Win XP Task Manager opens but instantly closes again

ATNO/TW (Super Moderator):

Hidden Danger wrote:
P.S. yep, on my own PC with SP2 (the one with a problem is a friend's) it also lists explorer.exe and not .EXE.

By the way I don't know if this is relevant but the install of SP2 on my friend's machine took 24hrs + !!!


*lol -- that's not surprising if he's on dial-up.

I think your idea might do the trick, although I can't recommend it as I have never tried it.

ATNO/TW (Super Moderator):

That's probably not it. I just ran HijackThis in XP and it adds the caps like yours did.

That log is incredibly small. Did you do that in safe mode? If so, try running it in regular Windows and repost if different.

Hidden Danger (Newbie):

He did the update from an XP SP2 CD-ROM, not via a dial-up connection - it probably would have been quicker via dial-up! (It only took 20 mins on my PC.)

Anyway, I tried copying explorer.exe from my PC but this didn't work as the PC would not even boot into Windows because of a missing .dll file. Good job I made a backup of the explorer.EXE! I've now restored the original explorer.EXE and it is booting into Windows as before with the same problems.

I've also noticed that if you click on search in windows explorer that the following message appears:

"Cannot load library for language 'JScript' Path: 'C:\Program files\Common Files\Symantec shared\script blocking\scrauth.dll' Please contact Kaspersky Lab for the solution"

However, the solution at:

http://www.kaspersky.com/faq?qid=148845452

involves editing the registry, which I can't even get into!

Hidden Danger (Newbie):

The HijackThis scan was run in normal Windows, not Safe Mode. I did clean up a bit with HijackThis earlier though (should have mentioned that earlier, sorry) - I've now restored the HijackThis backup from before I started cleaning up, and here is the original log:

Logfile of HijackThis v1.98.2
Scan saved at 00:13:31, on 10/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Temp\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol022.cab

ATNO/TW (Super Moderator):

I see why you nixed what you did, however, at the moment I'm out of ideas. I can't see anything in your current log that's a problem.

Hidden Danger (Newbie):

OK, thanks for your time anyway. I think I might try and uninstall SP2 and see if that makes any difference.

Cheers

ATNO/TW (Super Moderator):

Wait a minute. I'm confused. If you have SP2 installed, then why does your log show SP1?

Now I'm even more confused. You say this was the original log:
Quote:
I've restored the backup though now with hijack to before I started cleaning up and here is the original log:

but the date on the first one you posted was 9/10/2004

So which is current?

Hidden Danger (Newbie):

Good point, looks like the SP2 installation that took over 24hrs really did cause some major problems.

However, I've just finished removing SP2 via Add/Remove Programs and the problem remains:

Here's a revised log after the uninstall:

Logfile of HijackThis v1.98.2
Scan saved at 00:53:49, on 10/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol022.cab

Off to bed now as it's 1am in England! C U in the morning...

Hidden Danger (Newbie):

P.S. I've noticed that Windows Task Manager (which I can open after killing explorer.exe in HijackThis) shows a process called:

csrss.exe

which HijackThis does not???

ATNO/TW (Super Moderator):

That's an OK file
http://www.liutilities.com/products/win ... ary/csrss/

trojanmon (Born):

I'm also having a similar problem, except most antivirus programs also close and HijackThis seems to get killed as well. I get a popup for just a few ms and then it goes away each time I run it.

Also, I periodically get some popups that say you must click yes to continue.

This is a family member's computer and I've removed a bunch of viruses and removed a bunch of adware too. HouseCall scanner won't work because it crashes IE. I'm sure these are all related. Do you think it might be a rootkit? Any ideas how to proceed?

TIA.

Hidden Danger (Newbie):

A little progress: I have found that by running regedt32.exe or regedit.exe from c:\i386 I am able to edit the registry. Could this mean that the versions of regedit and regedt32 that are being run by typing a command in at "Run" are bogus versions stored elsewhere?

I'm currently perusing the registry now for dodgy entries.

Hidden Danger (Newbie):

More info if it will help: although if I run regedt32.exe and regedit.exe directly from c:\i386 they run fine, if I copy the exact same files (regedt32.exe and regedit.exe) from c:\i386 to the c:\windows folder and run them from c:\windows they just close down straight away??? It's almost as if something is detecting if regedit is being run from c:\windows but not if it is run from c:\i386???? Very perplexing.

Hidden Danger (Newbie):

I've reinstalled XP SP2 and turned on the firewall; upon rebooting the firewall came up with a message about blocking explorer accessing the internet, and the problem remains. Also, every time I enable the firewall it disables itself a few seconds later!!

:cry: :cry: :cry:
Any suggestions anyone?
:cry:

amadeus (Born):

I don't know much, but after trying lots of stuff, I solved my problem by running the HouseCall service on the Trend Micro website. It detected this kind of virus and fixed it for me. You might want to try that.

triple5 (Newbie):

Hi, I'm having the same problem as many of these people and I've read quite a few posts as to how to fix this problem.
My computer has all the same symptoms as the others, i.e. besides Task Manager, regedit and msconfig auto-close.

I've disabled System Restore and run virus scans (no virus found), Ad-Aware and Spybot, and removed everything that was previously there. But about 10 minutes after I restart my system my computer will start to get this lag and jerkiness in the mouse; unless I do a System Restore it'll be fine again until about a day later, when I get this Task Manager problem.

Here is a copy of my logfile from HijackThis. A lot of things look weird but I'm not sure what it is. I'd be grateful for any help. Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 3:24:33 AM, on 11/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\windvsrv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\Bandwidth Monitor\Bandwidth Monitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\a b b i e . c\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {657405F1-D350-4194-8182-FA8E8492C467} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update Protocols] updr32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\RunOnce: [Windvsrv] windvsrv.exe
O4 - Startup: Bandwidth Monitor.lnk = C:\Program Files\Bandwidth Monitor\Bandwidth Monitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b28578.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b28578.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {33E7E377-FA07-4228-93A6-8A340B768140} (Nexon Package Manager Control (Jp)) - http://www.nexon.co.jp/JP/f/ActiveX/Public/nxpmjp.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/A ... ngctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b28578.cab
O16 - DPF: {CDA94496-ED6F-4C72-94C8-2C485DC63390} (VCDS Control) - http://vcds-client.nefficient.co.kr/vcd ... t/vCDS.CAB
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {DD85FDB7-9363-4873-B50C-CC46F3E4B704} (IGOLauncher6 Control) - http://vitalsign.igamesasia.com.sg/acti ... ncher6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b28578.cab
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\system32\msc.cpl (file missing)

JrzyCrim (Mastermind):

Hello triple5, just hang tight while I go over your log.

JrzyCrim (Mastermind):

Copy or print the following instructions so you will have them handy.

Run Hijack This, scan and check the following items. (don't fix yet):

O2 - BHO: C:\WINDOWS\lbbho.dll - {657405F1-D350-4194-8182-FA8E8492C467} - C:\WINDOWS\lbbho.dll

O4 - HKLM\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update Protocols] updr32.exe
O4 - HKCU\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKCU\..\RunOnce: [Windvsrv] windvsrv.exe
O4 - Startup: Bandwidth Monitor.lnk = C:\Program Files\Bandwidth Monitor\Bandwidth Monitor.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {33E7E377-FA07-4228-93A6-8A340B768140} (Nexon Package Manager Control (Jp)) - http://www.nexon.co.jp/JP/f/ActiveX/Public/nxpmjp.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/A ... ngctrl.cab
O16 - DPF: {CDA94496-ED6F-4C72-94C8-2C485DC63390} (VCDS Control) - http://vcds-client.nefficient.co.kr/vcd ... t/vCDS.CAB
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\system32\msc.cpl (file missing)

The following entries are not harmful but are not needed. Fixing these entries will prevent them from launching at startup but will not remove the programs that they are associated with:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Close all browsers and windows except for Hijack This and click 'Fix Checked'.


Reboot into Safe Mode
http://www.jayloden.com/SafeMode.htm


Display hidden files and folders
Go to Start > Run
Enter: control folders
Go to the View tab.
Check "Show hidden files and folders"
Uncheck "Hide protected Operating System files"
Click OK


Delete the following files:
C:\WINDOWS\system32\windvsrv.exe


Search for and delete the following files:
updr32.exe <-- most likely in c:\windows\ or c:\windows\system32\

Clear Temporary Folders\Files and Internet Files
Go to start > run
Enter: cleanmgr

Make sure only the following are checked:
Temporary Internet files
Recycle Bin
Temporary Files

Click OK

Login for each user and repeat the steps for Clearing Temporary Folders\Files and Internet Files.

Flush System Restore
Right Click on "My Computer"
Select Properties
Go to the System Restore Tab
Check 'Turn off System Restore on all drives'.
Click Apply
Uncheck 'Turn off System Restore on all drives'
Click OK

Reboot Normally
Run Hijack This, scan, save and post the new log.

After it has been determined that your system is clean, it is advised that you visit Windows Update:

Microsoft issues security updates on a regular basis. These updates patch vulnerabilities that hackers can exploit. Please visit Windows Update and install all Critical updates for Windows and Internet Explorer.
http://windowsupdate.microsoft.com/
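The entries picked out above follow a few recognisable rules: a bare filename with no path (found by PATH search at logon), a Microsoft-sounding name with no Microsoft path behind it, the same program registered under several Run keys at once, a BHO that registered no class name, and an SSODL object whose file is missing. The script below is an added example for this thread, not HijackThis's own code and not anything the posters ran; it applies those rules to O2/O4/O21 lines copied from triple5's log, and the Finding class, severity scale and reason strings are my own assumptions.

```python
"""Triage of HijackThis O2/O4/O21 lines.

Added example for this thread, not HijackThis's own code and not anything
the posters ran. The sample lines are copied from the logs posted above;
the Finding class, the severity rules and the reason strings are my own.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: O2/O4/O21 lines from triple5's first log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {657405F1-D350-4194-8182-FA8E8492C467} - C:\WINDOWS\lbbho.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update Protocols] updr32.exe
O4 - HKCU\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKCU\..\RunOnce: [Windvsrv] windvsrv.exe
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\system32\msc.cpl (file missing)
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium" or "low"
    reason: str


def executable(cmd: str) -> str:
    """Return the program a Run value actually launches."""
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.index('"', 1)
        prog, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        # Unquoted values may contain spaces, so cut at the first ".exe" token.
        m = re.match(r"(.*?\.exe)(?:\s+|$)(.*)", cmd, re.IGNORECASE | re.DOTALL)
        prog, rest = (m.group(1), m.group(2)) if m else (cmd.split()[0], "")
    # rundll32 is only a loader: the DLL named in its argument is the real payload.
    if prog.lower().endswith("rundll32.exe") and rest:
        return rest.split(",")[0].strip()
    return prog


def triage(log_text: str) -> list[Finding]:
    """Apply the checks a log reader uses to pick out bad O2/O4/O21 entries."""
    findings: list[Finding] = []
    locations: dict[str, list[str]] = defaultdict(list)  # program -> O4 lines
    for line in log_text.strip().splitlines():
        if m := O4_RE.match(line):
            _hive, key, name, cmd = m.groups()
            prog = executable(cmd)
            locations[prog.lower()].append(line)
            reasons = []
            if "\\" not in prog:
                reasons.append("unqualified filename, found by PATH search at logon")
            if key.lower().startswith("runservices"):
                reasons.append("RunServices is a Win9x/ME key that XP never reads; "
                               "malware writes it to cover every Windows version")
            if re.search(r"\bmicrosoft\b|\bwindows\b", name, re.I) and "\\" not in prog:
                reasons.append("Microsoft-sounding name with no Microsoft path behind it")
            if reasons:
                severity = "high" if len(reasons) > 1 else "low"
                findings.append(Finding(line, severity, "; ".join(reasons)))
        elif m := O2_RE.match(line):
            name, _clsid, _path = m.groups()
            # HijackThis prints the DLL path as the name when the BHO registered none.
            if "\\" in name:
                findings.append(Finding(line, "medium", "BHO with no registered class name"))
        elif m := O21_RE.match(line):
            _name, clsid, path = m.groups()
            # Explorer loads every SSODL object at logon; a dangling one was
            # either removed by a scanner or is hiding its file elsewhere.
            if path.endswith(("(file missing)", "(no file)")):
                findings.append(Finding(line, "medium", f"SSODL {clsid} points at a missing file"))
    # One program registered under several autorun keys at once is redundant
    # persistence: vendors almost never do it, worms routinely do.
    for prog, lines in locations.items():
        if len(lines) > 1:
            findings.append(Finding(lines[0], "high",
                                    f"{prog} registered in {len(lines)} autorun locations"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}\n    {f.reason}")
```

A bare filename on its own is only a "low" (nwiz.exe and CTHELPER.EXE in the same log are legitimate), so the script escalates only when a second signal lines up, which is exactly what separates updr32.exe from the driver helpers in the log above.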

triple5 (Newbie):

I followed all your instructions and it seems to be working fine now. Thanks a lot for the help. I really appreciate it.
Here is my log. Couldn't find updr32.exe in any folder to delete after fixing it in HijackThis though, so I guess that is good.
Hmm, just a question. Should I fix those files in HijackThis that say O21 - (no file) at the end? I seem to get new ones every time I refresh.

Logfile of HijackThis v1.98.2
Scan saved at 5:00:01 AM, on 11/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Documents and Settings\a b b i e . c\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b28578.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b28578.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {DD85FDB7-9363-4873-B50C-CC46F3E4B704} (IGOLauncher6 Control) - http://vitalsign.igamesasia.com.sg/acti ... ncher6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b28578.cab
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

JrzyCrim (Mastermind):

Your log looks pretty good. Just a couple more things to fix:

Run Hijack This, scan and check the following items. (don't fix yet):
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

Close all browsers and windows except for Hijack This and click 'Fix Checked'.

Make sure these files are not on your system:
C:\WINDOWS\system32\windvsrv.exe

updr32.exe <-- Use the search feature just to make sure. If you've used housecall, that may have removed it. I don't see it in your running processes. Should be ok.

Reboot, run HijackThis and scan once more. Check and see if any of the bad entries are present. If not, you should be good to go. :)

For the Future Prevention of Spyware/Malware and other Security Issues
-----------------------------------------------------------------------
Microsoft issues security updates on a regular basis. These updates patch vulnerabilities that hackers can exploit. Please visit Windows Update and install all Critical updates for Windows and Internet Explorer.
http://windowsupdate.microsoft.com/

Keep your Anti-Virus program up-to-date. This is very important. New viruses are released at an alarming rate. By keeping your AV program updated, you greatly reduce the risk of being infected.

Spyware cleaning programs such as Spybot Search and Destroy and Adaware are a must have for any internet user. Seemingly benign websites can cause great harm to the unwary user.
  • AdAware
  • Spybot Search and Destroy
I recommend installing both of these and updating them on a regular basis. A good article to read:
So how did I get infected in the first place?

The above article mentions a favorite program of mine: Spywareblaster; This is an excellent program which:
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially dangerous sites in Internet Explorer.

A firewall is also an important tool for system security. I recommend reading this article:
Understanding and Using Firewalls

Again, it is essential to keep all of these programs up-to-date. The longer you go without updating them, the less effective they become.

JrzyCrim (Mastermind):

triple5 wrote:
Hmm, just a question. Should I fix those files in HijackThis that say O21 - (no file) at the end? I seem to get new ones every time I refresh.


Let me check on that. In your first log, this was listed:
C:\WINDOWS\system32\msc.cpl (file missing)

I'm not sure what msc.cpl is but it was missing to begin with. Let me get back to you on that.

Just another reminder, you should really visit Windows Update.

JrzyCrim (Mastermind):

Here's what I've discovered about msc.cpl:
Quote:
I'M NOT SURE WHAT TO CALL IT, BUT IT IS NOT LEGAL (msc.cpl) (changed to RED 14. september after research from Fromsej)

O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\System32\msc.cpl

The CLSID stays the same but the name changes throughout the fix:

changed to this after fixing 1st time:

O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

changed to this after fixing 2nd time:

O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)


From http://www.fbeej.dk/NewHJTEntries.htm
about a third of the way down the page. Nothing really definitive.

It seems to change after fixing with HijackThis.

Trend Micro's Housecall may have removed that file. Were you having any problems with your control panel in the past?

Try rebooting and posting a new HJT log.

JrzyCrim (Mastermind):

There is definitely something funny going on with that.

If you have the time and are willing, open regedit and search for this string:

E61B5E20-DE35-11CF-9C87-1579005127ED

Go to start > run, enter: regedit

Go to Edit > Find and enter that long string above. When the search finds that string, right-click on the open key folder in the left pane, select 'Export' and save the file.

Hit F3 to continue the search, and export and save any other positive search results using a different filename for each. Open those saved files with Notepad and post the contents here.
  • triple5
  • Newbie
  • Newbie
  • triple5
  • Posts: 9

Post 3+ Months Ago

Here is my logfile after cleaning all the bad files out besides the last one that says (no file). Problem with updating windows though. The downloads just keep failing. :roll: So many problems.

Logfile of HijackThis v1.98.2
Scan saved at 7:08:19 AM, on 11/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\a b b i e . c\Desktop\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 9591691795
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b28578.cab
O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)



and here is the content of the registry key.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
@="{E61B5E20-DE35-11CF-9C87-1579005127ED}"
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Okay. Sorry for the delay on finding info on this. I finally found some useful info but you already gave me the info I need. Thanks for doing that.

Copy and paste the following into notepad and save as "fix.reg", include the quotes around the filename when saving in notepad:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
@=-


After saving, double click fix.reg to merge this file into the registry. Actually, it will remove the offending value.

Reboot, run hijack this, scan and post a fresh log.

*whew* :)

I found a similar problem here in case you're interested:
http://spywarewarrior.com/viewtopic.php ... 05c3#37649

The same entry kept reappearing over and over until the registry was fixed.
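What the fix.reg above actually does to the key that triple5 exported is easiest to see by replaying both files through a tiny merge simulator. The block below is an added example, not code from this thread or from Microsoft: the .reg parser is my own and handles only the subset of the "Windows Registry Editor Version 5.00" format that appears here (quoted string values, `@` for the (Default) value, and `=-` for deletion). The exported key and the fix are copied from the posts above; ShellServiceObjectDelayLoad is the list of shell service objects Explorer loads at startup, which is why an entry there keeps coming back after every HijackThis "fix" until the registry value itself is removed.

```python
"""Replay the exported SSODL key and the fix.reg from the thread through a
minimal .reg merge simulator.  Added example, not from the thread; the parser
below is my own and covers only the small subset of the .reg format used here."""

import re

# Constructed copy of the key export triple5 posted in the thread.
EXPORTED_KEY = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
@="{E61B5E20-DE35-11CF-9C87-1579005127ED}"
'''

# The fix.reg JrzyCrim posted: "@=-" deletes the (Default) value of the key.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
@=-
'''

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# One value line: either @ (the default value) or a quoted name, then '=' and data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Return {key_path: [(value_name, data), ...]}; data None means 'delete'."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError("unsupported .reg line: %r" % raw)
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = None if m.group(2) == "-" else m.group(2).strip('"')
        keys[current].append((name, data))
    return keys


def merge(state, reg_text):
    """Apply a .reg file to state = {key: {name: data}} the way regedit's merge does."""
    for key, values in parse_reg(reg_text).items():
        target = state.setdefault(key, {})
        for name, data in values:
            if data is None:
                target.pop(name, None)  # "name"=- removes the value if present
            else:
                target[name] = data
    return state


def ssodl_before():
    """Values of the SSODL key as exported from the infected machine."""
    return dict(merge({}, EXPORTED_KEY)[SSODL_KEY])


def ssodl_after():
    """Values of the SSODL key after merging fix.reg on top of the export."""
    state = merge({}, EXPORTED_KEY)
    return dict(merge(state, FIX_REG)[SSODL_KEY])


if __name__ == "__main__":
    before, after = ssodl_before(), ssodl_after()
    for name, data in before.items():
        print("%-18s %s -> %s" % (name, data, "kept" if name in after else "REMOVED"))
```

Running it shows PostBootReminder and CDBurn surviving untouched and only the (Default) value, the one holding {E61B5E20-DE35-11CF-9C87-1579005127ED}, being removed. Keeping the fix to a single `@=-` line is what makes it safe to apply blind: nothing else under the key is written or overwritten.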
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

triple5 wrote:
Here is my logfile after cleaning all the bad files out besides the last one that says (no file). Problem with updating windows though. The downloads just keep failing. :roll: So many problems.


hmm, after you do that last fix, try Windows Update one more time. If it fails, right click on 'My computer', select properties, go to the 'Automatic Updates' tab and turn off Automatic updates.

Next, with all browsers closed, open "C:\Windows\Downloaded Program Files", right-click on 'WUWebControl Class' and select 'Remove'.

Then go to "C:\Program Files\Windows Update" and delete the 'V4' folder.

Next, go to http://v4.windowsupdate.microsoft.com/en/default.asp
It should reinstall the update software.

If you still have problems, refer to this page:
http://v4.windowsupdate.microsoft.com/troubleshoot/
  • triple5
  • Newbie
  • Newbie
  • triple5
  • Posts: 9

Post 3+ Months Ago

Thanks a lot. You were very helpful.
I believe it's fixed besides the winxp updates which I'll figure out. Thanks again :)

Logfile of HijackThis v1.98.2
Scan saved at 7:50:30 AM, on 11/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\a b b i e . c\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b28578.cab
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Great! Glad to be of help. That {E61B5E20-DE35-11CF-9C87-1579005127ED} problem had me worried for a while. I didn't know what to make of it. Fortunately, we got it taken care of. Looking back, it probably wouldn't have hurt if you left that since msc.cpl was gone but I didn't want to take a chance.

Don't hesitate to come back if you can't get Windows Update to work.

Good Luck. :)
  • stuiek
  • Born
  • Born
  • stuiek
  • Posts: 1
  • Loc: London

Post 3+ Months Ago

Hi Guys,

This is my first post here. My sister is having the same problems as those in this topic and for some strange reason she thinks I can fix it !!
The symptoms are that Task Manager, msconfig, regedit and Norton Antivirus all close immediately after opening; also, when she goes on the web, as soon as she clicks away from her homepage she gets a "page cannot be found" error. Here is the Hijackthis log, hope someone can help....

Logfile of HijackThis v1.98.2
Scan saved at 19:12:30, on 18/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator.BORO\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVComS.exe
O4 - HKLM\..\Run: [A0481379] C:\WINDOWS\System32\jryzapur.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vtygbvs.exe
O4 - HKLM\..\Run: [Windows Update] host32.exe
O4 - HKLM\..\Run: [Spool Server Daemon] SPOOLSVD32.EXE
O4 - HKLM\..\Run: [Microsoft Protection Subsystems] msm32.exe
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [Microsoft Secure Server Config] rpcxConfig.exe
O4 - HKLM\..\Run: [Microsoft Config] msconf.exe
O4 - HKLM\..\Run: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winxpini.exe
O4 - HKLM\..\Run: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\Run: [Win Updator Services] ctfnom.exe
O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [Spool Server Daemon] SPOOLSVD32.EXE
O4 - HKLM\..\RunServices: [Microsoft Protection Subsystems] msm32.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\RunServices: [Microsoft Secure Server Config] rpcxConfig.exe
O4 - HKLM\..\RunServices: [Microsoft Config] msconf.exe
O4 - HKLM\..\RunServices: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winxpini.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [Win Updator Services] ctfnom.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunOnce: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\RunOnce: [Win Updator Services] ctfnom.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol012.cab

Thanks in advance.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Hello stuiek. Your sister's computer is full of viruses and trojans. If you have an antivirus program, you should update it and do a full scan. Also, if you are able, use Trend Micro's online scanner:

http://housecall.trendmicro.com/houseca ... t_corp.asp
Select your location and click go. Check 'Auto Clean' before scanning.
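The pattern that makes stuiek's log so easy to call is visible in the O4 lines alone: a run of value names borrowed from Windows ("Microsoft Update", "Windows Update", "Microsoft Security Management"), images given as bare filenames with no path, and the same image registered under Run, RunServices and RunOnce at once. The block below is an added example, not code from this thread or from HijackThis: it parses the O4 autostart lines and O21 SSODL lines of a HijackThis log and scores each autostart image on those three signals. The scoring rules, the word list and the threshold are my own, and the sample log is constructed from a handful of lines taken from stuiek's and triple5's logs above.

```python
"""Triage the O4 (autostart) and O21 (SSODL) lines of a HijackThis log.
Added example, not from the thread or from HijackThis; the heuristics are my own.
SAMPLE_LOG is constructed from lines in the two logs posted in the thread."""

import re
from collections import defaultdict

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [A0481379] C:\WINDOWS\System32\jryzapur.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [Windows Update] host32.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunOnce: [Win Updator Services] ctfnom.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
"""

# Registry-based O4 lines: "O4 - HKLM\..\Run: [name] command".
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<subkey>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O21 lines: "O21 - SSODL: name - {CLSID} - path".
O21_RE = re.compile(r'^O21 - SSODL: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')

# Word stems that malware borrows for its Run value names; a hit is only one signal.
SYSTEM_WORDS = ("microsoft", "windows", "win32", "updat", "secur", "protect", "service")


def image_of(cmd):
    """Return the executable part of an autostart command (handles quoted paths)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text, threshold=2):
    """Return (findings_by_image, ssodl_no_file) for the O4/O21 lines in log_text."""
    entries = defaultdict(lambda: {"image": "", "names": set(), "locations": set(), "bare": False})
    ssodl = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            image = image_of(m.group("cmd"))
            e = entries[image.lower()]
            e["image"] = e["image"] or image
            e["names"].add(m.group("name"))
            e["locations"].add(m.group("hive") + "\\" + m.group("subkey"))
            e["bare"] = e["bare"] or "\\" not in image   # no path: found via search path at logon
            continue
        m = O21_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            ssodl.append((m.group("name"), m.group("clsid")))

    findings = {}
    for e in entries.values():
        score, reasons = 0, []
        if e["bare"]:
            score += 1
            reasons.append("image given without a path")
        if any(w in n.lower() for n in e["names"] for w in SYSTEM_WORDS):
            score += 2
            reasons.append("value name imitates a Windows component")
        if len(e["locations"]) > 1:
            score += 2
            reasons.append("same image in %d autostart locations" % len(e["locations"]))
        if score >= threshold:
            findings[e["image"]] = {"score": score, "reasons": reasons,
                                    "names": sorted(e["names"]), "locations": sorted(e["locations"])}
    return findings, ssodl


if __name__ == "__main__":
    findings, ssodl = triage(SAMPLE_LOG)
    for image, f in sorted(findings.items(), key=lambda kv: -kv[1]["score"]):
        print("%d  %-40s %s" % (f["score"], image, "; ".join(f["reasons"])))
    for name, clsid in ssodl:
        print("O21 with no file: %s %s" % (name, clsid))
```

On the sample, wserv32.exe and host32.exe score highest (bare name, Windows-style label, registered under both Run and RunServices), syshost.exe and ctfnom.exe are reported on the name alone, and the O21 entry with "(no file)" is listed separately so it can be traced back to its CLSID in the registry as JrzyCrim did above. Windows XP does not actually process the RunServices key, which is a Windows 9x mechanism; malware writes it anyway, and the same image appearing in every location it knows is a useful signal in its own right. The caveat is jryzapur.exe: a random-looking file under System32 with a neutral value name scores zero here, and only checking the file itself (publisher, hash, a scan such as the one recommended above) settles it. Name-based rules sort the obvious cases; they do not clear a machine.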
Post Information

  • Total Posts in this topic: 62 posts
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.