Hijack This Log - Task manager instantly closes

  • Byrddog
  • Beginner
  • Posts: 41
  • Loc: New Jersey, USA

Post 3+ Months Ago

Hello all, I'm just your basic high school computer user. Though I'm responsible for the health of all the computers in my house, I rarely use this one, it being devoted to my parents and siblings; therefore, while I know there is a problem, it often becomes difficult to isolate and correct without a more detailed knowledge than I possess.

This is where you guys come in. The symptoms I've discovered so far are Task Manager termination, MSConfig termination, and Regedit termination. It is not detected by Ad-Aware, Spy-Bot S&D, or McAfee Virus Scan. I've posted my HijackThis log in hopes that someone can help me out. Thanks again, I'll be here for a while hoping for a response.


Logfile of HijackThis v1.98.2
Scan saved at 4:34:22 PM, on 10/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\QTIMER.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.phong.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Quicktime Runtime] QTIMER.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Quicktime Runtime] QTIMER.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Inst ... S_live.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

*edit*
Thought I'd add that I understand that this is probably the W32.spybot.worm, but that knowledge isn't enough to get me out of my fix when it won't come up on any virus scans or malware scans.
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Welcome to OZZU Byrddog. Be patient while people review your log and try to offer help. Keep checking back to this post for solutions.
  • Byrddog
  • Beginner
  • Posts: 41
  • Loc: New Jersey, USA

Post 3+ Months Ago

Thanks again, and since I am a most impatient person I will of course attempt to fix it independently, most likely to no avail, but should I change anything I'll be sure to report it here.
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Hello Byrddog, Welcome to Ozzu.

Your log doesn't look too bad. I suspect the problem with Task manager, regedit, etc is related to this file: Qtimer.exe.

Copy or print the following instruction so you will have them handy.

Run Hijack This, scan and check the following items. (don't fix yet):
O4 - HKLM\..\Run: [Quicktime Runtime] QTIMER.EXE
O4 - HKCU\..\RunOnce: [Quicktime Runtime] QTIMER.EXE

Close all browsers and windows except for Hijack This and click 'Fix Checked'

Reboot into Safe Mode << Click 'Safe Mode' for instructions.

Display hidden files and folders
Go to Start > Run
Enter: control folders
Go to the View tab.
Check "Show hidden files and folders"
Uncheck "Hide protected Operating System files"
Click OK

Delete the following files:
C:\WINDOWS\system32\QTIMER.EXE

Clear Temporary Folders\Files and Internet Files
Go to start > run
Enter: cleanmgr

Make sure only the following are checked:
Temporary Internet files
Recycle Bin
Temporary Files

Click OK

Login for each user and repeat the steps for Clearing Temporary Folders\Files and Internet Files.

Flush System Restore
Right Click on "My Computer"
Select Properties
Go to the System Restore Tab
Check 'Turn off System Restore on all drives'.
Click Apply
Uncheck 'Turn off System Restore on all drives'
Click OK

** This will prevent accidentally going to a previous restore point which may contain things that were previously fixed

Reboot Normally
Run Hijack This, scan, save and post the new log.
  • Byrddog
  • Beginner
  • Posts: 41
  • Loc: New Jersey, USA

Post 3+ Months Ago

Wow, you're a smart one. Time to try... I actually was considering that to be the problem after reading one of your posts about how legit programs won't use more than 1 run code line... run service/run/run start... Only thing is, I think it might have been there for longer than this problem has existed. Only one way to find out though. Back in a flash.
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

I'm pretty confident that qtimer.exe is the culprit. A google search for Qtimer.exe found a HJT log on another forum with the same problem you are having. Actually, I suspected that before doing a search for it because of the reason you stated: Entries in both Run and Runonce sections of the registry. Plus, Qtimer.exe is not a file related to Quicktime. If it was, it would most likely be in Program Files\Quicktime\
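
The check described in the post above (the same value name listed under both Run and RunOnce, with no directory path), as an added example that is not part of the original posts or of HijackThis. The sample lines are copied from the first log in this thread; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: O4 lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Quicktime Runtime] QTIMER.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Quicktime Runtime] QTIMER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Registry autorun line: hive, key (Run, RunOnce, ...), value name, command.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

def executable(command):
    """First token of the command; honours a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def parse_o4(log_text):
    """Yield (hive, key, name, command) for each registry autorun line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.groups()

def review_autoruns(log_text):
    """Return [(value name, executable, [reasons])], strongest signals first."""
    keys_seen = defaultdict(set)
    for _hive, key, name, command in parse_o4(log_text):
        keys_seen[(name, executable(command))].add(key)
    findings = []
    for (name, exe), keys in keys_seen.items():
        reasons = []
        if len(keys) > 1:  # same entry under more than one autorun key
            reasons.append("listed under " + " and ".join(sorted(keys)))
        if "\\" not in exe:  # bare filename, resolved through the search path
            reasons.append("no directory path given")
        if reasons:
            findings.append((name, exe, reasons))
    return sorted(findings, key=lambda f: -len(f[2]))

if __name__ == "__main__":
    for name, exe, reasons in review_autoruns(SAMPLE_LOG):
        print(f"[{name}] {exe}: {'; '.join(reasons)}")
```

A bare filename on its own also matches entries such as CTHELPER.EXE and RUNDLL32.EXE in this log, so only the entry that shows both signals is ranked first.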
  • Byrddog
  • Beginner
  • Posts: 41
  • Loc: New Jersey, USA

Post 3+ Months Ago

Okay, here's the new log, and interestingly enough, after following your instructions one instance of QtimeR still appears to have started with the reboot... But at least this time my access to the Task Manager has been restored. Anyway, here's the new HJT log.

Logfile of HijackThis v1.98.2
Scan saved at 5:15:34 PM, on 10/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.phong.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Quicktime Runtime] QTIMER.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Inst ... S_live.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Hmm, not sure what that's about. I don't see qtimer.exe in the process list anymore. Were you able to delete that file?

Run Hijack This, scan and check the following items. (don't fix yet):
O4 - HKLM\..\Run: [Quicktime Runtime] QTIMER.EXE

Close all browsers and windows except for Hijack This and click 'Fix Checked'.

Delete C:\WINDOWS\system32\QTIMER.EXE if it still exists.

Flush System Restore
Right Click on "My Computer"
Select Properties
Go to the System Restore Tab
Check 'Turn off System Restore on all drives'.
Click Apply
Uncheck 'Turn off System Restore on all drives'
Click OK

** Just to make sure nothing's left

Reboot and post a new log. Let us know if Qtimer.exe is still around.

Oh, and as far as the topic title goes, *Description of the Problem* should actually be a short description of the problem.

Hijack This Log -- Task Manager instantly closes

or something similar. :)
  • Byrddog
  • Beginner
  • Posts: 41
  • Loc: New Jersey, USA

Post 3+ Months Ago

Well, I'm happy to say that this little bit of dusting up the debris managed to eradicate the final twitches this little bugger was making, because that final bit of HJT removal seems to have removed it completely. Thanks for the help, and don't be surprised if I bring some more problems your way. I tend to have to fix little bugs on a lot of computers, being my family's resident tech in a family of people who take very little care for what they download ;p. Time to head upstairs to my room and run this fix, 'cause I'm pretty sure I've got that same little thing on my computer upstairs, no use waiting for it to cause troubles. If I have some, though, maybe you'll see another log from me.

BTW, where do you learn how to use HJT better? If you could post a link to a tutorial or something I'd appreciate it.
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

You're welcome. Glad the problem is fixed. :)

You've probably already looked at this thread: http://www.ozzu.com/mswindows-forum/highjackthis-and-spyware-removal-resources-and-tips-t31034.html

Lots of good info there.

In that thread, there is a link for "Spyware bootcamp":
http://forums.spywareinfo.com/index.php?showtopic=34

You need to register as a user first and then respond to the above thread. A hidden forum named "Boot Camp" will be made available to you. There are many resources available as well as practice logs, tutorials and tools.

Feel free to ask for any other help you might need.

Now the obligatory speech. :)

For the Future Prevention of Spyware/Malware and other Security Issues
-----------------------------------------------------------------------
Microsoft issues security updates on a regular basis. These updates patch vulnerabilities that hackers can exploit. Please visit Windows Update and install all Critical updates for Windows and Internet Explorer.
http://windowsupdate.microsoft.com/

Keep your Anti-Virus program up-to-date. This is very important. New viruses are released at an alarming rate. By keeping your AV program updated, you greatly reduce the risk of being infected.

Spyware cleaning programs such as Spybot Search and Destroy and Adaware are a must have for any internet user. Seemingly benign websites can cause great harm to the unwary user.
  • AdAware
  • Spybot Search and Destroy
I recommend installing both of these and updating them on a regular basis. A good article to read:
So how did I get infected in the first place?

The above article mentions a favorite program of mine: Spywareblaster; This is an excellent program which:
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially dangerous sites in Internet Explorer.

A firewall is also an important tool for system security. I recommend reading this article:
Understanding and Using Firewalls

Again, it is essential to keep all of these programs up-to-date. The longer you go without updating them, the less effective they become.
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Just to do it by the book, you should rerun and post your log one last time, just to be on the safe side, even though it appears the problem is resolved.
