Help please
#1
Help please
Hi, I have a puter that is running very slow the last week. Screen freezes, I have porno ads on this screen as I am typing. Also, IE closes unexpectedly when I am using it.
I just bought a Dell 22 inch monitor and since then it has not been the same (not sure or think that is the problem). I am unable to run Malwarebytes; when I do, it gives me a blue screen and says Driver IRQL not less or equal. I have run CCleaner and did what was recommended. My AVG froze and was unable to finish the scan. Java upgraded. HijackThis file enclosed along with Smithfraud files. Thanks for your help.
#2
Boot to Safe Mode and try AVG and Malwarebytes again.
If that fails, pull the hd, slave it in another comp and run the scans on it.
#3
I will try the boot, but I don't have another puter to try also. Thanks
Last edited by ippymiss; 10-12-2008 at 09:20 AM.
#4
Please go to this website, paste your HijackThis logs to the area that is shown and follow the directions. You definitely have things going on that can be easily resolved and possibly help with your issue.
http://hjt.networktechs.com/parse.php
Good luck!
#5
The error above suggests that you have a hardware or device driver problem. You might have a faulty or incompatible hardware or software (driver). Could be the driver for your monitor. Try updating it from the device manager.
Instructions: Start > Run > devmgmt.msc > click on monitor and look to see if the hardware is in an error state (usually represented by a yellow exclamation). Update the driver by right clicking the device, then select "update driver".
#6
BA_55
Regarding automated parsing, please read this post. Give a response there and share your perspective. I think xxdanielxx is trying to get us all on the same page, so to speak.
Ippymiss
These should be deleted (imho). Use safe mode to delete the files.
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll
O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)
Consult your smithfraud log for o22 entry's filename. It would be great to get things working for Malwarebytes.
#7
Bill, I don't know you, but why would you want to send someone to another site to help with the HijackThis logs? Isn't that what we do here?
ippymiss, I've checked the current logs and will review them AFTER you run Malwarebytes and SuperAntispyware and post the logs. You will find the information in Part 4 and Part 5 here: http://www.techspot.com/vb/post645589-1.html
I do have two questions about things I saw in the log: there are numerous processes starting at boot for both 'iespell' and RoboForm. For instance, one iespell is for Wikipedia. Do you have to load the application separately for any site you may want to use it on the internet? If that is the case, you could get the Google Toolbar with the spell check for everything on the internet, with email not included!
As for RoboForm, can't you bring that up manually when you need the feature?
I'll go over the entire log you run again AFTER Malwarebytes and SuperAntispyware. In the meantime, please take this OUT of your trusted zone:
O15 - Trusted Zone: http://www.mycoupons.com
#8
I've checked my monitor in my device manager, and everything is good.
I booted to safe mode and completed a Malwarebytes scan, log included. safe mode for superantispy and my puter froze 3 on one file took me 3 attempts and 6 hours. I gave up....... the file is C:/program files/common files/microsoft shared/smart tag/FStock.DLL. I also included a HijackThis log. I will do what you all have asked me to and post back with more logs......Thanks !!!!!
I have taken that website off my trusted also. In my startup msconfig files I can't find the iespell or the roboform, I do not need either of these all the time. Actually I do not need any of these. I can take them off completely. I am going to find the files Fr66 asked me to delete, Thanks
Last edited by momok; 10-12-2008 at 04:29 PM.
#9
In safe mode I deleted one file only, it would not let me delete the O18 file. Filter Hijack.
I did another malware scan and posted the results. What now? I also deleted the programs that I did not use. Thanks
#10
Bobbye is the man on this problem. He has the depth to lead you.
While waiting, see what you can do to perform a deep scan using Malwarebytes. The quick scan seems stalled as far as keeping some re-infection from occurring.
HJT and Malwarebytes should be run in normal mode, not safe mode. Perhaps the freezes and errors were related to some of the malware that has been removed / weakened.
Re-post fresh logs (all 3) just as you would following the 8-step procedure.
Last edited by rf6647; 10-12-2008 at 05:19 PM. Reason: add malwarebytes to normal mode statement
#11
I've tried running deep scans but it keeps freezing on one file...... the Fstock.dll
Doesn't that file have to do with Office?? I don't even use Office anymore...lol I do NOT have any idea as to why?? it is doing that? Should I maybe? delete the dll file and download another one? I'm at a loss! Thanks, I will keep trying what you recommend
#12
one reference @ MS for Fstock dll
Buried on the page describing a work around.
It could be a disk error. CMD window > chkdsk /f > restart the computer
If not using Office, the Rename > Move trick should work. That is, rename the file. Use Explorer to move the file to the desktop or some temporary folder. This may delay the need to repair the installation of MS OFFICE. Delete file is an option, but the recycle bin will lose this file if emptied.
[edit] File delete uses Windows Explorer. HJT delete means check the box. o18 corrective action was meant to say "file delete". I believe you understood this. This is added as a precaution.
It appears this is a type of Smithfraud. Maybe a re-run of this remedy is needed. Normal mode / safe mode - whatever seems to work. [/edit]
Last edited by rf6647; 10-12-2008 at 07:58 PM. Reason: edit
#13
1. mbam-log-2008-10-12 (09-23-06).txt 10/12/2008 9:23:06 AM shows removal of Zlob, Hotbar and other adware and Trojans.
2. mbam-log-2008-10-12 (14-50-54).txt 10/12/2008 2:50:54 PM shows the same removal of Hotbar, adware and other Trojans, but no section for Zlob. It appears you may have posted the same log twice, leaving the 'Zlob' section off the second log.
3. You ran the first HijackThis in Safe mode: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:29:14, on 10/12/2008.
4. You posted the same HijackThis log again: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:29:14, on 10/12/2008
When we tell you to check specific items in a HijackThis log, following through with a reboot after all has been done, and tell you to scan with HijackThis again and post the log, that does NOT mean copy the previous log. The only way we can see if the removals have worked is by viewing the subsequent log.
Please see Part 5 here: http://www.techspot.com/vb/post645589-1.html for SuperAntispyware. Attach the log.
Make these changes if still on the log, run SuperAntispyware, THEN HijackThis again and post both logs. No need to do Mbam again:
Please reopen HijackThis and scan. Put a check next to the following processes:
Quote:
I am breaking the following entries out separately. All of these processes for the two programs shouldn't run from startup. If you don't want either program, check ALL the entries in each group: For RoboForms:
Quote:
Quote:
Quote:
Go to Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK everything except the AVG processes> Apply> OK
Control Panel> Add/Remove Programs> Uninstall iespell and RoboForm if you don't use them. Uninstall Comodo Security suite. Look for any other programs that are unused and uninstall them.
Start> Run> type in 'services.msc' without quotes> enter> look for Comodo Anti-Virus and Anti-Spyware Service> right click> Properties> change Startup type to Disabled> Apply> OK
Remove ALL from Trusted Zone- leave them in the internet zone- it's safer:
Quote:
Scan with HijackThis again and post a NEW log. Include the log from SuperAntispyware.
If you need a spell checker for the internet, I suggest the Google Toolbar. You don't have to enable all the available options, but it has a good spell checker and pop-up blocker: http://www.download.com/Google-Toolb...-10056938.html Use this version as v5 is a beta version- still testing.
We can add just the Comodo firewall to our system if wanted.
#14
I did attach a hijack this file. My AVG, found nothing but a few cookies that needed cleaned, and I could not even save a log file.
I am still running a bit slow and still do freeze, but not as much as I did. Anything else?? Thanks
#15
Note to Bobbye
This is some kind of booger
Quote:
MBAM detects & deletes "msiebbar.dll"
DelDomains.inf is invoked before running MBAM (Link to download file). There is no explanation. It's beyond me.
This is related to comodo. Is this broken and/or redundant AV-Firewall?
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Unknown owner - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe (file missing)
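As an added example (not part of any post in this thread, and not HijackThis's own code): a small Python triage script that sorts the entry lines quoted in this thread into registrations whose file is already gone ("(no file)" / "(file missing)") and files still to be checked on disk. The regular expressions are inferred from these five lines only and are an assumption about the log format in general.

```python
import re

# Entry lines copied from the posts in this thread (HijackThis v2.0.2 output).
SAMPLE_LOG = r"""
O15 - Trusted Zone: http://www.mycoupons.com
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Unknown owner - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe (file missing)
"""

# Patterns below are assumptions derived from the sample lines above.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys)\b", re.IGNORECASE)
ORPHAN = ("(no file)", "(file missing)")

def parse_entries(log_text):
    """Return one dict per recognisable entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        clsid = CLSID.search(rest)
        path = PATH.search(rest)
        entries.append({
            "code": m.group("code"),
            "kind": m.group("kind").strip(),
            "clsid": clsid.group(0).lower() if clsid else None,
            "path": path.group(0) if path else None,
            "orphan": any(tag in rest for tag in ORPHAN),
        })
    return entries

def triage(entries):
    """Split entries into leftover registrations and files still to inspect."""
    leftovers = [e for e in entries if e["orphan"]]
    to_inspect = [e for e in entries if e["path"] and not e["orphan"]]
    return leftovers, to_inspect

if __name__ == "__main__":
    leftovers, to_inspect = triage(parse_entries(SAMPLE_LOG))
    for e in leftovers:
        print("leftover registration:", e["code"], e["kind"], e["clsid"] or e["path"])
    for e in to_inspect:
        print("file to inspect:", e["code"], e["path"])
```

Entries in the first group have no file left to delete, so only the registration itself remains to be fixed in HijackThis; entries in the second group still name a file that a scanner or a manual check has to account for.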
#16
I have not run Comodo for ages. I uninstalled it totally a while ago.
HijackThis will not take off this file.........
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll
Do I still download the deldomains file you want, without taking off the other bad file? Thanks
Last edited by ippymiss; 10-15-2008 at 07:49 AM.
#17
Note to ippymiss
bobbye is driving this. My earlier post found evidence that MBAM removed msiebbar.dll . I am asking that bobbye use this information to direct us. That extra step/file had no explanation & may not help. I do not know.
Be specific. What other bad file?
#18
rf6647, thank you for catching this- I did overlook it:
Quote:
AFTER rerunning Malwarebytes: Scan with HijackThis again. Check the following:
Quote:
Right click on Start> Explore> Windows> go to Tools> Folder Options> View tab> CHECK 'show hidden files and folders'> Apply> OK>>> then click on System32 on the left> look on the right screen for msiebbar.dll. If you see the file there, do a right click> Delete. If you don't see it> click on dll cache> look on the right- same thing, right click> delete if found.
Go back into Folder Options and UNCHECK 'show hidden files and folders'> Apply> OK.
The Comodo entries have been removed. Make sure any Comodo program showing in Add/Remove Programs is also uninstalled- it can be done while in Safe Mode.
You still have extra entries for iespell. Decide if you need them- if not, have HijackThis fix.
Boot into Normal Mode> scan with HijackThis once more to see if the O18 entry has been handled. Attach the log.
#19
Thanks!
I ran HijackThis and found the O18 file.
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll
But it won't delete it. Saved the log.
Went to safe mode, did a search for the file in my System32 and my dll cache. NOPE, not there! I went back to my AVG antivirus, that file is in my Resident Shield Protection file, but then says it has been moved to my virus vault....... it's not there! And I can't get the files out of the resident shield and moved to anywhere else in AVG.
Comodo is not on the puter anymore. I did a search and found nothing. I think I took off all the iespell. AVG still found nothing.
I don't know what to do about this problem? HELP!! And Thanks!
#20
Your system should be running better without all the RoboForm and iespell entries. But this needs to be checked. On original log, AVG program shows. On latest log, it's missing:
On HJ1: Scan saved at 17:58:29, on 10/11/2008Scan Quote:
Quote:
As for the 018 entry: Quote:
Quote:
When you have finished, rerun HijackThis and post both logs. I would still encourage running SuperAntispyware and including that log also.



