HijackThis log on WindowsME, no Windows Update

the last virus scan said winshow infection I have not been able to find any of the running process or files the removal said to delete
'HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{6cc1c918-ae8b-4373-a5b4-28ba1851e39a}' and
'HKEY_LOCAL_MACHINE\software\classes\clsid\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}'

I don't have those but have:

'HKEY_CLASSES_ROOT\software\microsoft\internet explorer\activeX compatibility\{6cc1c918-ae8b-4373-a5b4-28ba1851e39a}'
and

'HKEY_CLASSES_ROOT\software\microsoft\internet explorer\activeX compatibility\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}'

also now can't find iexplore.exe

 

Hi shammie

Honestly, deleting the HJT folder wouldn't have caused this problem, and although deleting the Downloaded Program Files folder is a bit more serious, I don't believe that would have caused this type of problem either. What I believe, is that one or more of the many viruses on the machine has done alot of damage to the system, and the best thing to do is try to make backups of important data that the owner would want to keep, and reinstall the Operating System. Do you have the Windows ME cd? A clean install would be best, but if you want to just try a Windows reinstall, it may be worth a shot and might keep all the data intact also. If you need help with the how-to's, let us know.

 

I don't have ME disk. Any help with any kind of reinstall would be helpful. also are the 2 Hkey lines ok or do they need to be deleted.
Thanks

 

Didn't find any info on the keys you listed, so must assume they are OK. Check the ones shown here.

 

In the absence of the ME cd, try running a thorough scandisk in safe mode.

 

The cws infection you had can delete SpyBots bad download blocker (sdhelper), change the location of the hosts file and change Internet security settings and on rare occasion's corrupt control panel and i think shell.dll.

Perhaps before doing your update we should make sure everything is in working order, and stays that way for a week or so.

Please once more describe all the problems you have noticed and a new hijackthis log.

 

lonny, I can't change sercurity settings as there a none there. Unable to open any files in normal mode can open internet explorer but unable to go on net when i typed www.yahoo.com adress bar had htpp:///?%20www.yahoo.com then a message "your current setting prohibit running active x contols..." when I go to tools-internet options i get this message "This operation has been cancelled due to restrictions in effect on this computer. Please contact system adminstrator." Here is a hijack log(this is typed as i can't connect to internet on infected computer)

R0-HKCU\software\microsoft\internet explorer\main,start page =
R0-HKLM\software\microsoft\internet explorer\main,start page =
R0-HKLM\software\microsoft\internet explorer\search,customizesearch =
R0-HKCU\software\microsoft\internet explorer\main,local page =
R0-HKLM\software\microsoft\internet explorer\main,local page =
R0-HKCU\software\microsoft\internet explorer\toolbar,linksfoldername =
R3-default url searchhook is missing
03-toolbar: @msdxmLC.dll,-1@1033,&Radio-{8E718888-423F-11D2-876E- 00A0C9082467}-C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)


Using ctrl+alt+delete in normal mode the following are running:
explorer
systray
prinstray

one of the last things i did when i thouhgt system was clean was to add spywareblaster should I try deleting it?

Thank you

 

We need to see the entire log

In this post
http://www.windowsbbs.com/showpost.php?p=183712&postcount=9

did Rav actualy delete those files or did it say unable to clean/fix ?
sounds as if it did.

For this problem htpp:///?%20www
download and merge this registry file, I will attach it and add an entry to restore the run for scanregw , once its downloaded righclick rename
change it from iefix.txt to iefix.Reg then doubleclick it, and answer yes. you should get a succeed message did you ?

Then restart the PC go start run and type in
scanreg /fix
it will prompt you to restart the PC, do so.

Next >control panel addremove programs find microsoft inernet explorer and tools , start the uninstall >choose repair
write down any errors for us.

In control panel internet options>security Highlight each zone one at a time >click default level, OK and ok again.

were you able to run scandisk as Dave suggested ?


Finaly post another log

 

I forgot to add. also wait for Daves Imput.

 

Looks like a plan. Give it a try.

 

I can not connect to the web on that computer, I saved iefix to disk and inserted it says "cannot import A:\iefix.reg: error acceessing the registry." can I do it manually? or how about in dos mode?

Ok i copied file to computer but it will not copy to registry.

I figured out why can't open HKEY_current_User when i tried with out those entries it mergered fine.

 

I finally got the system restore function to work. Now when I try to go to internet explorer>tools>internet opitions I get this message "This operation has been cancelled due to the restrictions in effect on this computer. Please contact your system administrator." Under task bar and start menu properties there is a check by display logoff, but no logoff on start button.
Any ideas? Thanks

 

Did you use system restore ?

Get to internet options from control panel

Post a new log

 

When in normal mode I go to control panel nothing is visable show that there are 37 objects I have show all files checked. Also could the parental controls have been changed to cause this? Thanks Here is new hijack log:

Logfile of HijackThis v1.98.2
Scan saved at 8:53:05 AM, on 9/9/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE "
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL

 

It helps us if you answer all questions

Is norton uninstalled, if not and even if so download a free av program disconnect uninstall norton reboot then install the new program. go online and check for updates from within the progy disconnect from the internet and do a full system scan. In safe mode if it has problems fixing anything.

 

sorry, yes is used system restore. Norton has been unistalled. I'm unable to connect the computer to the internet, I do have norton disk should I re-install?

 

Something has placed restrictions on you, and you will find it difficult to change as Regedit has been disabled, and you do still have the Iefix.Reg file?. Copy this file to C:\. Boot the computer with a ME boot floppy, and do this command at the A:\> prompt:
c:\windows\regedit c:\iefix.reg
You will get a confirmation it was successful, take out floppy and reboot.

 

Thank you. I do have regfix file. I think I stumbled accross the problem, because I now have it on my computer . My friend was running internet explorer 5.05 never could get to update. I kept noticing and trying to delete a folder named "content.ie5" but it kept coming back. I plugged my modem into bad computer to see if I had internet connection, then plugged back into my computer, tried to go to internet options and now i get the message "this operation has been cancelled due to restrictions placed on this computer... ". I can not delete this file! It is under Temporary Internet Files it has 5 sub folders and a total of 239 files. I have run av & etrust anti virus they found nothing. I run windows 98 & internet explorer 6.0.2800 Please help. Thank you very much

 

I'm sorry for being such a pain in the butt. Here is the problem, something has caused(placed) a restriction. If I go in internet explorer to tools>internet options I get "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." But if I go to control panel internet options I can delete files, cookies, clear history, ect. Can this be switched back. also recycle bin is empty when opened but looks like it has trash on desk top. Thank you I really appreciate all the time and effort your guys have put forth to help me.

 

shammie

Usualy that restriction would show in a hijackthis log, it didnt though.

spyware can put it there, or if you told spybot to do it.
BUT most people can still get to internet option's through control panel
try this, start run
Control.exe inetcpl.cpl
Hit ok or enter

Or use "UnlockNoBrowserOptions.reg" from here
http://www.mvps.org/winhelp2002/unwanted.htm


PS do not delete "content.ie5" and those sub folder's