk = C:\Program
Files\PC-TV\WinManager\WinManager.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
present
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} -
C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) -
file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) -
file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: Ati HotKey Poller - Unknown -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee.com McShield - Unknown -
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com
Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS - Intel Corporation -
C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: X10 Device Network Service - Unknown -
C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
 
0 Kudos
17 Replies
zbestwun2001
6 Gallium

Re: Internet Explorer has taken over my computer

What were you doing just recent to that happening?
Were you surfing?
Had you just downloaded or installed anything new?
Steve


It appears the techs that analyze the logs aren't online right now so just hang tight and they will get back to you.

 

Dell Forum Member Since 2004 but not an employee of Dell

If this answers your question, click
  Yes  

0 Kudos
Midnight Star
5 Rhenium

Re: Internet Explorer has taken over my computer

conlie,

There seems to be a lot of virus/ trojans 'nesting' on there...

-----

First, go to www.trendmicro.com and click "Free Online Scan". When it's down, select all available drives, then click "Scan".

-----

Next, are you running an anti-virus program and firewall other than windows ICF? Like ZoneAlarm, Sygate or Nortons?

-----

Post back the results of the scan with a new log.

Mike.
0 Kudos
conlie
1 Nickel

Re: Internet Explorer has taken over my computer

Guys, thanks for responding. Both my pc and I have been fighting a bug

of some kind. I'm better today but my pc is still under the weather.

I connect using Sprint DSL to earthlink.net through a wireless access

point, although about a month ago I connected direct to the modem

during a troubleshooting session with a Sprint tech. My trouble started

 a week ago. Connection there???

Ran TrendMicro which found and cleaned bkdr wilba.a, worm wilab.a, troj

agent.cw, bkdr wilb.a, and troj lowzones.x.

Ran the Symantec virus clean suggested in this forum. It found

downloader.trojan, w32.spybot.worm, and, in Restore files, w32.wilab.

Updated and ran McAfee VirusScan which found and cleaned

pws-banker.c.dll, pws-banker.c, downloader-mx, downloader-rv, and

w32/sdbot.worm.gen.h.

Turned off System Restore and rebooted. No Change. Slow boot. Slow

programs opening. Task Manager shows multiple IEXPLORER and 60-80% CPU

usage. WAP and DSL modem shows constant activity until eventually

settling down. Then ok to use a program.

Below is the latest HJT log. I note that Internet Explorer shows up 6

times in the Processes list. Significant???

Logfile of HijackThis v1.99.0
Scan saved at 9:29:46 AM, on 12/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee.com\Agent\McDash.exe
C:\PROGRA~1\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joe\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [GvkbSrv32] C:\WINDOWS\gvkbsrv.exe
O4 - HKLM\..\Run: [KbarSrv32] C:\WINDOWS\kbarsrv.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\RunServices: [Norton Auto Protect] nava.exe
O4 - HKLM\..\RunServices: [Microsoft media] winmplayers.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

0 Kudos
Midnight Star
5 Rhenium

Re: Internet Explorer has taken over my computer

conlie,
 
Let's start with this...
 
Reboot your computer into "Safe Mode"
 

 
From a command line, or "Start | Run...", run "services.msc", then locate and stop the following services:
 
[Norton Auto Protect] ...or... nava.exe
[Microsoft media] ...or... winmplayers.exe
 

 
Open the "Windows Task Manager", then 'end' the following processes, if present:
 
  • gvkbsrv.exe
  • kbarsrv.exe
  • nava.exe
  • winmplayers.exe
Be sure to refresh the list and make sure they're no longer running.
 

 
Run HiJackThis, then click "Config...", then "Misc Tools", then:
 
1) "Delete a file on reboot"
2) Browse to and double-click on the following (one at a time):
 
C:\WINDOWS\gvkbsrv.exe
C:\WINDOWS\kbarsrv.exe
nava.exe    <=== Look in c:\windows c:\windows\system : c:\windows\system32
winmplayers.exe   <=== Look in c:\windows c:\windows\system : c:\windows\system32
 
3) After double-clicking on each of the above file(s), when prompted to reboot, select "No".
 

