Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IE 5.5 errors, possible hijack

Status
Not open for further replies.
brassmann

brassmann

Technical User
Mar 4, 2004
5
0
0
US
My problem first started when outlook express wouldn't open the inbox. All other folders worked yet oe would hang until i ended task on it. Backed up my inbox.dbx and deleted it, allowing oe to rebuild the inbox. Importing the backed up inbox.dbx wouldn't work, notifying me there were no messages. (yet a trial of MailNavigator immediately opened the 'corrupt' dbx file.) All seems well until IE starts having errors. I can access just about any page except for online email, primarily hotmail and yahoo. As soon as i enter my username/pass and submit it expecting to load my inbox, i get the notice that an error has occurred and internet explorer will have to restart..also asking if i'd like to send the error report to microsoft. Thinking maybe it was limited to IE, i used mozilla firebird. There's no error reporting tool, it just acts as if i hadn't clicked the submit button at all and never loads beyond the login pages. This happens only on the mail, i can successfully log into yahoo groups. Watching closely at the status bar i've noticed something odd. When trying to access yahoo mail, it says it's connecting to the yahoo servers, the page begins to load..and for a short period the status message switches saying "downloading from and then quickly reverts to the yahoo servers. Google is set to be my homepage, but it shouldn't require any info from google to load yahoo mail. I'm not entirely positive i haven't been somehow hijacked.

After updating all my definition files to the latest possible, i've done the following: scanned the entire pc with spybot s&d, adaware6 (build 181), run sfc, scanned the entire drive twice with avg6, trend micro's housecall, have tried repairing IE via the control panel add/remove programs panel. Nothing works, and all my results come back clean every time. I couldn't copy the entire error message, but this is the basic message:
Error Signature, AppName: iexplore.exe,
AppVer: 5.51.4807.2300, ModName: mshtml.dll,
ModVer: 5.50.4807.2300, Offset: 0010bdf5
-----------------------------------------------------------
Also ran hijack this!, and this is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 2:31:51 PM, on 3/4/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
E:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
E:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
E:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
E:\PROGRAM FILES\HIJACK-THIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - E:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [Avgserv9.exe] E:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Global Startup: ZoneAlarm Pro.lnk = E:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - O16 - DPF: Yahoo! Pool 2 - O16 - DPF: Yahoo! Chat - O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - -----------------------------------------------------------
(On the hijack this! log on startup, 3cmlnkw.exe is required for my modem) Any suggestions would be greatly appreciated. -brass
 
Sort by date Sort by votes
Somewhat of an update on the situation, I found a more recent version of mshtml.dll and installed it.. and registered it using start>run: regsvr32 mshtml.dll . Still no luck. One thing I found curious, the msie error states that the app version is 5.51.4807.2300. Checking properties on iexplore.exe confirms this. Shouldn't it be version 5.50.4807.2300 as it states in "help>about internet explorer"?
 
Upvote 0 Downvote
The first o2 bho line relating to fdcatch.dll needs to go.
I'm not sure about the other two, I saw some suggestions with google searches that the second one relating to acrobat should also go.
 
Upvote 0 Downvote
Thanks, I'll run Hijack This! again and get rid of it. Also, even though I'd already scanned my pc with two different av's, apparently they missed something. I went to symantec and used their online test which showed that I have the trojan.bookmarker.e, a variant of Coolwebsearch.cpan. I'd already looked for any mention of the coolwebsearch in my start- and search pages in spybot s&d, though i didn't realize that aifind.info was also part of it. I searched for the files cpan.dll and hh.htt which are responsible for loading the trojan/hijacker.. they don't show up under find files/folders. Being concerned that I had been hijacked, I altered some of my start- search pages in spybot s&d, changing most of them to read " just to make sure no other page was loading. Is there any way to find out what the original default pages were supposed to be linked to?
Symantec also suggested that msconfd.exe was the file infected, residing in c:/windows/system.. can I simply replace this file using sfc to repair it with a clean version? Thanks again for your advice. -brass
 
Upvote 0 Downvote
Download and install CWShredder. See FAQ's in the spyware forum.

Also I'd upgrade to IE 6.0. There's no reason to still be using 5.5 since 6.0 has been out for over a year now and is designed to be more secure. You may want to check the rest of your windows updates also.
 
Upvote 0 Downvote
I downloaded bazooka and cwshredder both.. bazooka confirmed the presence of the coolwebsearch variant, but conflicted with symantec's report. symantec said it was msconfd.exe that needed to be deleted, bazooka said it was olehelp.exe. i deleted them both in safe mode, attempted to restore mshtml.dll..everything came back clean afterwards, bazooka reported no probs and neither did cwshredder. Still didn't fix my problem, mshtml.dll seems to be permanently corrupted. I scouted through all the updates listed throughout the net and hidden away in various places on microsoft's website and have them all installed. Maybe i'll consider IE6, but it doesn't seem all that more secure than 5.5sp2 and is less capable. (I use the webdev addons not available for IE6). I realize win98's a bit old, but then again so is winxp (over 3yrs now and will probably be hitting it's end of cycle within the next couple of years). Doesn't seem worth upgrading to xp for a couple yrs use and having to put up with the controlling features of the activation. Keeping my fingers crossed that longhorn provides true improvement. In any case, I appreciate all the help. Feeling though that I've nearly exhausted all measures to repair the problem while windows is installed and running, my only option left may be to reinstall. I'm assuming the underlying problem is with mshtml.dll being corrupted since this is the same module that comes up during the IE error reports and is also the same dll that causes an error with yahoo messenger. Thank you again for all your help. -brass

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

pmonett
  • Locked
  • Question
Is it possible to replace Windows Explorer when using Win+E ? 1
Replies
2
Views
92
pmonett
pmonett
ManniB
  • Locked
  • Question
Multiple Versions of Windows on one machine possible?
Replies
16
Views
241
Aditi Tyagi
Aditi Tyagi
iNotes4You
  • Locked
  • Question
Microsoft IExpress 'Extract-To'-Option
Replies
2
Views
162
iNotes4You
iNotes4You
DrB0b
  • Locked
  • Question
Windows CE 6.5 Browser that isnt IE
Replies
1
Views
64
xwb
xwb
fredmartinmaine
  • Locked
  • Question
Robocopy OK on command line, errors when in batch file
Replies
1
Views
66
Salem
Salem

Part and Inventory Search

Sponsor

Back
Top