Help please

By ippymiss · 25 replies
Oct 11, 2008
  1. Hi, I have a puter that is running very slow the last week. Screen freezes, I have porno ads on this screen as I am typing. Also, IE closes unexpectedly when I am using it.

    I just bought a dell 22 inch monitor and since then it has not been the same. (not sure or think that is the problem.)

    I am unable to run Malwarebytes; when I do, it gives me a blue screen and says
    Driver IRQL not less or equal

    I have run CCleaner and did what was recommended.

    My AVG froze and unable to finish the scan.
    Java upgraded

    HijackThis file enclosed along with

    SmitFraud files

    Thanks for your help.


  2. CCT

    CCT TS Evangelist Posts: 2,653   +6

    Boot to Safe Mode and try AVG and Malwarebytes again.

    If that fails, pull the hd, slave it in another comp and run the scans on it.
  3. ippymiss

    ippymiss TS Rookie Topic Starter

    I will try the boot, but I don't have another puter to try also. Thanks
  4. BillAllen55

    BillAllen55 TS Maniac Posts: 368

    Please go to this website, paste your HijackThis logs to the area that is shown and follow the directions. - You definitely have things going on that can be easily resolved and possibly help with your issue. Good luck!
  5. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    The error above suggests that you have a hardware or device driver problem. You might have a faulty or incompatible hardware or software (driver). Could be the driver for your monitor. Try updating it from the Device Manager.
    Start > run > devmgmt.msc > click on monitor

    Look to see if the hardware is in an error state (usually represented by a yellow exclamation).
    Update the driver by right clicking the device then select "update driver".
  6. rf6647

    rf6647 TS Maniac Posts: 829

    Regarding automated parsing, please read this post
    Give a response there and share your perspective. I think xxdanielxx is trying to get us all on the same page, so to speak.

    These should be deleted (imho). Use safe mode to delete the files.
    O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll

    O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)

    Consult your SmitFraud log for o22 entry's filename.

    It would be great to get things working for Malwarebytes.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Bill, I don't know you, but why would you want to send someone to another site to help with the HijackThis logs? Isn't that what we do here?

    ippymiss, I've checked the current logs and will review them AFTER you run Malwarebytes and SuperAntispyware and post the logs. You will find the information in Part 4 and Part 5 here:
    I do have two questions about things I saw in the log: there are numerous processes starting at boot for both 'iespell' and RoboForm. For instance, one iespell is for Wikipedia. Do you have to load the application separately for any site you may want to use it on the internet? If that is the case, you could get the Google Toolbar with the spell check for everything on the internet, with email not included!

    As for RoboForm, can't you bring that up manually when you need the feature? I'll go over the entire log you run again AFTER Malwarebytes and Superantispyware.

    In the meantime, please take this OUT of your trusted zone:
    O15 - Trusted Zone:
  8. ippymiss

    ippymiss TS Rookie Topic Starter

    I've checked my monitor in my device manager, and everything is good.
    I booted to safe mode and completed a Malwarebytes scan, log included.
    safe mode for superantispy and my puter froze 3 on one file took me 3 attempts and 6 hours. I gave up.......
    the file is
    C:/program files/common files/microsoft shared/smart tag/FStock.DLL.

    I also included a hijackthis log.

    I will do what you all have asked me to and post back with more logs......Thanks !!!!!

    I've taken that website off my trusted also. In my startup msconfig files I can't find the iespell or the roboform, I do not need either of these all the time. Actually I do not need any of these. I can take them off completely.
    I am going to find the files Fr66 asked me to delete, Thanks
  9. ippymiss

    ippymiss TS Rookie Topic Starter

    In safe mode I deleted one file only, it would not let me delete the O18 file. Filter Hijack.

    I did another malware scan and posted the results. What now? I also deleted the programs that I did not use. Thanks
  10. rf6647

    rf6647 TS Maniac Posts: 829

    Bobbye is the man on this problem. He has the depth to lead you.

    While waiting, see what you can do to perform a deep scan using malwarebytes.

    The quick scan seems stalled as far as keeping some re-infection from occurring.

    HJT and malwarebytes should be run in normal mode, not safe mode. Perhaps the freezes and errors were related to some of the malware that has been removed / weakened.

    Re-post fresh logs (all 3) just as you would following the 8-step procedure.
  11. ippymiss

    ippymiss TS Rookie Topic Starter

    I've tried running deep scans but it keeps freezing on one file...... the Fstock.dll
    doesn't that file have to do with Office?? I don't even use office

    I do NOT have any idea as to why?? it is doing that?

    Should I maybe?
    delete the dll file and download another one?

    I'm at a loss!
    I will keep trying what you recommend
  12. rf6647

    rf6647 TS Maniac Posts: 829

    one reference @ MS for Fstock dll
    Buried on the page describing a work around.

    It could be a disk error. CMD window > chkdsk /f > restart the computer

    If not using Office, the Rename > Move trick should work. That is rename the file. Use Explorer to move the file to the desktop or some temporary folder. This may delay the need to repair the installation of MS OFFICE.

    Delete file is an option, but the recycle bin will lose this file if emptied.

    File delete uses Windows Explorer. HJT delete means check the box.
    o18 corrective action was meant to say "file delete"
    I believe you understood this. This is added as a precaution.
    It appears this is a type of SmitFraud. Maybe a re-run of this remedy is needed. Normal mode / safe mode - whatever seems to work.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    1. mbam-log-2008-10-12 (09-23-06).txt 10/12/2008 9:23:06 AM shows removal of Zlob, Hotbar and other adware and Trojans.
    2. mbam-log-2008-10-12 (14-50-54).txt 10/12/2008 2:50:54 PM shows the same removal of Hotbar, adware and other Trojans, but no section for Zlob.
    It appears you may have posted the same log twice, leaving the 'Zlob' section off the second log.
    3. You ran the first HijackThis in Safe mode: Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:29:14, on 10/12/2008.
    4. You posted the same HijackThis log again: Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:29:14, on 10/12/2008

    When we tell you to check specific items in a HijackThis log, following through with a reboot after all has been done and tell you to scan with HijackThis again and post the log, that does NOT mean copy the previous log. The only way we can see if the removals have worked is by viewing the subsequent log.

    Please see Part 5 here: For SuperAntispyware. Attach the log.

    Make these changes if still on the log, run SuperAntispyware, THEN HijackThis again and post both logs. No need to do Mbam again:

    Please reopen HijackThis and scan. Put a check next to the following processes:
    NOTE: The entry for 'monln.dll' is for the Comodo AntiVirus. You are running AVG v8 which has AV+AntiSpyware. You should only run one AV program. The last entry for 'dikage' is from Zlob Trojan that infects you with the VirusHeat rogue anti-spyware program.

    I am breaking the following entries out separately. All of these processes for the two programs shouldn't run from startup. If you don't want either program, check ALL the entries in each group:
    For RoboForms:
    For iespell:
    When through close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
    Go to Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK everything except the AVG processes> Apply> OK
    Control Panel> Add/Remove Programs> Uninstall iespell and RoboForm if you don't use them. Uninstall Comodo Security suite. Look for any other programs that are unused and uninstall them.
    Start> Run> type in 'services.msc' without quotes> enter> look for Comodo Anti-Virus and Anti-Spyware Service> right click> Properties> change Startup type to Disabled> Apply> OK

    Remove ALL from Trusted Zone- leave the in the internet zone- it's safer:
    Reboot into Normal Mode> You will get a nag message that you can ignore after checking 'don't show this message again'. Stay in Selective Startup.

    Scan with HijackThis again and post a NEW log. Include the log from SuperAntispyware.

    If you need a spell checker for the internet, I suggest the Google Toolbar. You don't have to enable all the available options, but it has a good spell checker and pop-up blocker:

    Use this version as v5 is a beta version- still testing. We can add just the Comodo firewall to our system if wanted.
  14. ippymiss

    ippymiss TS Rookie Topic Starter

    I did attach a hijack this file. My AVG, found nothing but a few cookies that needed cleaned, and I could not even save a log file.

    I am still running a bit slow and still do freeze, but not as much as I did. Anything else?? Thanks
  15. rf6647

    rf6647 TS Maniac Posts: 829

    Note to Bobbye

    This is some kind of booger
    Research @ whatthetech viewing topic
    MBAM detects & deletes "msiebbar.dll"
    DelDomains.inf is invoked before running MBAM (Link to download file)

    There is no explanation. It's beyond me.

    This is related to comodo. Is this broken and/or redundant AV-Firewall?
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Unknown owner - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe (file missing)
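
Added example, not part of any post in this thread: a small Python parser for the HijackThis entries quoted above, marking the ones the log itself tags `(no file)` or `(file missing)`, meaning a registry hook that points at a file no longer on disk. The regular expressions, the `Entry` fields and the function names are assumptions made for this example; the sample lines are the ones posted in the thread.

```python
import re
from typing import List, NamedTuple, Optional

# Entries copied from the posts in this thread (not a complete log).
SAMPLE_LOG = r"""
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Unknown owner - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe (file missing)
"""

class Entry(NamedTuple):
    section: str          # HijackThis section code, e.g. "O18"
    kind: str             # text before the first colon, e.g. "Filter hijack"
    clsid: Optional[str]  # registry CLSID, if the line carries one
    path: Optional[str]   # file the entry points at, if any
    orphaned: bool        # HijackThis reported the target file as absent

LINE_RE = re.compile(r"^([A-Z]\d+)\s+-\s+([^:]+):\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:dll|exe|sys)\b", re.I)
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.I)

def parse(log: str) -> List[Entry]:
    entries = []
    for raw in log.splitlines():
        # Pasting into a forum can turn " - " into an en dash; undo that.
        m = LINE_RE.match(raw.strip().replace("\u2013", "-"))
        if not m:
            continue  # header lines, running-process list, blank lines
        section, kind, rest = m.groups()
        clsid = CLSID_RE.search(rest)
        path = PATH_RE.search(rest)
        entries.append(Entry(section, kind.strip(),
                             clsid.group(0) if clsid else None,
                             path.group(0) if path else None,
                             bool(MISSING_RE.search(rest))))
    return entries

def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose registry hook remains although the file is gone."""
    return [e for e in entries if e.orphaned]

if __name__ == "__main__":
    for e in parse(SAMPLE_LOG):
        state = "TARGET MISSING" if e.orphaned else "no missing-file marker"
        print(f"{e.section:4} {e.kind:22} {e.path or e.clsid} [{state}]")
```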
  16. ippymiss

    ippymiss TS Rookie Topic Starter

    I have not run Comodo for ages. I uninstalled it totally awhile ago.
    HiJack will not take off this file.........

    O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} – C:\WINDOWS\system32\msiebbar.dll

    Do I still download the deldomains file you want, without taking off the other bad file? Thanks
  17. rf6647

    rf6647 TS Maniac Posts: 829

    Note to ippymiss

    bobbye is driving this. My earlier post found evidence that MBAM removed msiebbar.dll. I am asking that bobbye use this information to direct us. That extra step/file had no explanation & may not help. I do not know.

    Be specific. What other bad file?
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    rf6647, thank you for catching this- I did overlook it:
    I checked the mbam log and it does not show removing this CLSID. Please scan with Malwarebytes again and see if it picks up the msiebbar.dll. I can't ID the CLSID- only info is 'Generic Downloader' so it makes specific removal impossible.

    AFTER rerunning Malwarebytes:
    Scan with HijackThis again. Check the following:
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe mode:
    Right click on Start> Explore> Windows> go to Tools> Folder Options> View tab> CHECK 'show hidden files and folders'> Apply> OK>>> then click on System32 on the left> look on the right screen for msiebbar.dll. If you see the file there, do a right click> Delete.

    If you don't see it> click on dll cache> look on the right- same thing, right click> delete if found.
    Go back into Folder Options and UNCHECK 'show hidden files and folders'> Apply> OK.

    The Comodo entries have been removed. Make sure any Comodo program showing in Add/Remove Programs is also uninstalled- it can be done while in Safe Mode. You still have extra entries for iespell. Decide if you need them- if not, have HijackThis fix.

    Boot into Normal Mode> scan with HijackThis once more to see if the O18 entry has been handled. Attach the log.
  19. ippymiss

    ippymiss TS Rookie Topic Starter

    I ran Hijack and found the O18 file.

    O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll

    But it won't delete it. Saved the log
    Went to safe mode did a search for the file in my System32 and my dll cache. NOPE not there!
    I went back to my AVG antivirus, that file is in my Resident shield Protection file, but then says it has been moved to my virus vault....... it's not there! And I can't get the files out of the resident shield and moved to anywhere else in AVG

    Comodo is not on the puter anymore I did a search and found nothing. I think I took off all the iespell. AVG still found nothing.

    I don't know what to do about this problem? HELP!!. And Thanks !
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Your system should be running better without all the RoboForm and iespell entries. But this needs to be checked. On original log, AVG program shows. On latest log, it's missing:

    On HJ1: Scan saved at 17:58:29, on 10/11/2008
    On last: Scan saved at 17:51:17, on 10/15/2008
    The auto-loading O4 entry is still there as well as the two O23 Services, but the program is missing from the programs list. Please check the status of that.

    As for the O18 entry:
    I have to assume it's malware. The CLSID is not identifiable and this is strange either way- bad or good. Since you've used Malwarebytes, the remaining suggestion is:

    Follow the instructions exactly. Screen shots will help you through.

    When you have finished, rerun HijackThis and post both logs. I would still encourage running SuperAntispyware and including that log also.
  21. ippymiss

    ippymiss TS Rookie Topic Starter

    I still have AVG, and ran it this morning, I do not know why it is not on the list. I have also run and do use SmitFraudFix faithful almost every month, but I will run it again and also highjack along with superantispy, and post logs.

    Thanks !

    AVG works fine, did all scans and here's the logs............ IE still closes on its own, at times, but the system seems to be running better. I do not know about that msiebbar.dll. Can't seem to get rid of it.

  22. CCT

    CCT TS Evangelist Posts: 2,653   +6

    Have you copied off all the stuff you value to a CD or drive or something?

    If you haven't, do so.

    Then re-install.

    This has gone on long enough!

  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    ippymiss, your original problem was:
    What is the status on that please? We've done a lot of cleaning- I hate to lose it all.
  24. ippymiss

    ippymiss TS Rookie Topic Starter

    Puter is running faster than it was, the porno is gone. IE still closes at times but not as much. I would really hate to re-install if I really do not have to. I may give it more time and see what happens. What we have done has helped more than you know!

    I uninstalled foxfire and may reload and see how that does now. Should I upgrade IE to 7? anything else I may try to do?? Thanks for all your help!!
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    When this happens, note the time on the computer clock, then do this:
    Do the same thing with the Systems log. NOTE: Ignore Warnings and Information Events. IF you have a recurring Error with same ID#, same Source and same Description, I only need one copy. You do not need to include the lines of code in the box below the Description, if any.

    FYI: The Event Viewer documents (logs) everything that happens in the computer. It divides the logs into Events for the System itself, Events specifically regarding Applications and Security Audits checking the status of the system at that time. It includes documentation about the normal every day happenings in "Information Events." It logs a temporary problem as a Warning. If a Warning doesn't resolve itself, or if something happens to prevent a function or cause it to fail in the computer, it will show as an Error. By checking for these, we can often troubleshoot the cause of a problem and find the resolution.

    The browser is Firefox. I encourage you to try it. I've been using it for 4 years- rarely use IE.

    Not at this time. You need to get a stable system. IE7 doesn't solve those problems.
Topic Status:
Not open for further replies.
