Win XP Task Manager opens but instantly closes again
- JrzyCrim
- Mastermind


- Joined: Mar 17, 2004
- Posts: 2062
- Status: Offline
labrego wrote:
Not sure about these ones; I will research them if no one comes up with some information:
O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll
No information whatsoever. That is suspicious in itself. I would get rid of them. HijackThis can restore them if necessary, and that file can be moved temporarily.
Quote:
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
Now these are definitely bad. Any task which is set up to launch at startup from multiple locations is no good. No legitimate Windows program or service would be set up like this.
September 14th, 2004, 10:48 am
- LAbrego
- brego from LA


- Joined: May 25, 2004
- Posts: 2850
- Status: Offline
JrzyCrim wrote:
labrego wrote:
Not sure about these ones; I will research them if no one comes up with some information:
O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll
No information whatsoever. That is suspicious in itself. I would get rid of them. HijackThis can restore them if necessary, and that file can be moved temporarily.
Quote:
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
Now these are definitely bad. Any task which is set up to launch at startup from multiple locations is no good. No legitimate Windows program or service would be set up like this.
Agreed Jim, just wanted to be sure and wait for the master's return.
- thommata
- Born


- Joined: Sep 17, 2004
- Posts: 1
- Status: Offline
Help please.
I am trying to help a friend clean her PC. Here is what I have done. I have updated AV and run a full scan; multiple viruses were found and cleaned. Ran Ad-Aware multiple times and cleaned files. Ran a VB script to remove the regedit disable. I can boot to safe mode and launch regedit and it is fine. When I log in as a user with admin rights, regedit opens and closes when run. I then opened Norton AV and noticed that Auto-Protect was not enabled; I tried to enable it and could not. Also, every time I launch a browser and try to go to the Norton site or McAfee, it redirects me to some ad123 site that then launches multiple browsers. I have also run HijackThis and used it to remove the O7 reg reference, but still no regedit. Any help would be fantastic. Here is the HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 9:50:36 AM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\ZONEALARMUPDATE.EXE
C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\AIM\aim.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 127.208.109.145 www.symantec.com
O1 - Hosts: 127.139.62.44 securityresponse.symantec.com
O1 - Hosts: 127.254.139.74 symantec.com
O1 - Hosts: 127.128.106.240 www.mcafee.com
O1 - Hosts: 127.113.55.99 mcafee.com
O1 - Hosts: 127.131.210.24 us.mcafee.com
O1 - Hosts: 127.52.55.3 www.sophos.com
O1 - Hosts: 127.148.126.103 sophos.com
O1 - Hosts: 127.140.3.237 www.viruslist.com
O1 - Hosts: 127.112.18.5 viruslist.com
O1 - Hosts: 127.214.253.244 f-secure.com
O1 - Hosts: 127.82.182.95 www.f-secure.com
O1 - Hosts: 127.86.252.70 kaspersky.com
O1 - Hosts: 127.25.55.68 www.avp.com
O1 - Hosts: 127.124.188.120 www.kaspersky.com
O1 - Hosts: 127.209.173.136 avp.com
O1 - Hosts: 127.141.200.92 www.networkassociates.com
O1 - Hosts: 127.229.67.144 networkassociates.com
O1 - Hosts: 127.183.253.6 www.ca.com
O1 - Hosts: 127.85.243.153 ca.com
O1 - Hosts: 127.240.183.142 my-etrust.com
O1 - Hosts: 127.201.94.150 www.my-etrust.com
O1 - Hosts: 127.54.65.109 secure.nai.com
O1 - Hosts: 127.95.2.248 nai.com
O1 - Hosts: 127.2.45.139 www.nai.com
O1 - Hosts: 127.118.117.194 trendmicro.com
O1 - Hosts: 127.28.141.83 www.trendmicro.com
O1 - Hosts: 127.247.125.171 housecall.trendmicro.com
O1 - Hosts: 127.0.81.108 www.pandasoftware.com
O1 - Hosts: 127.190.17.75 www.bitdefender.com
O1 - Hosts: 127.159.51.235 www.ravantivirus.com
O1 - Hosts: 127.55.170.126 www3.ca.com
O1 - Hosts: 127.32.246.16 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.71.116.129 windowsupdate.microsoft.com
O1 - Hosts: 127.228.227.246 www.windowsupdate.com
O1 - Hosts: 127.27.50.118 windowsupdate.com
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\faye haas\Local Settings\Temp\wCfruvdA.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kuljblwp.exe
O4 - HKLM\..\Run: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARMUPDATE.EXE
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] C:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\Run: [DC4j] C:\documents and settings\faye haas\local settings\temp\DC4j.exe
O4 - HKLM\..\Run: [dO6eE] C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\TafqX5mo.exe
O4 - HKLM\..\Run: [fcb8f7189662] C:\WINDOWS\System32\CLBCATQ2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [DriveService16] sysserv16.exe -drivers
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKCU\..\Run: [d0q3RVeFg] ixstls.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARMUPDATE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5197190017
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Adqlai32.dll (file missing)
Thank you in advance,
Tom
- JrzyCrim
- Mastermind


- Joined: Mar 17, 2004
- Posts: 2062
- Status: Offline
Hello Tom, welcome to Ozzu. Thanks for the detailed information.
Print or save the following so that you will have these instructions handy.
Run Hijack This, Go to Config > Misc Tools > Open Process Manager.
Select the following one at a time and click Kill Process:
C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\PROGRA~1\Web Offer\wo.exe
Click Back in the lower right of hijack this.
Click Scan and check the following items. Don't Fix yet.
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 127.208.109.145 www.symantec.com
O1 - Hosts: 127.139.62.44 securityresponse.symantec.com
O1 - Hosts: 127.254.139.74 symantec.com
O1 - Hosts: 127.128.106.240 www.mcafee.com
O1 - Hosts: 127.113.55.99 mcafee.com
O1 - Hosts: 127.131.210.24 us.mcafee.com
O1 - Hosts: 127.52.55.3 www.sophos.com
O1 - Hosts: 127.148.126.103 sophos.com
O1 - Hosts: 127.140.3.237 www.viruslist.com
O1 - Hosts: 127.112.18.5 viruslist.com
O1 - Hosts: 127.214.253.244 f-secure.com
O1 - Hosts: 127.82.182.95 www.f-secure.com
O1 - Hosts: 127.86.252.70 kaspersky.com
O1 - Hosts: 127.25.55.68 www.avp.com
O1 - Hosts: 127.124.188.120 www.kaspersky.com
O1 - Hosts: 127.209.173.136 avp.com
O1 - Hosts: 127.141.200.92 www.networkassociates.com
O1 - Hosts: 127.229.67.144 networkassociates.com
O1 - Hosts: 127.183.253.6 www.ca.com
O1 - Hosts: 127.85.243.153 ca.com
O1 - Hosts: 127.240.183.142 my-etrust.com
O1 - Hosts: 127.201.94.150 www.my-etrust.com
O1 - Hosts: 127.54.65.109 secure.nai.com
O1 - Hosts: 127.95.2.248 nai.com
O1 - Hosts: 127.2.45.139 www.nai.com
O1 - Hosts: 127.118.117.194 trendmicro.com
O1 - Hosts: 127.28.141.83 www.trendmicro.com
O1 - Hosts: 127.247.125.171 housecall.trendmicro.com
O1 - Hosts: 127.0.81.108 www.pandasoftware.com
O1 - Hosts: 127.190.17.75 www.bitdefender.com
O1 - Hosts: 127.159.51.235 www.ravantivirus.com
O1 - Hosts: 127.55.170.126 www3.ca.com
O1 - Hosts: 127.32.246.16 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.71.116.129 windowsupdate.microsoft.com
O1 - Hosts: 127.228.227.246 www.windowsupdate.com
O1 - Hosts: 127.27.50.118 windowsupdate.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\faye haas\Local Settings\Temp\wCfruvdA.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kuljblwp.exe
O4 - HKLM\..\Run: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] C:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\Run: [DC4j] C:\documents and settings\faye haas\local settings\temp\DC4j.exe
O4 - HKLM\..\Run: [dO6eE] C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\TafqX5mo.exe
O4 - HKLM\..\Run: [fcb8f7189662] C:\WINDOWS\System32\CLBCATQ2.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [DriveService16] sysserv16.exe -drivers
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKCU\..\Run: [d0q3RVeFg] ixstls.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Adqlai32.dll (file missing)
Close all browsers and windows except Hijack this and click Fix Checked.
Reboot into Safe Mode.
Find and delete the following files:
C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\WINDOWS\System32\kuljblwp.exe
C:\WINDOWS\System32\ws2_32s.exe
C:\WINDOWS\System32\TafqX5mo.exe
C:\WINDOWS\System32\CLBCATQ2.exe
Delete the following folders:
C:\PROGRA~1\Web Offer\
Search for these files and delete if found:
mssecure.exe
sysserv16.exe
wudmate.exe
ipconfigs.exe
ixstls.exe
Go to start > run, enter: cleanmgr
Make sure only the following are checked:
Temporary Internet files
Recycle Bin
Temporary Files
Click OK
Reboot into normal mode. Run Hijack This, Scan and save the log. Post the new log here.
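As an added example (not code from the thread, from JrzyCrim, or from HijackThis), the script below applies the two triage rules this thread relies on to lines in HijackThis log format: JrzyCrim's earlier rule that one executable registered under several startup keys is not legitimate, and the O1 hosts entries in Tom's log that sink antivirus and Windows Update names into the 127/8 loopback block (which is why those sites were unreachable). It also flags autoruns launched out of a Temp folder, as the dO6eE.exe and DC4j.exe entries are. The watch-list of vendor domains and the sample log lines are constructed for the example; the user profile path in the sample is a generic placeholder.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in HijackThis v1.98 log format (modelled on the thread's
# entries, with a generic user profile path; not the full log from the thread).
SAMPLE_LOG = r"""
O1 - Hosts: 127.208.109.145 www.symantec.com
O1 - Hosts: 127.71.116.129 windowsupdate.microsoft.com
O1 - Hosts: 10.0.0.5 printer.corp.example
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [dO6eE] C:\Documents and Settings\user\Local Settings\Temp\dO6eE.exe
O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARMUPDATE.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARMUPDATE.EXE
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\]\s*(.*)$")
# Last path component ending in .exe, whether the command is quoted, bare, or has arguments.
EXE_RE = re.compile(r'([^\\"/]+\.exe)', re.IGNORECASE)

# Assumed watch-list: the vendor / update domains that appear in the thread's O1 entries.
WATCHED_SUFFIXES = (
    "symantec.com", "mcafee.com", "sophos.com", "f-secure.com", "kaspersky.com",
    "avp.com", "nai.com", "networkassociates.com", "trendmicro.com", "ca.com",
    "my-etrust.com", "pandasoftware.com", "bitdefender.com", "ravantivirus.com",
    "viruslist.com", "windowsupdate.microsoft.com", "windowsupdate.com",
)


def _is_watched(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def hosts_hijacks(lines):
    """O1 entries that point a watched name at a loopback (127/8) or 0.0.0.0 address.

    The thread's entries use addresses such as 127.208.109.145 rather than 127.0.0.1;
    the whole 127/8 block is loopback, so each one still blackholes the vendor site."""
    hits = []
    for line in lines:
        m = O1_RE.match(line)
        if not m:
            continue
        ip, host = m.groups()
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # not an IP literal; nothing to judge
        if (addr.is_loopback or addr.is_unspecified) and _is_watched(host):
            hits.append((host.lower(), ip))
    return hits


def parse_autoruns(lines):
    """Return (hive, key, entry name, command, exe basename) for each O4 registry entry."""
    out = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        exe = EXE_RE.search(cmd)
        out.append((hive, key, name, cmd, exe.group(1).lower() if exe else cmd.lower()))
    return out


def multi_location_autoruns(lines):
    """JrzyCrim's rule: the same executable registered under more than one startup key."""
    locations = defaultdict(set)
    for hive, key, _name, _cmd, exe in parse_autoruns(lines):
        locations[exe].add(f"{hive}\\..\\{key}")
    return {exe: sorted(locs) for exe, locs in locations.items() if len(locs) > 1}


def temp_dir_autoruns(lines):
    """Autoruns whose command lives in a Temp directory (the dO6eE.exe / DC4j.exe pattern)."""
    return [cmd for _h, _k, _n, cmd, _e in parse_autoruns(lines) if "\\temp\\" in cmd.lower()]


def triage(log_text):
    """Run all three checks over a HijackThis log and group the findings by category."""
    lines = log_text.splitlines()
    return {
        "hosts_hijacks": hosts_hijacks(lines),
        "multi_location_autoruns": multi_location_autoruns(lines),
        "temp_dir_autoruns": temp_dir_autoruns(lines),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOG).items():
        print(category)
        items = findings.items() if isinstance(findings, dict) else findings
        for item in items:
            print("   ", item)
```

The multi-location rule is a heuristic: a hit means the entry deserves a look, not that the file is automatically malware.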
Print or save the following so that you will have these instructions handy.
Run Hijack This, Go to Config > Misc Tools > Open Process Manager.
Select the following one at a time and click Kill Process:
C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\PROGRA~1\Web Offer\wo.exe
Click Back in the lower right of hijack this.
Click Scan and check the following items. Don't Fix yet.
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 127.208.109.145 http://www.symantec.com
O1 - Hosts: 127.139.62.44 securityresponse.symantec.com
O1 - Hosts: 127.254.139.74 symantec.com
O1 - Hosts: 127.128.106.240 http://www.mcafee.com
O1 - Hosts: 127.113.55.99 mcafee.com
O1 - Hosts: 127.131.210.24 us.mcafee.com
O1 - Hosts: 127.52.55.3 http://www.sophos.com
O1 - Hosts: 127.148.126.103 sophos.com
O1 - Hosts: 127.140.3.237 http://www.viruslist.com
O1 - Hosts: 127.112.18.5 viruslist.com
O1 - Hosts: 127.214.253.244 f-secure.com
O1 - Hosts: 127.82.182.95 http://www.f-secure.com
O1 - Hosts: 127.86.252.70 kaspersky.com
O1 - Hosts: 127.25.55.68 http://www.avp.com
O1 - Hosts: 127.124.188.120 http://www.kaspersky.com
O1 - Hosts: 127.209.173.136 avp.com
O1 - Hosts: 127.141.200.92 http://www.networkassociates.com
O1 - Hosts: 127.229.67.144 networkassociates.com
O1 - Hosts: 127.183.253.6 http://www.ca.com
O1 - Hosts: 127.85.243.153 ca.com
O1 - Hosts: 127.240.183.142 my-etrust.com
O1 - Hosts: 127.201.94.150 http://www.my-etrust.com
O1 - Hosts: 127.54.65.109 secure.nai.com
O1 - Hosts: 127.95.2.248 nai.com
O1 - Hosts: 127.2.45.139 http://www.nai.com
O1 - Hosts: 127.118.117.194 trendmicro.com
O1 - Hosts: 127.28.141.83 http://www.trendmicro.com
O1 - Hosts: 127.247.125.171 housecall.trendmicro.com
O1 - Hosts: 127.0.81.108 http://www.pandasoftware.com
O1 - Hosts: 127.190.17.75 http://www.bitdefender.com
O1 - Hosts: 127.159.51.235 http://www.ravantivirus.com
O1 - Hosts: 127.55.170.126 www3.ca.com
O1 - Hosts: 127.32.246.16 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.71.116.129 windowsupdate.microsoft.com
O1 - Hosts: 127.228.227.246 http://www.windowsupdate.com
O1 - Hosts: 127.27.50.118 windowsupdate.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\faye haas\Local Settings\Temp\wCfruvdA.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kuljblwp.exe
O4 - HKLM\..\Run: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] C:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\Run: [DC4j] C:\documents and settings\faye haas\local settings\temp\DC4j.exe
O4 - HKLM\..\Run: [dO6eE] C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\TafqX5mo.exe
O4 - HKLM\..\Run: [fcb8f7189662] C:\WINDOWS\System32\CLBCATQ2.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [DriveService16] sysserv16.exe -drivers
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKCU\..\Run: [d0q3RVeFg] ixstls.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Adqlai32.dll (file missing)
Close all browsers and windows except Hijack this and click Fix Checked.
Reboot into Safe Mode.
Find and delete the following files:
C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\WINDOWS\System32\kuljblwp.exe
C:\WINDOWS\System32\ws2_32s.exe
C:\WINDOWS\System32\TafqX5mo.exe
C:\WINDOWS\System32\CLBCATQ2.exe
Delete the following folders:
C:\PROGRA~1\Web Offer\
Search for these files and delete if found:
mssecure.exe
sysserv16.exe
wudmate.exe
ipconfigs.exe
ixstls.exe
Go to start > run, enter: cleanmgr
Make sure only the following are checked:
Temporary Internet files
Recycle Bin
Temporary Files
Click OK
Reboot into normal mode. Run Hijack This, Scan and save the log. Post the new log here.
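The fix above relies on three patterns that recur in the logs in this thread: hosts entries that black-hole antivirus and Windows Update domains into 127.0.0.0/8, the same executable started from several Run/RunServices keys, and a second program chained onto UserInit. As an added example (not part of the thread and not HijackThis code), here is a small Python triage script that flags those patterns in a HijackThis-style log; the sample lines are constructed in the style of the logs posted here, and the protected-domain list is an assumption drawn from the O1 entries above.

```python
"""Triage heuristics for a HijackThis-style log (added example, not HijackThis code)."""
import ipaddress
import re
from collections import defaultdict

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Assumed list: AV vendors and Windows Update hosts seen redirected in the thread's O1 lines.
PROTECTED_DOMAINS = ("ca.com", "my-etrust.com", "nai.com", "trendmicro.com",
                     "pandasoftware.com", "bitdefender.com", "ravantivirus.com",
                     "windowsupdate.com", "windowsupdate.microsoft.com")

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run\w*): \[(.*?)\] (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")

# Constructed sample, patterned on the logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 127.32.246.16 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.2.45.139 http://www.nai.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10.0.0.5 intranet.example
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [DriveService16] sysserv16.exe -services
O4 - HKCU\..\Run: [DriveService16] sysserv16.exe -drivers
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
"""


def _hostname(raw):
    """The forum software turned 'www.x' into 'http://www.x'; undo that before matching."""
    raw = raw.lower()
    if raw.startswith("http://"):
        raw = raw[len("http://"):]
    return raw.rstrip("/")


def _is_protected(host):
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def _exe_name(command):
    """Executable basename from a command line, ignoring arguments and quotes."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        path = command[1:command.find('"', 1)]
    else:
        path = command.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (kind, detail) findings for the three heuristics described above."""
    findings = []
    autostarts = defaultdict(set)  # exe name -> registry keys it is started from
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.group(1), _hostname(m.group(2))
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # malformed address: not a hosts redirect we can judge
            if addr in LOOPBACK and _is_protected(host):
                findings.append(("hosts-blackhole", f"{host} -> {ip}"))
            continue
        m = O4_RE.match(line)
        if m:
            autostarts[_exe_name(m.group(3))].add(m.group(1))
            continue
        m = F2_RE.match(line)
        if m:
            # Anything besides userinit.exe in the comma-separated UserInit value is suspect.
            for entry in m.group(1).split(","):
                entry = entry.strip()
                if entry and _exe_name(entry) != "userinit.exe":
                    findings.append(("userinit-chain", entry))
    # The thread's rule: one program registered under several startup keys is not legitimate.
    for exe, keys in sorted(autostarts.items()):
        if len(keys) > 1:
            findings.append(("multi-location-autostart", f"{exe} via {', '.join(sorted(keys))}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:26} {detail}")
```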
- helo53
- Born


- Joined: Sep 14, 2004
- Posts: 2
- Status: Offline
- amadeus
- Born


- Joined: Oct 06, 2004
- Posts: 2
- Status: Offline
hi, I'm new here and am experiencing similar problems, like the task manager isn't working, as well as regedit and my antivirus software (norton). the window appears for a split-second then disappears suddenly.
also, when i start up my computer, the internet connection speed is fine. but after a few minutes or so, it quickly begins to slow down until my pc cannot detect a connection anymore. when i reboot, the internet speed is fine again but the same problem occurs after a few minutes. something is eating up the bandwidth.
i think i know what the problem is though i cannot fix it. the file "hjdjhaid.exe" is running in the background (as seen in my task list), and fails to end when i shut down my computer causing a popup window to appear every time. i manually tried to delete the file in the windows/prefetch folder where it is located, but whenever i do, it disappears and reappears again in the same folder.
anyway, here is the log file from hijackthis...hope someone can help me because I'm lost. thanks!
Logfile of HijackThis v1.98.2
Scan saved at 12:18:37 AM, on 10/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Toby Corona\Desktop\HijackThis.exe
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Msi Setup] mssetup.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\tixbmquj.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
O4 - HKLM\..\Run: [MS FIREWALL] msfirewall.exe
O4 - HKLM\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [MS FIREWALL] msfirewall.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wuagmsd.exe
O4 - HKCU\..\Run: [Msi Setup] mssetup.exe
O4 - HKCU\..\Run: [Windows Monitor] winmon.exe
O4 - HKCU\..\Run: [MS FIREWALL] msfirewall.exe
O4 - HKCU\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKCU\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKCU\..\RunServices: [MS FIREWALL] msfirewall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Hcoklfqh.dll
- bradcj
- Born


- Joined: Oct 08, 2004
- Posts: 2
- Status: Offline
Despite trying to solve this same problem without posting, I have run out of things to do and am asking for help.
After removing a number of files per other suggestions (e.g., all the /Temp files in the users' Local Settings folders) and performing a number of actions and running removal tools, key programs like msconfig immediately close on running despite all of the following actions being done.
I have AVG 7.0 with no virus reported
I have SpyBot 1.3 with only 5 DSO errors showing
I have Norton AntiVirus 2003 with the latest definitions with no virus showing
I have Ad-aware 6.0 with reference file 01R343 04.10.2004 and no problems showing
I also ran a Recovery boot from the installation disk
I ran SFC
I ran the AVG vcleaner utility
I cleaned out my recycle bin
I ran PepiMK's CoolWWWSearch.SmartKiller removal tool
Below is my HijackThis output
Logfile of HijackThis v1.97.7
Scan saved at 12:56:05 PM, on 10/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\QTIMER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\Brad\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weekapauggolfclub.com/Club/S ... e/home.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: P3P Client - {00000178-CD4A-447a-BCF9-6FD0096B5527} - C:\PROGRA~1\PRIVAC~1\P3PCLI~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Quicktime Runtime] QTIMER.EXE
O4 - HKCU\..\RunOnce: [Quicktime Runtime] QTIMER.EXE
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdat ... t/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C ... 7879.53875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
Please can somebody help me?
Brad
- ATNO/TW
- Super Moderator


- Joined: May 28, 2003
- Posts: 23404
- Loc: Woodbridge VA
- Status: Offline
Brad -- if nobody else gets to it first, I'll try to take a look at it later this evening when I get home.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
- bradcj
- Born


- Joined: Oct 08, 2004
- Posts: 2
- Status: Offline
I believe I have traced down the actual problem. The key, pardon the pun, was the Qtimer entries which I was fooled into thinking was related to QuickTime.
If I have this correctly, this is a variant of an AOL AIM trojan backdoor which goes by several names: msnguyen.exe aolmsngr.exe msginab.exe and now also (apparently) including qtimer.exe (spelled QtimeR.exe for detail's sake).
I somehow stumbled across several descriptions including:
http://computercops.biz/postp307801.html
http://www.tech-recipes.com/instant_mes ... ps575.html
To resolve this required using a Process Explorer described in this article:
http://www.geocities.com/cumquat18/elimiexplorer.html
I followed the instructions substituting QtimeR.exe for ElimiExplore.exe everywhere where appropriate (e.g., deleting processes, files, and Registry entries).
I now have control back of my system and full use of system commands from the Run interface for regedit, msconfig, etc.
I plan on rerunning all of my various adware, virus, trojan detectors and to rerun sfc to ensure I haven't messed up things or left the little bugger around someplace else.
Thank you for letting me post here and get help.
Brad
- ATNO/TW
- Super Moderator


- Joined: May 28, 2003
- Posts: 23404
- Loc: Woodbridge VA
- Status: Offline
Hey, thanks for the update and the great info. Timing was perfect. I just got home a bit ago and was just sitting down to look at this.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
- Hidden Danger
- Newbie


- Joined: Oct 09, 2004
- Posts: 12
- Loc: The Moon
- Status: Offline
I have a similar problem:
opening regedit - closes again straightaway
opening regedt32 - closes again straightaway
ctrl alt del / tsk mgr - closes again straightaway
all of the above also happen in safe mode.
I've disabled system restore and I've run spybot 1.3 and fixed all problems. I've also run a full virus check of the system with Kaspersky AV (updated to today).
I've installed hijack and the file is as below:
Logfile of HijackThis v1.98.2
Scan saved at 22:59:40, on 09/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
Many thanks in anticipation
- ATNO/TW
- Super Moderator


- Joined: May 28, 2003
- Posts: 23404
- Loc: Woodbridge VA
- Status: Offline
That's a pretty clean and simple looking log. The only thing that jumps out at me is Explorer.EXE in your running processes. Yes, I know explorer.exe should be there, but in my XP (SP2) it is explorer.exe (all lower case) - not Explorer.EXE
I'm wondering if you had a nasty replace your explorer shell. Take a look in C:\WINDOWS\ and see if you have different variations of explorer.exe
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
- Hidden Danger
- Newbie


- Joined: Oct 09, 2004
- Posts: 12
- Loc: The Moon
- Status: Offline
now then, if I kill the explorer.EXE process using Hijack I can then open Task Mgr ok. However, if I then run regedt32 (which just closes straightaway again) and then ctrl / alt / del tsk mgr closes straightaway again.
Maybe I could copy the explorer.exe from my other pc to this one?
- Anonymous
- Bot


- Joined: 25 Feb 2008
- Posts: ?
- Loc: Ozzuland
- Status: Online
October 9th, 2004, 3:41 pm
Post Information
- Total Posts in this topic: 62 posts