 
In the lower-right hand of HiJackThis click "back", then click "Scan", then check(tick) the following, if present:
 
 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
 
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
 
O4 - HKLM\..\Run: [GvkbSrv32] C:\WINDOWS\gvkbsrv.exe
O4 - HKLM\..\Run: [KbarSrv32] C:\WINDOWS\kbarsrv.exe
O4 - HKLM\..\RunServices: [Norton Auto Protect] nava.exe
O4 - HKLM\..\RunServices: [Microsoft media] winmplayers.exe
 
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(If you didn't set this using something like Spybot's Immunize feature, then have hjt 'fix' it.)
 
Reboot your computer normally.
 

Post back a new log.

Mike.

0 Kudos
conlie
1 Nickel

Re: Internet Explorer has taken over my computer

Mike,

Thanks for all of your help. Great to have someone to work with. However, no change. After following your scenario to the letter, pc still slow to boot, programs slow opening (some). For instance, when creating the HJT log below, it took 20 minutes before things settled down. IEXPLORER in Task Manager Processes several places, CPU load 60-80%, modem constantly active. In fact, after the initial reboot following your plan, I had to cold reboot after 1 hour wait of partial boot that had 80 processes in Task Manager, 65 of which were IEXPLORER. After that cold reboot, it was back to where it has been since this trouble started. Here are some results from your suggested cleanup:

Safe Mode Reboot

1. Neither Norton (nava) nor Microsoft Media (winmplayers) appeared in “services.msc”

(Had to wait about 20 minutes for “services.msc” to load. Same multiple IEXPLORER, high CPU, active modem, even in Safe Mode)

2. None of the four listed programs ever appeared in Windows Task Manager.

3. HJT, “Delete on Reboot”, double-clicked on “gvkbsrv.exe” and “kbarsrv.exe”. “Nava.exe” and “winmplayers.exe” were nowhere to be found.

4. HJT, Scan, checked:

R1 – HKCU\Software\……..ProxyOverride=…………;

R3 – URLSearchHook, neither one found.

O4 – All four as listed.

O6 – Not found.

 

HJT Log after the above:

Logfile of HijackThis v1.99.0
Scan saved at 4:12:22 PM, on 12/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Documents and Settings\Joe\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
 
0 Kudos
Midnight Star
5 Rhenium

Re: Internet Explorer has taken over my computer

conlie,

I'm not quite sure with what's going on there, so let's take this one step at a time, and check some of that out as we go...



Run HiJackThis and click "Scan", then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(Unless you've set these with a anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)


Now, with all windows closed except HiJackThis, click "Fix checked".


Since the online scan found some problems, let's run it again and see what it tells us. Have you also tried running AdAware SE Personal and Spybot S&D yet? They may turn something up also.
 
Post back a new log, with the results of the online scan.
 
Mike.
 

Message Edited by Midnight Star on 12-21-2004 09:15 PM

0 Kudos
Highlighted
Midnight Star
5 Rhenium

Re: Internet Explorer has taken over my computer

conlie,

Also make sure your firewall blocks all the programs that were listed in my posts, along with anything else that looks 'suspicious'.

Mike.

 

0 Kudos
conlie
1 Nickel

Re: Internet Explorer has taken over my computer

Mike,

Did as you suggested with HJT. Found and clicked all four items.

Ran TrendMicro's Housecall which found and deleted "Troj Small.fl". Found it in c:\windows\nwrgryv.dll.

Ran Symantec's online virus check, followed by McAfee VirusScan. Neither found any viruses or trojans. McAfee identified two potentially unwanted programs, C:\Program Files\Earthlink 5.0\data1.cab and C:\Program Files\Earthlink 5.0\FastLane\ARProt32.dll.

I have both AdAware SE Personal and Spybot S&D 1.3. I run them regularly. Usually AdAware finds some insignificant cache items.

Below is the latest HJT log.

Logfile of HijackThis v1.99.0
Scan saved at 1:04:31 PM, on 12/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Joe\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

 

0 Kudos
Midnight Star
5 Rhenium

Re: Internet Explorer has taken over my computer

conlie,

Good work! That log looks clear to me.


I left this entry:

O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

I wasn't sure if your using the X10 camera software, or have it installed. If you don't want this, just have HiJackThis fix it.


 
Now to computer performance...
 
Is your computer still experiencing slow performance? If so, open the "Windows Task Manager", then click on the "performance" tab; how does the CPU Usage and PF Usage look? Max-ed out?
 
Mike.
 
0 Kudos