Browser home-page hijack "system error #384"
#1
Posted 23 October 2005 - 03:29 PM
#2
Posted 28 October 2005 - 02:28 PM
#3
Posted 29 October 2005 - 04:21 AM
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Then please run Ewido, click on the Scanner run a full scan and let it clean everything it finds. Save the logfile from the scan.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#4
Posted 30 October 2005 - 05:06 AM
#5
Posted 30 October 2005 - 06:44 AM
I suggest you do this:
Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
O2 - BHO: C:\WINDOWS\Q3105925.DLL - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\Q3105925.DLL
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM\..\Run: [WindowsDebug] drwatson32.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\TOOL2.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: style32 - C:\WINDOWS\Q3105925.DLL
Close ALL windows and browsers except HijackThis and click "Fix checked"
Restart in Safe Mode:
Restart your computer.
Press the F8 key until the startup menu appears.
Choose the Safe Mode option then press Enter.
Search for and delete these files if listed:
C:\WINSTALL.EXE
C:\WINDOWS\Q3105925.DLL
C:\drwatson32.exe
C:\combop.exe
C:\WINDOWS\TOOL2.EXE
To configure Windows to show all files
Do the following:
In Windows, on the Windows desktop, double-click the My Computer icon.
On the Tools menu, click Folder Options.
On the View tab, uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.
Do this also if these Temp Folders are part of your OS.
Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Next navigate to the C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin
Reboot and "copy/paste" a new HijackThis log file into this thread.
Also please describe how your computer behaves at the moment.
#6
Posted 30 October 2005 - 09:57 AM
Thank you very much for your advice, I think it has definitely improved things. Below are some comments on difficulties I had in carrying out your instructions and a description of how the computer's behaviour has changed.
My McAfee is not up to date. This computer was a recent hand-me-down from my dad and I had not updated the anti-virus when it picked up this nasty. It's no excuse I know. Do you recommend staying with McAfee?
Thanks again, any more suggestions very gratefully received.
SimonT
*
COMMENTS ON CARRYING OUT INSTRUCTIONS
Instructions followed successfully with following exceptions:
1. The following lines did not appear in the HijackThis log I generated before doing 'fix checked'
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\TOOL2.EXE (***Note: I think Spybot S&D 1.4 got rid of tool2.exe)
2. Whilst in safe mode:
I found and removed:
C:\drwatson32.exe
I could not find:
C:\WINSTALL.EXE
C:\combop.exe
C:\WINDOWS\TOOL2.EXE (previously removed by SpybotSD1.4)
I found but could not delete:
C:\WINDOWS\Q3105925.DLL (it was 'being used by windows')
3. In folder C:\Windows\Temp, I could not delete 2 files
$_2341234.TMP 17KB
$_2341233.TMP 46KB
Message said "make sure disk is not full or write-protected and that the file is not currently in use"
4. Regarding "Next navigate to the C:\Documents and Settings\(EVERY LISTED USER)\.....delete the entire contents of the Temp folder."
- I could not find the C:\Documents and Settings folder. I am guessing it relates to a later version of windows. Also I could not find any obvious equivalent (in Windows 98SE) to the Temp folder mentioned in this instruction.
5. Regarding "Finally go to Control Panel > Internet Options....etc"
-initially I could not access this folder. I got the message box "Program not found. Windows cannot find drwatson32.exe. This program is needed for opening files of type 'Application'."
-as a result I restored this program to its original location from recycle bin and was then able to access internet options and carry out the instructions.
PC BEHAVIOUR AFTER REBOOTING
-Still get 'dial-up connection' box appearing as soon as windows desktop appears.
-browser use seems to be restored and back to normal speed.
-have been able to restore google as my homepage, no more of that horrible blue warning page '#384'
-I can now use google and other search engines again where before it was taking so long to bring up these web sites that I gave up
-I can now also use my favourites again where before nothing happened if I clicked on them.
-I still get the 'this application has performed an illegal operation and will be shut down' messages but much less frequently.
Logfile of HijackThis v1.99.1
Scan saved at 15:07:54, on 30/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\BTMODEMPROTECTION.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\MY DOCUMENTS\PC MAINTENANCE\PC HIJACK\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TVWatch] C:\WINDOWS\SYSTEM\TVWatch.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [BTModemProtection] BTModemProtection.lnk
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [WindowsDebug] drwatson32.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\SYSTEM\ibm00007.exe"
O4 - Startup: AOL 6.0 Tray Icon.pif = C:\DOS801.EXE
O4 - Startup: Mount Safe & Sound Volumes.lnk = C:\Program Files\McAfee\McAfee Shared Components\Safe & Sound\fbmount.exe
O4 - User Startup: AOL 6.0 Tray Icon.pif = C:\DOS801.EXE
O4 - User Startup: Mount Safe & Sound Volumes.lnk = C:\Program Files\McAfee\McAfee Shared Components\Safe & Sound\fbmount.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\Q3105925.DLL
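The log lines above follow a fixed HijackThis layout, and the helpers in this thread act on a few recognisable patterns in them: an Internet Explorer Start/Default/Local Page pointing at a local file instead of a URL, O4 autoruns that are a bare filename or sit in the root of C:\, and a Winlogon Notify DLL that lives outside the system directory. The triage script below is an added example, not code from the thread or from HijackThis itself; it parses those R0/R1, O4 and O20 line formats and lists the lines worth a closer look, using a constructed sample modelled on the logs posted here.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
the original thread). Flags are review prompts, not verdicts: a bare-filename
autorun can be a legitimate Windows component as easily as a dropped file."""
import re

# Constructed sample, modelled on the lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [WindowsDebug] drwatson32.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: style32 - C:\WINDOWS\Q3105925.DLL
"""

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<target>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<subkey>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")


def executable_of(cmd):
    """Return the program part of an autorun command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|pif|lnk))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_line(line):
    """Return the reasons a single log line deserves attention ([] if none)."""
    reasons = []
    m = R_LINE.match(line)
    if m:
        target = m.group("target").strip()
        if re.match(r"^[A-Za-z]:\\", target):    # a home page should be a URL, not a file
            reasons.append(f"IE {m.group('value').strip()} points at a local file: {target}")
        return reasons
    m = O4_LINE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        if "\\" not in exe:                      # no path at all: resolved via PATH/system dirs
            reasons.append(f"autorun [{m.group('name')}] is a bare filename ({exe}); origin unclear")
        elif re.match(r"^[A-Za-z]:\\[^\\]+$", exe):
            reasons.append(f"autorun [{m.group('name')}] runs from the drive root: {exe}")
        return reasons
    m = O20_LINE.match(line)
    if m:
        dll = m.group("dll").strip()
        if "\\SYSTEM" not in dll.upper():        # Win9x keeps its own DLLs under WINDOWS\SYSTEM
            reasons.append(f"Winlogon Notify '{m.group('name')}' loads a DLL outside the system dir: {dll}")
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons, skipping lines with none."""
    findings = {}
    for line in text.strip().splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line, "\n   -> ", "; ".join(reasons))
```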
#7
Posted 30 October 2005 - 10:38 AM
Press the F8 key until the startup menu appears.
Choose the Safe Mode option then press Enter.
I suggest you do this:
Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
O4 - HKLM\..\Run: [WindowsDebug] drwatson32.exe
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\SYSTEM\ibm00007.exe"
Close ALL windows and browsers except HijackThis and click "Fix checked"
Delete these if listed.
C:\WINDOWS\SYSTEM\ibm00007.exe
Empty Recycle Bin
Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.
My McAfee is not up to date. This computer was a recent hand-me-down from my dad and I had not updated the anti-virus
I have a free Anti-Virus program I can give you a link to if you can't update McAfee.
#8
Posted 30 October 2005 - 03:34 PM
Thanks for your latest post. I can get McAfee. Instructions followed apart from exceptions below.
Regards, SimonT
COMMENTS ON FOLLOWING INSTRUCTIONS
1. O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\SYSTEM\ibm00007.exe"
-this did not appear instead the same line contained the filename ibm00009.exe. Perhaps wrongly, I fixed this instead.
2. O4 - HKLM\..\Run: [WindowsDebug] drwatson32.exe
-fixed this but it seems to reappear on re-booting.
3. Delete these if listed.
C:\WINDOWS\SYSTEM\ibm00007.exe
-I located ibm00009.exe as there was no ibm00007.exe in C:\windows\system. Deleted ibm00009.exe.
BEHAVIOUR
-no change noticed in computer behaviour from previous post
-when rebooted got message "ibm00009.exe. Cannot find the file ‘ibm00009.exe’(or one of its components). Make sure the path and filename are correct and that all required libraries are available. OK button." I clicked ok and have not noticed any new problems with computer.
Logfile of HijackThis v1.99.1
Scan saved at 21:06:06, on 30/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\BTMODEMPROTECTION.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\PC MAINTENANCE\PC HIJACK\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TVWatch] C:\WINDOWS\SYSTEM\TVWatch.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [BTModemProtection] BTModemProtection.lnk
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [WindowsDebug] drwatson32.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - Startup: AOL 6.0 Tray Icon.pif = C:\DOS801.EXE
O4 - Startup: Mount Safe & Sound Volumes.lnk = C:\Program Files\McAfee\McAfee Shared Components\Safe & Sound\fbmount.exe
O4 - User Startup: AOL 6.0 Tray Icon.pif = C:\DOS801.EXE
O4 - User Startup: Mount Safe & Sound Volumes.lnk = C:\Program Files\McAfee\McAfee Shared Components\Safe & Sound\fbmount.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\Q3105925.DLL
#9
Posted 30 October 2005 - 04:04 PM
Trojan.Dremn is a Trojan horse program that attempts to log keystrokes and steal information. The Trojan may arrive on a compromised computer as a Microsoft Word document with a password protected macro.
Do you use the computer for any financial transactions or any other important information?
Close all windows and browsers.
Open HijackThis
Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINDOWS\Q3105925.DLL
Do the same for these if found.
C:\WINDOWS\syscache\DrWatson32.exe
C:\WINDOWS\syscache\DrvWtsn32.dll
Click on the Back button to exit Process Manager
Now, back at the main screen of HijackThis, proceed to Scan.
and put a check by these.
O4 - HKLM\..\Run: [WindowsDebug] drwatson32.exe
O20 - Winlogon Notify: style32 - C:\WINDOWS\Q3105925.DLL
Close ALL windows and browsers except HijackThis and click "Fix checked"
Also look in C:\windows\system and delete all files like this ibm0000.exe.
Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL
Download Registrar Lite from here:
http://www.resplende...oad/reglite.exe
Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.
Copy and paste the follow text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In the pane on the right are the values associated with that key.
In the right pane, delete any of the following values:
"[default]" = "[original folder]\DrWatson32.exe"
"[default]" = "C:\WINDOWS\syscache\DrWatson32.exe"
Right click on it, and select delete.
Navigate to and delete the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Perams\1
If you get a confirmation question, respond OK then close out the program.
Empty Recycle Bin
Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.
Can you also do a search for these and tell me where you find them
dllcache
drivercache
Edited by LDTate, 30 October 2005 - 04:19 PM.
#10
Posted 02 November 2005 - 03:54 PM
#11
Posted 02 November 2005 - 04:11 PM
Restart your computer in Safe Mode.
Press the F8 key until the startup menu appears.
Choose the Command Prompt option then press Enter.
Go into DOS, and run scanreg /restore (note the space). It will prompt you for your choice of registry to restore. Pick a date of a registry that used to work properly. Then you'll be prompted to reboot. It's very simple.
Edited by LDTate, 02 November 2005 - 04:13 PM.
#12
Posted 03 November 2005 - 04:12 PM
#13
Posted 03 November 2005 - 04:20 PM
#14
Posted 03 November 2005 - 04:28 PM
#15
Posted 03 November 2005 - 04:49 PM