Help please

Status
Not open for further replies.

ippymiss

Hi, I have a puter that is running very slow the last week. Screen freezes, I have porno ads on this screen as I am typing. Also, IE closes unexpectedly when I am using it.

I just bought a dell 22 inch monitor and since then it has not been the same (not sure or think that is the problem).

I am unable to run Malwarebytes; when I do, it gives me a blue screen and says
Driver IRQL not less or equal

I have run CCleaner and did what was recommended.

My AVG froze and unable to finish the scan.
Java upgraded

Hijack file enclosed along with

SmitFraud files

Thanks for your help.
 

Attachments

  • hijackthis.log
    10.2 KB · Views: 8
  • rapport.txt
    1.9 KB · Views: 6
Boot to Safe Mode and try AVG and malwarebytes again.

If that fails, pull the hd, slave it in another comp and run the scans on it.
 
The error above suggests that you have a hardware or device driver problem. You might have a faulty or incompatible hardware or software (driver). Could be the driver for your monitor. Try updating it from the device manager.
Instructions:
Start > run > devmgmt.msc > click on monitor

Look to see if the hardware is in an error state (usually represented by a yellow exclamation).
Update the driver by right clicking the device then select "update driver".
 
BA_55
Regarding automated parsing, please read this post
Give a response there and share your perspective. I think xxdanielxx is trying to get us all on the same page, so to speak.

Ippymiss
These should be deleted (imho). Use safe mode to delete the files.
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll

O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)

Consult your SmitFraud log for o22 entry's filename.

It would be great to get things working for Malwarebytes.
 
Bill, I don't know you, but why would you want to send someone to another site to help with the HijackThis logs? Isn't that what we do here?

ippymiss, I've checked the current logs and will review them AFTER you run Malwarebytes and SuperAntispyware and post the logs. You will find the information in Part 4 and Part 5 here:
https://www.techspot.com/vb/post645589-1.html
I do have two questions about things I saw in the log: there are numerous processes starting at boot for both 'iespell' and RoboForm. For instance, one iespell is for Wikipedia. Do you have to load the application separately for any site you may want to use it on the internet? If that is the case, you could get the Google Toolbar with the spell check for everything on the internet, with email not included!

As for RoboForm, can't you bring that up manually when you need the feature? I'll go over the entire log you run again AFTER Malwarebytes and Superantispyware.

In the meantime, please take this OUT of your trusted zone:
O15 - Trusted Zone: http://www.mycoupons.com
 
I've checked my monitor in my device manager, and everything is good.
I booted to safe mode and completed a malwarebytes scan, log included.
Safe mode for superantispy and my puter froze 3 on one file took me 3 attempts and 6 hours. I gave up.......
the file is
C:/program files/common files/microsoft shared/smart tag/FStock.DLL.

I also included a hijackthis log.

I will do what you all have asked me to and post back with more logs......Thanks !!!!!

I have taken that website off my trusted also. In my startup msconfig files I can't find the iespell or the roboform. I do not need either of these all the time. Actually I do not need any of these. I can take them off completely.
I am going to find the files Fr66 asked me to delete, Thanks
 
In safe mode I deleted one file only, it would not let me delete the 018 file. Filter Hijack.

I did another malware scan and posted the results. What now? I also deleted the programs that I did not use. Thanks
 
Bobbye is the man on this problem. He has the depth to lead you.

While waiting, see what you can do to perform a deep scan using malwarebytes.

The quick scan seems stalled as far as keeping some re-infection from occurring.

HJT and malwarebytes should be run in normal mode, not safe mode. Perhaps the freezes and errors were related to some of the malware that has been removed / weakened.

Re-post fresh logs (all 3) just as you would following the 8-step procedure.
 
I've tried running deep scans but it keeps freezing on one file...... the Fstock.dll
Doesn't that file have to do with Office?? I don't even use office anymore...lol

I do NOT have any idea as to why?? it is doing that?

Should I maybe?
delete the dll file and download another one?

I'm at a loss!
Thanks
I will keep trying what you recommend
 
one reference @ MS for Fstock dll
Buried on the page describing a work around.

It could be a disk error. CMD window > chkdsk /f > restart the computer

If not using Office, the Rename > Move trick should work. That is rename the file. Use Explorer to move the file to the desktop or some temporary folder. This may delay the need to repair the installation of MS OFFICE.

Delete file is an option, but the recycle bin will lose this file if emptied.

[edit]
File delete uses Windows Explorer. HJT delete means check the box.
o18 corrective action was meant to say "file delete"
I believe you understood this. This is added as a precaution.
It appears this is a type of SmitFraud. Maybe a re-run of this remedy is needed. Normal mode / safe mode - whatever seems to work.
[/edit]
 
1. mbam-log-2008-10-12 (09-23-06).txt 10/12/2008 9:23:06 AM shows removal of Zlob, Hotbar and other adware and Trojans.
2. mbam-log-2008-10-12 (14-50-54).txt 10/12/2008 2:50:54 PM shows the same removal of Hotbar, adware and other Trojans, but no section for Zlob.
It appears you may have posted the same log twice, leaving the 'Zlob' section off the second log.
3. You ran the first HijackThis in Safe mode: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:14, on 10/12/2008.
4. You posted the same HijackThis log again: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:14, on 10/12/2008

When we tell you to check specific items in a HijackThis log, following through with a reboot after all has been done, and tell you to scan with HijackThis again and post the log, that does NOT mean copy the previous log. The only way we can see if the removals have worked is by viewing the subsequent log.

Please see Part 5 here: https://www.techspot.com/vb/post645589-1.html For SuperAntispyware. Attach the log.

Make these changes if still on the log, run SuperAntispyware, THEN HijackThis again and post both logs. No need to do Mbam again:

Please reopen HijackThis and scan. Put a check next to the following processes:
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Unknown owner - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe (file missing)
NOTE: The entry for 'monln.dll' is for the Comodo AntiVirus. You are running AVG v8 which has AV+AntiSpyware. You should only run one AV program. The last entry for 'dikage' is from Zlob Trojan that infects you with the VirusHeat rogue anti-spyware program.

I am breaking the following entries out separately. All of these processes for the two programs shouldn't run from startup. If you don't want either program, check ALL the entries in each group:
For RoboForms:
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

NOTE: If you decide to keep RoboForm and start it manually when you need it, remove all the entries above. When you boot into Safe Mode below, open the RoboForm program and disable any of its startups.
For iespell:
O8 -
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
When through, close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Go to Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK everything except the AVG processes> Apply> OK
Control Panel> Add/Remove Programs> Uninstall iespell and RoboForm if you don't use them. Uninstall Comodo Security suite. Look for any other programs that are unused and uninstall them.
Start> Run> type in 'services.msc' without quotes> enter> look for Comodo Anti-Virus and Anti-Spyware Service> right click> Properties> change Startup type to Disabled> Apply> OK

Remove ALL from Trusted Zone- leave them in the internet zone- it's safer:
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: .att.net
O15 - Trusted Zone: http://www.mycoupons.com
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: .sbcglobal.net

Reboot into Normal Mode> You will get a nag message that you can ignore after checking 'don't show this message again'. Stay in Selective Startup.

Scan with HijackThis again and post a NEW log. Include the log from SuperAntispyware.

If you need a spell checker for the internet, I suggest the Google Toolbar. You don't have to enable all the available options, but it has a good spell checker and pop-up blocker:
http://www.download.com/Google-Toolbar-for-IE/3000-12777_4-10056938.html

Use this version as v5 is a beta version- still testing. We can add just the Comodo firewall to our system if wanted.
 
I did attach a hijack this file. My AVG, found nothing but a few cookies that needed cleaned, and I could not even save a log file.

I am still running a bit slow and still do freeze, but not as much as I did. Anything else?? Thanks
 
Note to Bobbye

This is some kind of booger
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} – C:\WINDOWS\system32\msiebbar.dll
Research @ whatthetech viewing topic
MBAM detects & deletes "msiebbar.dll"
DelDomains.inf is invoked before running MBAM (Link to download file)

There is no explanation. It's beyond me.

This is related to comodo. Is this broken and/or redundant AV-Firewall?
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Unknown owner - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe (file missing)
 
I have not run comodo for ages. I uninstalled it totally awhile ago.
HiJack will not take off this file.........

O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} – C:\WINDOWS\system32\msiebbar.dll


Do I still download the deldomains file you want , without taking off the other bad file? Thanks
 
Note to ippymiss

bobbye is driving this. My earlier post found evidence that MBAM removed msiebbar.dll . I am asking that bobbye use this information to direct us. That extra step/file had no explanation & may not help. I do not know.

Be specific. What other bad file?
 
rf6647, thank you for catching this- I did overlook it:
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll
I checked the mbam log and it does not show removing this CLSID. Please scan with Malwarebytes again and see if it picks up the msiebbar.dll. I can't ID the CLSID- only info is 'Generic Downloader' so it makes specific removal impossible.

AFTER rerunning Malwarebytes:
Scan with HijackThis again. Check the following:
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe mode:
Right click on Start> Explore> Windows> go to Tools> Folder Options> View tab> CHECK 'show hidden files and folders'> Apply> OK>>> then click on System32 on the left> look on the right screen for msiebbar.dll. If you see the file there, do a right click> Delete.

If you don't see it> click on dll cache> look on the right- same thing, right click> delete if found.
Go back into Folder Options and UNCHECK 'show hidden files and folders'> Apply> OK.

The Comodo entries have been removed. Make sure any Comodo program showing in Add/Remove Programs is also uninstalled- it can be done while in Safe Mode. You still have extra entries for iespell. Decide if you need them- if not, have HijackThis fix.

Boot into Normal Mode> scan with HijackThis once more to see if the 018 entry has been handled. Attach the log.
 
Thanks!
I ran Hijack and found the 018 file.

O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll


But it won't delete it. Saved the log.
Went to safe mode, did a search for the file in my System32 and my dll cache. NOPE not there!
I went back to my AVG antivirus, that file is in my Resident shield Protection file, but then says it has been moved to my virus vault....... it's not there! And I can't get the files out of the resident shield and moved to anywhere else in AVG.

Comodo is not on the puter anymore. I did a search and found nothing. I think I took off all the iespell. AVG still found nothing.

I don't know what to do about this problem. HELP!! And Thanks!
 
Your system should be running better without all the RoboForm and iespell entries. But this needs to be checked. On original log, AVG program shows. On latest log, it's missing:

On HJ1: Scan saved at 17:58:29, on 10/11/2008
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
On last: saved at 17:51:17, on 10/15/2008
Does not show AVG program
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
The auto-loading 04 entry is still there as well as the two 023 Services, but the program is missing from the programs list. Please check the status of that.

As for the 018 entry:
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll
I have to assume it's malware. The CLSID is not identifiable and this is strange either way- bad or good. Since you've used Malwarebytes, the remaining suggestion is:

Download the following free removal program: SmitFraudFix: Please scroll down to this:
Removal Instructions:
1. Print out these instructions as we will need to close every window that is open later in the fix.
2. Download SmitfraudFix.exe from here and save it to your desktop:
follow download and screen shots here:
http://www.bleepingcomputer.com/forums/topic17258.html
Follow the instructions exactly. Screen shots will help you through.

When you have finished, rerun HijackThis and post both logs. I would still encourage running SuperAntispyware and including that log also.
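
Added example, not part of any post in this thread: a small Python check for the two log comparisons made above, namely a re-posted log with an identical 'Scan saved at' stamp and O23 services whose executables are absent from the running-process list. The sample logs are constructed from lines quoted in the thread, and the function names are this example's own.

```python
import re

# Constructed sample logs, assembled from lines quoted in the thread
# (not the poster's real attachments; the Explorer.EXE line is made up).
LOG_OCT11 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:58:29, on 10/11/2008
Running processes:
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""
LOG_OCT15 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:51:17, on 10/15/2008
Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")

def parse_hjt(text):
    """Split a HijackThis log into scan timestamp, process list and entries."""
    log = {"saved": None, "processes": set(), "entries": []}
    in_procs = False
    for line in (raw.strip() for raw in text.splitlines()):
        entry = ENTRY.match(line)
        if line.startswith("Scan saved at "):
            log["saved"] = line[len("Scan saved at "):]
        elif line == "Running processes:":
            in_procs = True
        elif entry or not line:
            in_procs = False  # process list ends at a blank line or first entry
            if entry:
                log["entries"].append(entry.groups())
        elif in_procs:
            log["processes"].add(line.lower())
    return log

def services_not_running(log):
    """O23 service binaries that are absent from the running-process list."""
    missing = []
    for code, rest in log["entries"]:
        if code == "O23":
            path = re.sub(r"\s*\(file missing\)$", "", rest.rsplit(" - ", 1)[-1])
            if path.lower() not in log["processes"]:
                missing.append(path)
    return missing

def same_scan(a, b):
    """True when two posted logs carry the same 'Scan saved at' stamp."""
    return a["saved"] is not None and a["saved"] == b["saved"]
```

A service that is set to manual or disabled will also show up in `services_not_running`, so a hit is a prompt to check the program's status, not proof that it was tampered with.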
 
I still have AVG, and ran it this morning. I do not know why it is not on the list. I have also run and do use SmitfraudFix faithful almost every month, but I will run it again and also hijack along with superantispy, and post logs.

Thanks !

AVG works fine, did all scans and here's the logs............ IE still closes on its own, at times, but the system seems to be running better. I do not know about that msiebbar.dll. Can't seem to get rid of it.

Thanks
 
Have you copied off all the stuff you value to a CD or drive or something?


If you haven't, do so.


Then re-install.

This has gone on long enough!

:)
 
ippymiss, your original problem was:
Hi, I have a puter that is running very slow the last week. Screen freezes, I have porno ads on this screen as I am typing. Also, IE closes unexpectedly when I am using it.

What is the status on that please? We've done a lot of cleaning- I hate to lose it all.
 
Puter is running faster than it was, the porno is gone. IE still closes at times but not as much. I would really hate to re-install if I really do not have to. I may give it more time and see what happens. What we have done has helped more than you know!

I uninstalled foxfire and may reload and see how that does now. Should I upgrade IE to 7? anything else I may try to do?? Thanks for all your help!!
 
IE still closes at times but not as much.
When this happens, note the time on the computer clock, then do this:
Control Panel> Administrative Tools> Event Viewer> click on Applications first to open the log> look for Error(s) that corresponds to time of IE crash> right click on Error> Properties> click on the Copy icon, top right, below the down arrow> Paste here (Ctrl V)

Do the same thing with the Systems log. NOTE: Ignore Warnings and Information Events. IF you have a recurring Error with same ID#, same Source and same Description, I only need one copy. You do not need to include the lines of code in the box below the Description, if any.

FYI: The Event Viewer documents (logs) everything that happens in the computer. It divides the logs into Events for the System itself, Events specifically regarding Applications, and Security Audits checking the status of the system at that time. It includes documentation about the normal every day happenings in "Information Events." It logs a temporary problem as a Warning. If a Warning doesn't resolve itself, or if something happens to prevent a function or cause it to fail in the computer, it will show as an Error. By checking for these, we can often troubleshoot the cause of a problem and find the resolution.

I uninstalled foxfire and may reload and see how that does now.
The browser is Firefox. I encourage you to try it. I've been using it for 4 years- rarely use IE.

Should I upgrade IE to 7
Not at this time. You need to get a stable system. IE7 doesn't solve those problems.
 