Internet explorer error pop ups

Posted 4/2/2006 4:48 PM
#29441

AznKidd86b Member

Date Joined Nov 2016
Total Posts: 6
I do not use Internet Explorer as my browser, but this program continues to give pop-ups saying "Internet Explorer has encountered a problem and needs to close."

error signature:
appname: iexplorer.exe
appver: 6.0.2900.2180
modname: mfc42.dll
modver: 6.2.4131.0
offset: 000019e9

Logfile of HijackThis v1.99.1
Scan saved at 12:46:41 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\ugcoqizA.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\ugcoqiz.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\DOCUME~1\TUANPH~1\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drwtsn32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.brainfox.com/search.php?cat=realestate&partner=sa_tk
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kcyan.exe
F2 - REG:system.ini: UserInit=userinit.exe,uwgexqx.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\Tuan Pham\Application Data\Mozilla\Profiles\default\7ynu37no.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Tuan Pham\Application Data\Mozilla\Profiles\default\7ynu37no.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ugcoqizA] C:\WINDOWS\ugcoqizA.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\jtl2073oe.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: IEFilter - {DA7F560C-A39D-47BA-8538-0A1D20CC4523} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHVhbiBQaGFt\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ugcoqiz.exe

I appreciate any help.
Posted 4/4/2006 3:26 AM
#29490

Andrei Ionescu Advanced member

Date Joined Nov 2016
Total Posts: 43
Hi there,

It seems that you have several infections on your computer that, even if you do not use IE, start the application themselves in order to submit personal information over the internet. Please follow these steps in order to remove the infections:

1. First of all, please run HijackThis again and put a check in front of the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.brainfox.com/search.php?cat=realestate&partner=sa_tk
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kcyan.exe
F2 - REG:system.ini: UserInit=userinit.exe,uwgexqx.exe
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [ugcoqizA] C:\WINDOWS\ugcoqizA.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\jtl2073oe.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: IEFilter - {DA7F560C-A39D-47BA-8538-0A1D20CC4523} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHVhbiBQaGFt\command.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ugcoqiz.exe

2. Then please press the FIX CHECKED button in HijackThis.

3. Download Killbox from this link: http://www.bleepingcomputer.com/files/killbox.php

4. Start the Killbox application, press the File button -> Paste from Clipboard, and paste these files in the application:

C:\WINDOWS\system32\IEFilter.dll
C:\WINDOWS\ugcoqiz.exe
C:\WINDOWS\ugcoqizA.exe
C:\WINDOWS\system32\kcyan.exe
C:\WINDOWS\system32\dmonwv.dll

5. Then press the Delete Files button (the one with the red X).

6. Restart your computer.

7. Use Regedit to remove these entries if they are still present on your computer:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell --->>> Explorer.exe, \jaicg.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ---->>> \userinit.exe,uupgqem.exe

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\(4ABF810A-F11D-4169-9D5F-7D274F2270A1)

HKCR\CLSID\(CE3A44D8-BC88-4D62-A890-42D96245F8D6

HKCR\Folder\shellex\ColumnHandlers\(CE3A44D8-BC88-4D62-A890-42D96245F8D6) (default)

HKLM\SOFTWARE\qstat

HKLM\SOFTWARE\Microsoft\wwdqoq

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webnexus

8. Also, please remove this entry from the Control Panel -> Add/Remove Programs list if it is present: "Web Nexus Network"

After all these steps make a fresh HijackThis log and post it as a reply to this thread.

Andrei Cristian Ionescu

QA Team Member

BullGuard Software Ltd.

Cell phone: +40 724.276.719

Do not PM me with logfiles. They will be deleted
Posted 4/5/2006 12:12 AM
#29514

AznKidd86b Member

Date Joined Nov 2016
Total Posts: 6
Hey, I haven't seen an IE pop-up since. Thanks, dude.

However:

C:\WINDOWS\system32\kcyan.exe could not be deleted using Killbox
C:\WINDOWS\system32\dmonwv.dll also could not be deleted using Killbox

new log:
Logfile of HijackThis v1.99.1
Scan saved at 8:11:15 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\Service.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\PROGRA~1\NORTON~1\QServer.exe
C:\DOCUME~1\TUANPH~1\LOCALS~1\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kcyan.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,uwgexqx.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\Tuan Pham\Application Data\Mozilla\Profiles\default\7ynu37no.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Tuan Pham\Application Data\Mozilla\Profiles\default\7ynu37no.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O21 - SSODL: IEFilter - {5777C3C0-782E-44E7-B704-283E4A8FBCA0} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHVhbiBQaGFt\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
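
An added example, not part of the original thread and not HijackThis's own code: a small triage pass over a HijackThis log that flags the kinds of entries the helper selected above (extra programs in the Winlogon Shell/UserInit values, entries marked "(file missing)", services with "Unknown owner"). The function name `triage` and the reason strings are assumptions; the sample lines are copied from the follow-up log in this thread.

```python
import ntpath
import re

# Sample input: lines copied from the follow-up log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kcyan.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,uwgexqx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O21 - SSODL: IEFilter - {5777C3C0-782E-44E7-B704-283E4A8FBCA0} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHVhbiBQaGFt\command.exe (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
WINLOGON = re.compile(r"REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
# Only the file name is compared, so a look-alike in another folder is not caught.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.groups()
        w = WINLOGON.match(body) if code == "F2" else None
        if w:
            for prog in w.group(2).split(","):
                prog = prog.strip()
                if prog and ntpath.basename(prog).lower() != EXPECTED[w.group(1).lower()]:
                    findings.append((code, "extra Winlogon %s program" % w.group(1), prog))
        if body.endswith("(file missing)"):
            findings.append((code, "entry points at a missing file", body))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service with unknown owner", body))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A flag here means "review", not "delete": the Lexar JD31 service is reported with an unknown owner in both logs, yet it was not among the entries the helper asked to fix.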