Win XP Task Manager opens but instantly closes again

  • cerio
  • Proficient
  • Posts: 263
  • Loc: UK

Post 3+ Months Ago

Hi,
I'm having a problem with Task Manager in Windows XP. It was fine until a few days ago and now, when I open it (Ctrl Alt Delete), it opens for a split second then immediately closes.

Can anyone suggest why this is happening and how I can fix it?


Thanks

C
  • HelloWorld
  • Newbie
  • Posts: 5

Post 3+ Months Ago

Don't know, but my comp is also playing up, and it's not just the task manager that is not working: when I had gone into DOS to see what programs are running (in case I saw any viruses), this also closes on the open command after a couple of seconds.
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Most likely Spyware or a Virus.

You should do a complete virus scan. If you currently have your own anti-virus program, you should update the definitions and scan.

If you don't have any virus protection, go here:
http://housecall.trendmicro.com/

Next, you should scan for spyware. A good program is Adaware.
http://www.lavasoftusa.com/software/adaware/

Follow the instructions after installing:
Launch adaware and update the definitions:

1) Go to settings (gear at the top), Tweak, Scanning Engine: Make sure 'Unload recognized process during scanning' is checked.
2) Under Cleaning Engine, make sure 'Let Windows remove files in use after next reboot' is checked. Click Proceed. Click Start
3) Use Custom Scanning Options. Make sure 'Activate in-depth scan' is checked.
4) Click Customize, Click Select Drives + Folders, Check the drive on which your OS is installed. Click Proceed, Click Next.
5) After Scanning has completed, Right-click in the found objects area, select all, click Next, click OK and let it remove all items.
6) Reboot.

Next, download hijack this, run it, click scan, save log, and post the log here.
https://ssl.perfora.net/tools.radiospla ... ckThis.exe
  • HelloWorld
  • Newbie
  • Posts: 5

Post 3+ Months Ago

It see this forum

Windows XP Task Manager starts and instantly teminates
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

:scratchhead:
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

cerio -- some people spent a lot of time giving help and answers in this thread:

http://www.ozzu.com/mswindows-forum/windows-task-manager-starts-and-instantly-teminates-t30390.html

Please read it first and see if any of that helps you.
  • HelloWorld
  • Newbie
  • Posts: 5

Post 3+ Months Ago

Sorry about that, lads (and ladies), that was the forum I was supposed to print the link for. However, after being in there I have all the virus software (avg, spybot, ad-ware 6, spyhunter2 etc.) and I can't find the problem. The task manager is still disappearing, as is DOS, and hijackthis does not seem to want to kick in either. It seems to start but then closes. I am just about to restart in safe mode; I will post any results.
  • HelloWorld
  • Newbie
  • Posts: 5

Post 3+ Months Ago

Right,

once in safe mode I ran hijackthis and the log is as follows

Logfile of HijackThis v1.98.2
Scan saved at 14:52:17, on 12/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Virus software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meshcomputers.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [D4F181E3] C:\WINDOWS\System32\tvvothbzu.exe
O4 - HKLM\..\Run: [Microsoft Update] wssvrs.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\wpras.exe

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [restrictanonymous] 
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\7.tmp.exe

O4 - HKLM\..\Run: [Outlook Express Config] bbkzh.exe
O4 - HKLM\..\Run: [Outlook Express] znoov.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\urslwne.exe
O4 - HKLM\..\Run: [blah service] smnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Microsoft Update] wssvrs.exe
O4 - HKLM\..\RunServices: [4212CFD1] C:\WINDOWS\System32\tvvothbzu.exe

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [EnableDCOM] N
O4 - HKLM\..\RunServices: [MSN Messenger] jdkmety.exe
O4 - HKLM\..\RunServices: [Outlook Express Config] bbkzh.exe
O4 - HKLM\..\RunServices: [Outlook Express] znoov.exe
O4 - HKLM\..\RunServices: [blah service] smnp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe

O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {315D1BD2-0165-48AE-9F91-9CC271704FBA} (LRNPrint Class) - file://E:\Webfiles\LRN Viewer\HTML\lrniehlp.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Any ideas would be greatly appreciated

thanks
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Let's start by getting rid of the W32/Rbot-BV worm:
http://www.sophos.com/virusinfo/analyses/w32rbotbv.html

Make sure system restore is disabled.

While in safe mode go to c:\Windows\System32
Delete WSSVRS.EXE

Go to regedit.
Delete the following keys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wssvrs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = wssvrs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wssvrs.exe

I'll type up a few more instructions to get rid of another worm here in a second. You might as well wait for that before you do the above so you can get rid of both of them at the same time.
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

The other worm I see is WORM_SPYBOT.BR

http://www.trendmicro.com/vinfo/virusen ... BR&VSect=T

While in safe mode go to
C:\Windows\System32\
delete SCRGRD.EXE.EXE

In regedit delete the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Microsoft Restore = “scrgrd.exe”
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
Microsoft Restore = “scrgrd.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Microsoft Restore = “scrgrd.exe”

Rerun Hijackthis and check these and "fix"

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [EnableDCOM] N
O4 - HKLM\..\RunServices: [MSN Messenger] jdkmety.exe
O4 - HKLM\..\RunServices: [Outlook Express Config] bbkzh.exe
O4 - HKLM\..\RunServices: [Outlook Express] znoov.exe
O4 - HKLM\..\RunServices: [blah service] smnp.exe


That should get you far enough along to where you can run your other spyware removal tools without these creeping back in. They should have caught them the first time around, but give it a go around again. Do all of this in safe mode with system restore off.
  • HelloWorld
  • Newbie
  • Posts: 5

Post 3+ Months Ago

ATNO/TW

Excellent advice put to good use. Comp is working well. The only problem was that I had to do it for every user on the computer, which was a real pain but can't be helped. The only reason I mention it is in case anyone else is having the same problem. Anyway, thanks again for the advice.
  • helo53
  • Born
  • Posts: 2

Post 3+ Months Ago

Hey guys, I am having the same problem with task manager, reg edit and msconfig. I am posting my hijackthis also. Any help will be appreciated. I am off to work so I will check the forum later this evening. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 11:15:44 AM, on 9/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Protector Plus\PPAVMon.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\icemgr.exe
C:\WINDOWS\System32\CSSRS.EXE
C:\WINDOWS\SYSCFG16.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Winsock2 driver] CSSRS.EXE
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] CSSRS.EXE
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Royal Vegas Poker (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.38 ... assets.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8853E9D-2756-4137-A186-A723A4323909}: NameServer = 205.188.146.146
  • LAbrego
  • brego from LA
  • Web Master
  • Posts: 2856

Post 3+ Months Ago

First of all, turn off system restore.

//Edit, in case you are not sure how to turn off system restore:

For Windows XP

Log on an administrative account.
Right-click the My Computer icon on the desktop and click Properties.
Click the System Restore tab.
Select Turn off System Restore.
Click Apply > Yes > OK.
Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
Re-enable System Restore by clearing Turn off System Restore.

----------------
First worm, Backdoor.Win32.Wisdoor.19968:

1- Reboot to safe mode. (You can reboot to safe mode by pressing F8 on startup.)

2. Using Windows Explorer, uncheck "Hide file extensions for known file types". - [Tools] -> [Folder Options...] -> [View] -> click "Hide file extensions for known file types", also uncheck "Hide protected operating system files", click Yes to confirm and click ok.

3. Confirm if "SYSCFG16.EXE" is executing and terminate the process. [Window Task Manager] -> [Process]

- Example execution of Window Task Manager: In the Windows 95/98/ME system, press "CTRL+ALT+DELETE" and in the Windows NT/2000/XP system, press "CTRL+SHIFT+ESC".

4. Find the following file in the Windows folder and delete it.

- SYSCFG16.EXE (File size : 19,968 bytes, File attribute : Hide)

5. After selecting [Start] -> [Run], type "regedit". (Registry editor is executed.)

6. Search for the value in the following path with the registry editor and delete it.

- HKEY_LOCAL_MACHINE\
Software\
Microsoft\
Windows\
CurrentVersion\
Run

- Name : Windows System Configuration
- Data : (Windows folder)\SYSCFG16.EXE

7. Close the registry editor.

8. Reboot the system.

//You have McAfee antivirus; I strongly recommend you get the latest virus definitions from McAfee.

//Rescan with hijack this and post your log again.
  • LAbrego
  • brego from LA
  • Web Master
  • Posts: 2856

Post 3+ Months Ago

Second one, WORM_AGOBOT.FX

1- Again, start in safe mode
2- Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
3- In the left panel, find the following key:
- HKEY_LOCAL_MACHINE\
Software\
Microsoft\
Windows\
CurrentVersion\
Run

4- In the right panel, locate and delete the entry:

WinFX = "cssrs.exe"
Display Drivers = "cssrs.exe"

5- In the left panel, find the following key:
- HKEY_LOCAL_MACHINE\
Software\
Microsoft\
Windows\
CurrentVersion\
RunServices

6- In the right panel, locate and delete the entry:
WinFX = "cssrs.exe"
Display Drivers = "cssrs.exe"

7- Again in the left panel, locate and delete the following:
HKEY_LOCAL_MACHINE\
System\
CurrentControlSet\
Services\
Driver

8- Close Registry Editor and restart your system
9- Go to C:\WINDOWS\System32\ and delete this file CSSRS.EXE

Note: Check your spelling very well when you delete this file, it is CSSRS.exe NOT CSRSS.exe, this last one is in fact a system file
  • LAbrego
  • brego from LA
  • Web Master
  • Posts: 2856

Post 3+ Months Ago

Not sure about these ones; I will research them if no one comes up with some information:

O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll


O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

labrego wrote:
Not sure about these ones; I will research them if no one comes up with some information:

O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll


No information whatsoever. That is suspicious in itself. I would get rid of them. Hijack this can restore them if necessary and that file can be moved temporarily.

Quote:
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe

Now these are definitely bad. Any task which is set up to launch at startup from multiple locations is no good. No legitimate Windows program or service would be set up like this.
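The multiple-location check described in the post above, written out as an added example (not part of the original thread and not HijackThis's own code). It parses the O4 autorun lines of a HijackThis log and reports every program registered under more than one startup key; the function names are hypothetical and the sample lines are copied from the logs posted earlier in this thread.

```python
import re
from collections import defaultdict

# O4 lines copied from the HijackThis logs posted earlier in this thread
# (helo53's log, plus a rundll32 entry and a data-only entry from HelloWorld's).
SAMPLE_LOG = r"""
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Winsock2 driver] CSSRS.EXE
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [EnableDCOM] N
O4 - HKCU\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] CSSRS.EXE
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
"""

# "O4 - HKLM\..\Run: [Value name] command line"; the greedy name group
# tolerates value names that themselves contain brackets.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*)\]\s*(.*)$")
EXE_RE = re.compile(r'([^\\"]+?\.exe)\b', re.IGNORECASE)
DLL_RE = re.compile(r'([^\\"\s,]+?\.dll)\b', re.IGNORECASE)


def autorun_target(command):
    """Return the lower-cased file name an autorun command launches, or None.

    For rundll32 the DLL is the real payload, so the DLL name is returned;
    otherwise every rundll32 entry would be lumped together as one program.
    """
    exe = EXE_RE.search(command)
    if not exe:
        return None  # data-only values such as "[EnableDCOM] N"
    name = exe.group(1).lower()
    if name == "rundll32.exe":
        dll = DLL_RE.search(command[exe.end():])
        return dll.group(1).lower() if dll else name
    return name


def parse_o4(line):
    """Parse one registry O4 line; return None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    return {
        "location": f"{hive}\\{key}",
        "name": name,
        "command": command,
        "target": autorun_target(command),
    }


def multi_location_autoruns(log_text, min_locations=2):
    """Map each launched file to the startup keys it appears under,
    keeping only files present in at least `min_locations` distinct keys."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and entry["target"]:
            seen[entry["target"]].add(entry["location"])
    return {
        target: sorted(locs)
        for target, locs in seen.items()
        if len(locs) >= min_locations
    }


if __name__ == "__main__":
    for target, locs in sorted(multi_location_autoruns(SAMPLE_LOG).items()):
        print(f"{target}: {len(locs)} startup keys -> {', '.join(locs)}")
```

SYSCFG16.EXE is not reported by this check because both of its value names sit in the same key (HKLM Run); the check is a triage signal for which entries to look up first, not a verdict.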
  • LAbrego
  • brego from LA
  • Web Master
  • Posts: 2856

Post 3+ Months Ago

JrzyCrim wrote:
labrego wrote:
Not sure about these ones; I will research them if no one comes up with some information:

O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll


No information whatsoever. That is suspicious in itself. I would get rid of them. Hijack this can restore them if necessary and that file can be moved temporarily.

Quote:
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe

Now these are definitely bad. Any task which is set up to launch at startup from multiple locations is no good. No legitimate Windows program or service would be set up like this.


Agreed Jim, just wanted to be sure and wait for the master's return :wink: *igor voice maaaster lol Jk
  • thommata
  • Born
  • Posts: 1

Post 3+ Months Ago

Help please.

I am trying to help a friend clean her PC. Here is what I have done. I have updated AV and run a full scan; multiple viruses were found and cleaned. Ran adaware multiple times and cleaned files. Ran a vb script to remove the disable regedit. I can boot to safe mode and launch regedit and it is fine. When I log in as a user with admin rights, regedit opens and closes when run. I then opened norton av and noticed that the auto protect was not enabled, tried to enable it and could not. Also, every time I launch a browser and try to go to norton site or mcafee it redirects me to some ad123 site that then launches multiple browsers. I have also run hijackthis, used this to remove the 07 reg reference, still no regedit. Any help would be fantastic. Here is the hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 9:50:36 AM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\ZONEALARMUPDATE.EXE
C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\AIM\aim.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 127.208.109.145 http://www.symantec.com
O1 - Hosts: 127.139.62.44 securityresponse.symantec.com
O1 - Hosts: 127.254.139.74 symantec.com
O1 - Hosts: 127.128.106.240 http://www.mcafee.com
O1 - Hosts: 127.113.55.99 mcafee.com
O1 - Hosts: 127.131.210.24 us.mcafee.com
O1 - Hosts: 127.52.55.3 http://www.sophos.com
O1 - Hosts: 127.148.126.103 sophos.com
O1 - Hosts: 127.140.3.237 http://www.viruslist.com
O1 - Hosts: 127.112.18.5 viruslist.com
O1 - Hosts: 127.214.253.244 f-secure.com
O1 - Hosts: 127.82.182.95 http://www.f-secure.com
O1 - Hosts: 127.86.252.70 kaspersky.com
O1 - Hosts: 127.25.55.68 http://www.avp.com
O1 - Hosts: 127.124.188.120 http://www.kaspersky.com
O1 - Hosts: 127.209.173.136 avp.com
O1 - Hosts: 127.141.200.92 http://www.networkassociates.com
O1 - Hosts: 127.229.67.144 networkassociates.com
O1 - Hosts: 127.183.253.6 http://www.ca.com
O1 - Hosts: 127.85.243.153 ca.com
O1 - Hosts: 127.240.183.142 my-etrust.com
O1 - Hosts: 127.201.94.150 http://www.my-etrust.com
O1 - Hosts: 127.54.65.109 secure.nai.com
O1 - Hosts: 127.95.2.248 nai.com
O1 - Hosts: 127.2.45.139 http://www.nai.com
O1 - Hosts: 127.118.117.194 trendmicro.com
O1 - Hosts: 127.28.141.83 http://www.trendmicro.com
O1 - Hosts: 127.247.125.171 housecall.trendmicro.com
O1 - Hosts: 127.0.81.108 http://www.pandasoftware.com
O1 - Hosts: 127.190.17.75 http://www.bitdefender.com
O1 - Hosts: 127.159.51.235 http://www.ravantivirus.com
O1 - Hosts: 127.55.170.126 www3.ca.com
O1 - Hosts: 127.32.246.16 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.71.116.129 windowsupdate.microsoft.com
O1 - Hosts: 127.228.227.246 http://www.windowsupdate.com
O1 - Hosts: 127.27.50.118 windowsupdate.com
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\faye haas\Local Settings\Temp\wCfruvdA.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kuljblwp.exe
O4 - HKLM\..\Run: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARMUPDATE.EXE
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] C:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\Run: [DC4j] C:\documents and settings\faye haas\local settings\temp\DC4j.exe
O4 - HKLM\..\Run: [dO6eE] C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\TafqX5mo.exe
O4 - HKLM\..\Run: [fcb8f7189662] C:\WINDOWS\System32\CLBCATQ2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [DriveService16] sysserv16.exe -drivers
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKCU\..\Run: [d0q3RVeFg] ixstls.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARMUPDATE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5197190017
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Adqlai32.dll (file missing)



Thank you in advance,

Tom
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Hello Tom, welcome to Ozzu. Thanks for the detailed information.

Print or save the following so that you will have these instructions handy.

Run Hijack This, Go to Config > Misc Tools > Open Process Manager.
Select the following one at a time and click Kill Process:

C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\PROGRA~1\Web Offer\wo.exe


Click Back in the lower right of hijack this.

Click Scan and check the following items. Don't Fix yet.

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 127.208.109.145 http://www.symantec.com
O1 - Hosts: 127.139.62.44 securityresponse.symantec.com
O1 - Hosts: 127.254.139.74 symantec.com
O1 - Hosts: 127.128.106.240 http://www.mcafee.com
O1 - Hosts: 127.113.55.99 mcafee.com
O1 - Hosts: 127.131.210.24 us.mcafee.com
O1 - Hosts: 127.52.55.3 http://www.sophos.com
O1 - Hosts: 127.148.126.103 sophos.com
O1 - Hosts: 127.140.3.237 http://www.viruslist.com
O1 - Hosts: 127.112.18.5 viruslist.com
O1 - Hosts: 127.214.253.244 f-secure.com
O1 - Hosts: 127.82.182.95 http://www.f-secure.com
O1 - Hosts: 127.86.252.70 kaspersky.com
O1 - Hosts: 127.25.55.68 http://www.avp.com
O1 - Hosts: 127.124.188.120 http://www.kaspersky.com
O1 - Hosts: 127.209.173.136 avp.com
O1 - Hosts: 127.141.200.92 http://www.networkassociates.com
O1 - Hosts: 127.229.67.144 networkassociates.com
O1 - Hosts: 127.183.253.6 http://www.ca.com
O1 - Hosts: 127.85.243.153 ca.com
O1 - Hosts: 127.240.183.142 my-etrust.com
O1 - Hosts: 127.201.94.150 http://www.my-etrust.com
O1 - Hosts: 127.54.65.109 secure.nai.com
O1 - Hosts: 127.95.2.248 nai.com
O1 - Hosts: 127.2.45.139 http://www.nai.com
O1 - Hosts: 127.118.117.194 trendmicro.com
O1 - Hosts: 127.28.141.83 http://www.trendmicro.com
O1 - Hosts: 127.247.125.171 housecall.trendmicro.com
O1 - Hosts: 127.0.81.108 http://www.pandasoftware.com
O1 - Hosts: 127.190.17.75 http://www.bitdefender.com
O1 - Hosts: 127.159.51.235 http://www.ravantivirus.com
O1 - Hosts: 127.55.170.126 www3.ca.com
O1 - Hosts: 127.32.246.16 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.71.116.129 windowsupdate.microsoft.com
O1 - Hosts: 127.228.227.246 http://www.windowsupdate.com
O1 - Hosts: 127.27.50.118 windowsupdate.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\faye haas\Local Settings\Temp\wCfruvdA.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kuljblwp.exe
O4 - HKLM\..\Run: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] C:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\Run: [DC4j] C:\documents and settings\faye haas\local settings\temp\DC4j.exe
O4 - HKLM\..\Run: [dO6eE] C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\TafqX5mo.exe
O4 - HKLM\..\Run: [fcb8f7189662] C:\WINDOWS\System32\CLBCATQ2.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [DriveService16] sysserv16.exe -drivers
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKCU\..\Run: [d0q3RVeFg] ixstls.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Adqlai32.dll (file missing)


Close all browsers and windows except Hijack this and click Fix Checked.

Reboot into Safe Mode.

Find and delete the following files:
C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\WINDOWS\System32\kuljblwp.exe
C:\WINDOWS\System32\ws2_32s.exe
C:\WINDOWS\System32\TafqX5mo.exe
C:\WINDOWS\System32\CLBCATQ2.exe


Delete the following folders:
C:\PROGRA~1\Web Offer\

Search for these files and delete if found:
mssecure.exe
sysserv16.exe
wudmate.exe
ipconfigs.exe
ixstls.exe


Go to start > run, enter: cleanmgr

Make sure only the following are checked:

Temporary Internet files
Recycle Bin
Temporary Files


Click OK

Reboot into normal mode. Run Hijack This, Scan and save the log. Post the new log here.
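The patterns visible in the entries flagged in the post above (hosts entries pointing antivirus and Windows Update sites at 127.x.x.x addresses, files loaded from a Temp folder, entries marked "(no file)" or "(file missing)", and one autorun name registered under several Run keys) can be checked with a small triage script. This is an added example, not part of the thread: the sample log is constructed from entry types shown in the thread, and the suffix list, function names and the user name in the paths are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in HijackThis log format, modelled on entries in this thread.
# "user" and example.* are placeholders; lines 3 and 6 are benign controls.
SAMPLE_LOG = r"""
O1 - Hosts: 127.208.109.145 http://www.symantec.com
O1 - Hosts: 127.27.50.118 windowsupdate.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\user\Local Settings\Temp\example.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [example] C:\documents and settings\user\local settings\temp\example.exe
""".strip()

# Assumption: a short suffix list taken from the vendors named in the thread's O1 entries.
SECURITY_SUFFIXES = ("symantec.com", "mcafee.com", "sophos.com", "trendmicro.com",
                     "kaspersky.com", "f-secure.com", "windowsupdate.com",
                     "windowsupdate.microsoft.com")

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
AUTORUN = re.compile(r"^(?P<key>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def check_hosts(entry):
    """Return a reason if an 'IP hostname' hosts entry redirects a real site to loopback."""
    parts = entry.split()
    if len(parts) < 2:
        return None
    # Forum software turned bare "www." names into URLs, so drop any scheme.
    host = re.sub(r"^https?://", "", parts[1]).lower()
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None
    if not ip.is_loopback or host == "localhost":   # all of 127.0.0.0/8 is loopback
        return None
    if any(host == s or host.endswith("." + s) for s in SECURITY_SUFFIXES):
        return f"hosts file sends security/update site {host} to loopback"
    return f"hosts file sends {host} to loopback"


def triage(log_text):
    """Return sorted (line_number, reason) pairs for entries that merit manual review."""
    findings = []
    autoruns = defaultdict(list)          # value name -> [(line_number, registry key)]
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = ENTRY.match(raw.strip())
        if not m:
            continue                      # header lines, process list, blank lines
        code, body = m["code"], m["body"]
        if code == "O1" and body.startswith("Hosts: "):
            reason = check_hosts(body[len("Hosts: "):])
            if reason:
                findings.append((n, reason))
        if code == "O4":
            a = AUTORUN.match(body)
            if a:
                autoruns[a["name"]].append((n, a["key"]))
        if TEMP_DIR.search(body):
            findings.append((n, "loads a file from a Temp directory"))
        if body.endswith(("(no file)", "(file missing)")):
            findings.append((n, "registry entry whose file is gone"))
    # The same value name under several autorun keys is redundant persistence.
    for name, seen in autoruns.items():
        keys = {key for _, key in seen}
        if len(keys) > 1:
            for n, _ in seen:
                findings.append((n, f"autorun '{name}' registered under {len(keys)} keys"))
    return sorted(findings)


if __name__ == "__main__":
    for line_number, reason in triage(SAMPLE_LOG):
        print(f"line {line_number}: {reason}")
```

The output is a review list, not a verdict: each flagged entry still needs the manual check of the file and registry value that the post describes.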
  • helo53
  • Born
  • Born
  • helo53
  • Posts: 2

Post 3+ Months Ago

Sorry guys, no update on my system yet. I have been so busy I haven't had time to repair the problems on my PC, although I am very confident it will be a good fix. I will keep posted and post my HijackThis log when finished.

Thanks Helo53
  • amadeus
  • Born
  • Born
  • amadeus
  • Posts: 2

Post 3+ Months Ago

Hi, I'm new here and am experiencing similar problems: Task Manager isn't working, nor are regedit and my antivirus software (Norton). The window appears for a split second, then disappears suddenly.
Also, when I start up my computer, the internet connection speed is fine. But after a few minutes or so, it quickly begins to slow down until my PC cannot detect a connection anymore. When I reboot, the internet speed is fine again, but the same problem occurs after a few minutes. Something is eating up the bandwidth.
I think I know what the problem is, though I cannot fix it. The file "hjdjhaid.exe" is running in the background (as seen in my task list), and fails to end when I shut down my computer, causing a popup window to appear every time. I manually tried to delete the file in the windows/prefetch folder where it is located, but whenever I do, it disappears and reappears again in the same folder.
Anyway, here is the log file from HijackThis... hope someone can help me because I'm lost. Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 12:18:37 AM, on 10/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Toby Corona\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Msi Setup] mssetup.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\tixbmquj.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
O4 - HKLM\..\Run: [MS FIREWALL] msfirewall.exe
O4 - HKLM\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [MS FIREWALL] msfirewall.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wuagmsd.exe
O4 - HKCU\..\Run: [Msi Setup] mssetup.exe
O4 - HKCU\..\Run: [Windows Monitor] winmon.exe
O4 - HKCU\..\Run: [MS FIREWALL] msfirewall.exe
O4 - HKCU\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKCU\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKCU\..\RunServices: [MS FIREWALL] msfirewall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Hcoklfqh.dll
  • bradcj
  • Born
  • Born
  • bradcj
  • Posts: 2

Post 3+ Months Ago

Despite trying to solve this same problem without posting, I have run out of things to do and am asking for help.

After removing a number of files per other suggestions (e.g., all the /Temp files in the users' Local Settings folders), performing a number of actions and running removal tools, key programs like msconfig immediately close on running despite all of the following actions being done.

I have AVG 7.0 with no virus reported
I have SpyBot 1.3 with only 5 DSO errors showing
I have Norton AntiVirus 2003 with the latest definitions with no virus showing
I have Ad-aware 6.0 with reference file 01R343 04.10.2004 and no problems showing

I also ran a Recovery boot from the installation disk
I ran SFC
I ran the AVG vcleaner utility
I cleaned out my recycle bin
I ran PepiMK's CoolWWWSearch.SmartKiller removal tool

Below is my HijackThis output
Logfile of HijackThis v1.97.7
Scan saved at 12:56:05 PM, on 10/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\QTIMER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\Brad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weekapauggolfclub.com/Club/S ... e/home.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: P3P Client - {00000178-CD4A-447a-BCF9-6FD0096B5527} - C:\PROGRA~1\PRIVAC~1\P3PCLI~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Quicktime Runtime] QTIMER.EXE
O4 - HKCU\..\RunOnce: [Quicktime Runtime] QTIMER.EXE
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdat ... t/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C ... 7879.53875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab


Please can somebody help me?

Brad
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Brad -- if nobody else gets to it first, I'll try to take a look at it later this evening when I get home.
  • bradcj
  • Born
  • Born
  • bradcj
  • Posts: 2

Post 3+ Months Ago

I believe I have traced down the actual problem. The key, pardon the pun, was the Qtimer entries which I was fooled into thinking was related to QuickTime.

If I have this correctly, this is a variant of an AOL AIM trojan backdoor which goes by several names: msnguyen.exe, aolmsngr.exe, msginab.exe and now also (apparently) including qtimer.exe (spelled QtimeR.exe for detail's sake).

I somehow stumbled across several descriptions including:
http://computercops.biz/postp307801.html
http://www.tech-recipes.com/instant_mes ... ps575.html

To resolve this required using a Process Explorer described in this article:
http://www.geocities.com/cumquat18/elimiexplorer.html

I followed the instructions, substituting QtimeR.exe for ElimiExplore.exe everywhere where appropriate (e.g., deleting processes, files, and Registry entries).

I now have control back of my system and full use of system commands from the Run interface for regedit, msconfig, etc.

I plan on rerunning all of my various adware, virus, trojan detectors and to rerun sfc to ensure I haven't messed up things or left the little bugger around someplace else.

Thank you for letting me post here and get help.

Brad
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Hey, thanks for the update and the great info. Timing was perfect. I just got home a bit ago and was just sitting down to look at this.
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

I have a similar problem:

opening regedit - closes again straightaway
opening regedt32 - closes again straightaway
ctrl alt del / tsk mge - closes again straightaway
all of the above also happen in safe mode.

I've disabled system restore and I've run Spybot 1.3 and fixed all problems. I've also run a full virus check of the system with Kaspersky AV (updated to today).

I've installed hijack and the file is as below:

Logfile of HijackThis v1.98.2
Scan saved at 22:59:40, on 09/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize

Many thanks in anticipation
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

That's a pretty clean and simple looking log. The only thing that jumps out at me is Explorer.EXE in your running processes. Yes, I know explorer.exe should be there, but in my XP (SP2) it is explorer.exe (all small case) - not Explorer.EXE

I'm wondering if you had a nasty replace your explorer shell. Take a look in C:\WINDOWS\ and see if you have different variations of explorer.exe
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

Hi, the only entries I can see like explorer in c:\windows are:

EXPLORER (no extension - the type is listed as Windows Explorer command)
explorer.exe (981KB modified 29.08.02 06:00)

thanks.
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

P.S. yep, on my own PC with SP2 (the one with a problem is a friend's) it also lists explorer.exe and not .EXE.

By the way I don't know if this is relevant but the install of SP2 on my friend's machine took 24hrs + !!!
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

now then, if I kill the explorer.EXE process using Hijack I can then open Task Mgr ok. However, if I then run regedt32 (which just closes straightaway again) and then ctrl / alt / del tsk mgr closes straightaway again.

Maybe I could copy the explorer.exe from my other pc to this one?
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Hidden Danger wrote:
P.S. yep, on my own PC with SP2 (the one with a problem is a friend's) it also lists explorer.exe and not .EXE.

By the way I don't know if this is relevant but the install of SP2 on my friend's machine took 24hrs + !!!


*lol -- that's not surprising if he's on dial-up.

I think your idea might do the trick, although I can't recommend it as I have never tried it.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

That's probably not it. I just ran HijackThis in XP and it adds the caps like yours did.

That log is incredibly small. Did you do that in safe mode? If so, try running it in regular Windows and repost if different.
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

He did the update from an XP SP2 CD-ROM not via a dial-up connection - it probably would have been quicker via dial-up ! (It only took 20 mins on my PC)

Anyway, I tried copying explorer.exe from my PC but this didn't work, as the PC would not even boot into Windows because of a missing .dll file. Good job I made a backup of the explorer.EXE! I've now restored the original explorer.EXE and it is booting into Windows as before with the same problems.

I've also noticed that if you click on search in windows explorer that the following message appears:

"Cannot load library for language 'JScript' Path: 'C:\Program files\Common Files\Symantec shared\script blocking\scrauth.dll' Please contact Kaspersky Lab for the solution"

However, the solution at:

http://www.kaspersky.com/faq?qid=148845452

involves editing the registry, which I can't even get into !
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

The hijack was run in normal windows not safe mode. I did clean up a bit with hijack earlier though (should have mentioned that earlier, sorry) - I've restored the backup though now with hijack to before I started cleaning up and here is the original log:

Logfile of HijackThis v1.98.2
Scan saved at 00:13:31, on 10/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Temp\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol022.cab
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

I see why you nixed what you did, however, at the moment I'm out of ideas. I can't see anything in your current log that's a problem.
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

ok, thanks for your time anyway. I think I might try and uninstall SP2 and see if that makes any difference.

Cheers
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Wait a minute. I'm confused. If you have SP2 installed, then why does your log show SP1?

Now I'm even more confused. You say this was the original log:
Quote:
I've restored the backup though now with hijack to before I started cleaning up and here is the original log:


but the date on the first one you posted was 9/10/2004


So which is current?
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

Good point, looks like the SP2 installation that took over 24hrs really did cause some major problems.

However, I've just finished removing SP2 via add/remove prgrms and the problem remains:

Here's a revised log after the uninstall:

Logfile of HijackThis v1.98.2
Scan saved at 00:53:49, on 10/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol022.cab

Off to bed now as its 1am in England ! C U in the morning...
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

P.S. I've noticed that windows task mgr (which I can open after killing explorer.exe in hijack) shows a process called:

csrss.exe

which hijack does not ???
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

That's an OK file
http://www.liutilities.com/products/win ... ary/csrss/
  • trojanmon
  • Born
  • Born
  • trojanmon
  • Posts: 1

Post 3+ Months Ago

I'm also having a similar problem, except most antivirus programs also close and hijack this seems to get killed as well. I get a popup for just a few ms and then it goes away each time I run.

Also, I periodically get some popups that say you must click yes to continue.

This is a family member's computer and I've removed a bunch of viruses and adware removed a bunch too. HouseCall scanner won't work because it crashes IE. I'm sure these are all related. Do you think it might be a root kit? Any ideas how to proceed?

TIA.
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

A little progress, I have found that by running regedt32.exe or regedit.exe from c:\i386 I am able to edit the registry. Could this mean that the versions of regedt and regedt32 that are being run by typing a command in at "run" are bogus versions stored elsewhere?

I'm currently perusing the registry now for dodgy entries.
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

More info if it will help: although if I run regedt32.exe and regedit directly from c:\i386 they run fine, if I copy the exact same files (regedt32.exe and regedit.exe) from c:\i386 to the c:\windows folder and run them from c:\windows they just close down straight away??? It's almost as if something is detecting if regedit is being run from c:\windows but not if it is run from c:\i386???? Very perplexing.
  • Hidden Danger
  • Newbie
  • Newbie
  • Hidden Danger
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

I've reinstalled XP SP2 and turned on the firewall, upon rebooting the firewall came up with a message about blocking explorer accessing the internet and the problem remains. Also, every time I enable the firewall it disables itself a few seconds later!!

:cry: :cry: :cry:
Any suggestions anyone?
:cry:
  • amadeus
  • Born
  • Born
  • amadeus
  • Posts: 2

Post 3+ Months Ago

I don't know much, but after trying lots of stuff, I solved my problem by running the HouseCall service of the trend microsystems website. It detected this kind of virus and fixed it for me. You might want to try that.
  • triple5
  • Newbie
  • Newbie
  • triple5
  • Posts: 9

Post 3+ Months Ago

Hi, I'm having the same problem as many of these people and I've read quite a few posts as to how to fix this problem.
My computer has all the same symptoms as the others, i.e. besides Task Manager, regedit and msconfig also auto-close.

I've disabled system restore and run virus scans (no virus found), Adaware and Spybot, and removed everything that was previously there. But about 10 minutes after I restart my system my computer will start to get this lag and jerkiness in the mouse, unless I do a system restore; then it'll be fine again until, about a day later, I get this Task Manager problem.

Here is a copy of my logfile from HijackThis. A lot of things look weird but I'm not sure what it is. Any help would be grateful. Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 3:24:33 AM, on 11/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\windvsrv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\Bandwidth Monitor\Bandwidth Monitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\a b b i e . c\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {657405F1-D350-4194-8182-FA8E8492C467} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update Protocols] updr32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\RunOnce: [Windvsrv] windvsrv.exe
O4 - Startup: Bandwidth Monitor.lnk = C:\Program Files\Bandwidth Monitor\Bandwidth Monitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b28578.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b28578.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {33E7E377-FA07-4228-93A6-8A340B768140} (Nexon Package Manager Control (Jp)) - http://www.nexon.co.jp/JP/f/ActiveX/Public/nxpmjp.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/A ... ngctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b28578.cab
O16 - DPF: {CDA94496-ED6F-4C72-94C8-2C485DC63390} (VCDS Control) - http://vcds-client.nefficient.co.kr/vcd ... t/vCDS.CAB
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {DD85FDB7-9363-4873-B50C-CC46F3E4B704} (IGOLauncher6 Control) - http://vitalsign.igamesasia.com.sg/acti ... ncher6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b28578.cab
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\system32\msc.cpl (file missing)
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Hello triple5, just hang tight while I go over your log.
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Copy or print the following instructions so you will have them handy.

Run Hijack This, scan and check the following items. (don't fix yet):

O2 - BHO: C:\WINDOWS\lbbho.dll - {657405F1-D350-4194-8182-FA8E8492C467} - C:\WINDOWS\lbbho.dll

O4 - HKLM\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update Protocols] updr32.exe
O4 - HKCU\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKCU\..\RunOnce: [Windvsrv] windvsrv.exe
O4 - Startup: Bandwidth Monitor.lnk = C:\Program Files\Bandwidth Monitor\Bandwidth Monitor.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {33E7E377-FA07-4228-93A6-8A340B768140} (Nexon Package Manager Control (Jp)) - http://www.nexon.co.jp/JP/f/ActiveX/Public/nxpmjp.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/A ... ngctrl.cab
O16 - DPF: {CDA94496-ED6F-4C72-94C8-2C485DC63390} (VCDS Control) - http://vcds-client.nefficient.co.kr/vcd ... t/vCDS.CAB
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\system32\msc.cpl (file missing)

The following entries are not harmful but are not needed. Fixing these entries will prevent them from launching at startup but will not remove the programs that they are associated with:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Close all browsers and windows except for Hijack This and click 'Fix Checked'.


Reboot into Safe Mode
http://www.jayloden.com/SafeMode.htm


Display hidden files and folders
Go to Start > Run
Enter: control folders
Go to the View tab.
Check "Show hidden files and folders"
Uncheck "Hide protected Operating System files"
Click OK


Delete the following files:
C:\WINDOWS\system32\windvsrv.exe


Search for and delete the following files:
updr32.exe < most likely in c:\windows\ or c:\windows\system32\

Clear Temporary Folders\Files and Internet Files
Go to start > run
Enter: cleanmgr

Make sure only the following are checked:
Temporary Internet files
Recycle Bin
Temporary Files

Click OK

Login for each user and repeat the steps for Clearing Temporary Folders\Files and Internet Files.

Flush System Restore
Right Click on "My Computer"
Select Properties
Go to the System Restore Tab
Check 'Turn off System Restore on all drives'.
Click Apply
Uncheck 'Turn off System Restore on all drives'
Click OK

Reboot Normally
Run Hijack This, scan, save and post the new log.

After it has been determined that your system is clean, it is advised that you visit Windows Update:

Microsoft issues security updates on a regular basis. These updates patch vulnerabilities that hackers can exploit. Please visit Windows Update and install all Critical updates for Windows and Internet Explorer.
http://windowsupdate.microsoft.com/
  • triple5
  • Newbie
  • Posts: 9

Post 3+ Months Ago

I followed all your instructions and it seems to be working fine now. Thanks a lot for the help. I really appreciate it.
Here is my log. Couldn't find updr32.exe in any folders to delete after fixing it in HijackThis though, so I guess that is good.
Hmm, just a question. Should I fix those files in HijackThis that say O21 - (no file) at the end? I seem to get new ones every time I refresh.

Logfile of HijackThis v1.98.2
Scan saved at 5:00:01 AM, on 11/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Documents and Settings\a b b i e . c\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b28578.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b28578.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {DD85FDB7-9363-4873-B50C-CC46F3E4B704} (IGOLauncher6 Control) - http://vitalsign.igamesasia.com.sg/acti ... ncher6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b28578.cab
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Your log looks pretty good. Just a couple of more things to fix:

Run Hijack This, scan and check the following items. (don't fix yet):
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

Close all browsers and windows except for Hijack This and click 'Fix Checked'.

Make sure these files are not on your system:
C:\WINDOWS\system32\windvsrv.exe

updr32.exe <-- Use the search feature just to make sure. If you've used housecall, that may have removed it. I don't see it in your running processes. Should be ok.

Reboot, run Hijack this and scan once more. Check and see if any of the bad entries are present. If not, you should be good to go. :)

For the Future Prevention of Spyware/Malware and other Security Issues
-----------------------------------------------------------------------
Microsoft issues security updates on a regular basis. These updates patch vulnerabilities that hackers can exploit. Please visit Windows Update and install all Critical updates for Windows and Internet Explorer.
http://windowsupdate.microsoft.com/

Keep your Anti-Virus program up-to-date. This is very important. New viruses are released at an alarming rate. By keeping your AV program updated, you greatly reduce the risk of being infected.

Spyware cleaning programs such as Spybot Search and Destroy and Adaware are a must have for any internet user. Seemingly benign websites can cause great harm to the unwary user.
  • AdAware
  • Spybot Search and Destroy
I recommend installing both of these and updating them on a regular basis. A good article to read:
So how did I get infected in the first place?

The above article mentions a favorite program of mine: Spywareblaster. This is an excellent program which:
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially dangerous sites in Internet Explorer.

A firewall is also an important tool for system security. I recommend reading this article:
Understanding and Using Firewalls

Again, it is essential to keep all of these programs up-to-date. The longer you go without updating them, the less effective they become.
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

triple5 wrote:
Hmm, just a question. Should I fix those files in HijackThis that say O21 - (no file) at the end? I seem to get new ones every time I refresh.


Let me check on that. In your first log, this was listed:
C:\WINDOWS\system32\msc.cpl (file missing)

I'm not sure what msc.cpl is but it was missing to begin with. Let me get back to you on that.

Just another reminder, you should really visit Windows Update.
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Here's what I've discovered about msc.cpl:
Quote:
I'M NOT SURE WHAT TO CALL IT, BUT IT IS NOT LEGAL (msc.cpl) (changed to RED 14. september after research from Fromsej)

O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:WINDOWS\System32\msc.cpl

The CLSID stays the same but the name changes throughout the fix:

changed to this after fixing 1st time:

O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

changed to this after fixing 2nd time:

O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)


From http://www.fbeej.dk/NewHJTEntries.htm
about a 3rd of the way down the page. Nothing really definitive.

It seems to change after fixing with hijack this.

Trend Micro's Housecall may have removed that file. Were you having any problems with your control panel in the past?

Try rebooting and posting a new HJT log.
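
The re-check this thread keeps repeating (scan again and see whether the flagged entries are still present), as an added example that is not part of any post here. It keys O21 entries on their CLSID, because the quoted research says the CLSID stays the same while the name changes; the function names are hypothetical and the sample lines are copied from the logs posted above.

```python
import re

# One HijackThis entry: section code, " - ", then the body.
LINE_RE = re.compile(r"^([A-Z]\d+) - (.+)$")
# O21 body: "SSODL: <name> - {CLSID} - <file or '(no file)'>"
SSODL_RE = re.compile(r"^SSODL: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

# Entries flagged for fixing (subset copied from the first log in this thread).
FLAGGED = r"""
O4 - HKLM\..\Run: [Microsoft Update Protocols] updr32.exe
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\system32\msc.cpl (file missing)
"""
SCAN_1 = FLAGGED
# Relevant lines copied from the second and third logs posted in the thread.
SCAN_2 = r"""
O4 - HKLM\..\Run: [Windvsrv] windvsrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
"""
SCAN_3 = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
"""


def parse_log(text):
    """Return (code, body) for each entry line; header and process-path lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def identity(code, body):
    """Stable key for an entry. O21 uses the CLSID, since its displayed name can change."""
    if code == "O21":
        m = SSODL_RE.match(body)
        if m:
            return ("O21", m.group(2).upper())
    return (code, body)


def persisting(flagged_text, later_text):
    """Flagged entries still present in a later scan, as (code, old_body, new_body)."""
    later = {identity(c, b): b for c, b in parse_log(later_text)}
    return [(c, b, later[identity(c, b)])
            for c, b in parse_log(flagged_text) if identity(c, b) in later]


def ssodl_history(scans):
    """Map each O21 CLSID to the (scan number, name, target) it was shown with."""
    history = {}
    for n, text in enumerate(scans, 1):
        for code, body in parse_log(text):
            m = SSODL_RE.match(body) if code == "O21" else None
            if m:
                history.setdefault(m.group(2).upper(), []).append(
                    (n, m.group(1), m.group(3)))
    return history


def suspicious_clsids(history):
    """CLSIDs listed under more than one name, or whose target file is absent."""
    flagged = []
    for clsid, seen in history.items():
        names = {name for _, name, _ in seen}
        missing = any("(no file)" in t or "(file missing)" in t for _, _, t in seen)
        if len(names) > 1 or missing:
            flagged.append(clsid)
    return flagged


if __name__ == "__main__":
    for label, scan in (("scan 2", SCAN_2), ("scan 3", SCAN_3)):
        for code, old, new in persisting(FLAGGED, scan):
            note = "" if old == new else "  (renamed: now '%s')" % new
            print("%s still has %s - %s%s" % (label, code, old, note))
    hist = ssodl_history([SCAN_1, SCAN_2, SCAN_3])
    for clsid in suspicious_clsids(hist):
        print(clsid, "->", [name for _, name, _ in hist[clsid]])
```

A plain line-by-line comparison would report the O21 entry as gone after the first fix, because its text changed; matching on the CLSID shows it is the same entry in all three scans.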
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

There is definitely something funny going on with that.

If you have the time and are willing, open regedit and search for this string:

E61B5E20-DE35-11CF-9C87-1579005127ED

Go to start > run, enter: regedit

Go to Edit > Find and enter that long string above. When the search finds that string, right-click on the open Key folder in the left pane, select 'export' and save the file.

Hit f3 to continue the search, export and save any other positive search results using a different filename for each. Open those saved files with notepad and post the contents here.
  • triple5
  • Newbie
  • Posts: 9

Post 3+ Months Ago

Here is my logfile after cleaning all the bad files out besides the last one that says (no file). Problem with updating windows though. The downloads just keep failing. :roll: So many problems.

Logfile of HijackThis v1.98.2
Scan saved at 7:08:19 AM, on 11/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\a b b i e . c\Desktop\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 9591691795
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b28578.cab
O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)


And here is the content of the registry key.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
@="{E61B5E20-DE35-11CF-9C87-1579005127ED}"
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Okay. Sorry for the delay on finding info on this. I finally found some useful info but you already gave me the info I need. Thanks for doing that.

Copy and paste the following into notepad and save as "fix.reg", include the quotes around the filename when saving in notepad:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
@=-


After saving, double click fix.reg to merge this file into the registry. Actually, it will remove the offending value.

Reboot, run hijack this, scan and post a fresh log.

*whew* :)

I found a similar problem here in case you're interested:
http://spywarewarrior.com/viewtopic.php ... 05c3#37649

The same entry kept reappearing over and over until the registry was fixed.
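
How the exported key relates to the fix.reg above, as an added example that is not part of the original post: it parses a regedit export, finds every string value whose data is the searched CLSID, and writes a removal file that deletes only those values. The function names are hypothetical, the export text is the one posted earlier in the thread, and only string (REG_SZ) values are handled.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
# "[HKEY_...\Key]" opens a key section ("[-HKEY_...]" would delete a key; not parsed here).
KEY_RE = re.compile(r"^\[(?!-)(.+)\]$")
# String values only: @="data" is the unnamed default value, "name"="data" a named one.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Export copied from the post above. regedit saves version 5.00 files as UTF-16,
# so decode a real file to text before passing it in.
EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
@="{E61B5E20-DE35-11CF-9C87-1579005127ED}"
'''


def parse_reg(text):
    """Map each key path to its string values as (name_token, data) pairs.

    name_token is '@' for the default value, otherwise the quoted name exactly
    as written, so it can be re-emitted without re-escaping.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current.append((m.group(1), m.group(2)))
    return keys


def find_clsid(text, clsid):
    """Return (key, name_token) for every value whose data equals the CLSID.

    Braces and letter case are ignored, so the bare search string used in
    regedit's Find dialog works as well as the braced form.
    """
    wanted = clsid.strip("{}").lower()
    hits = []
    for key, values in parse_reg(text).items():
        for name, data in values:
            if data.strip("{}").lower() == wanted:
                hits.append((key, name))
    return hits


def build_removal(text, clsid):
    """Build .reg text that deletes only the matching values, or None if none match.

    In .reg syntax '@=-' deletes a key's default value and '"name"=-' deletes
    a named value; every other value in the key is left alone.
    """
    hits = find_clsid(text, clsid)
    if not hits:
        return None
    by_key = {}
    for key, name in hits:
        by_key.setdefault(key, []).append(name)
    out = [HEADER]
    for key, names in by_key.items():
        out += ["", "[%s]" % key] + ["%s=-" % n for n in names]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_removal(EXPORT, "E61B5E20-DE35-11CF-9C87-1579005127ED"))
```

For the posted export the only match is the unnamed default value, so the generated file is the same three lines as fix.reg, and the named PostBootReminder and CDBurn values are not touched.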
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

triple5 wrote:
Here is my logfile after cleaning all the bad files out besides the last one that says (no file). Problem with updating windows though. The downloads just keep failing. :roll: So many problems.


Hmm, after you do that last fix, try Windows Update one more time. If it fails, right click on 'My computer', select properties, go to the 'Automatic Updates' tab and turn off Automatic updates.

Next, with all browsers closed, open "C:\Windows\Downloaded Program Files", right click on 'WUWebControl Class' and select 'Remove'

Then go to "C:\Program Files\Windows Update" and delete the 'V4' folder.

Next, go to http://v4.windowsupdate.microsoft.com/en/default.asp
It should reinstall the update software.

If you still have problems, refer to this page:
http://v4.windowsupdate.microsoft.com/troubleshoot/
  • triple5
  • Newbie
  • Posts: 9

Post 3+ Months Ago

Thanks a lot. You were very helpful.
I believe it's fixed besides the winxp updates which I'll figure out. Thanks again :)

Logfile of HijackThis v1.98.2
Scan saved at 7:50:30 AM, on 11/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\a b b i e . c\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b28578.cab
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Great! Glad to be of help. That {E61B5E20-DE35-11CF-9C87-1579005127ED} problem had me worried for a while. I didn't know what to make of it. Fortunately, we got it taken care of. Looking back, it probably wouldn't have hurt if you left that since msc.cpl was gone but I didn't want to take a chance.

Don't hesitate to come back if you can't get Windows Update to work.

Good Luck. :)
  • stuiek
  • Born
  • Posts: 1
  • Loc: London

Post 3+ Months Ago

Hi Guys,

This is my first post here. My sister is having the same problems as those in this topic and for some strange reason she thinks I can fix it!!
The symptoms are task manager, msconfig, regedit and Norton Antivirus all close immediately after opening, also when she goes on the web as soon as she clicks away from her homepage she gets a "page cannot be found" error. Here is the Hijackthis log, hope someone can help....

Logfile of HijackThis v1.98.2
Scan saved at 19:12:30, on 18/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator.BORO\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVComS.exe
O4 - HKLM\..\Run: [A0481379] C:\WINDOWS\System32\jryzapur.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vtygbvs.exe
O4 - HKLM\..\Run: [Windows Update] host32.exe
O4 - HKLM\..\Run: [Spool Server Daemon] SPOOLSVD32.EXE
O4 - HKLM\..\Run: [Microsoft Protection Subsystems] msm32.exe
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [Microsoft Secure Server Config] rpcxConfig.exe
O4 - HKLM\..\Run: [Microsoft Config] msconf.exe
O4 - HKLM\..\Run: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winxpini.exe
O4 - HKLM\..\Run: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\Run: [Win Updator Services] ctfnom.exe
O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [Spool Server Daemon] SPOOLSVD32.EXE
O4 - HKLM\..\RunServices: [Microsoft Protection Subsystems] msm32.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\RunServices: [Microsoft Secure Server Config] rpcxConfig.exe
O4 - HKLM\..\RunServices: [Microsoft Config] msconf.exe
O4 - HKLM\..\RunServices: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winxpini.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [Win Updator Services] ctfnom.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunOnce: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\RunOnce: [Win Updator Services] ctfnom.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol012.cab

Thanks in advance.
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

Hello stuiek. Your sister's computer is full of viruses and trojans. If you have an antivirus program, you should update it and do a full scan. Also, if you are able, use Trend Micro's online scanner:

http://housecall.trendmicro.com/houseca ... t_corp.asp
Select your location and click go. Check 'Auto Clean' before scanning.
  • JrzyCrim
  • Mastermind
  • Posts: 2062

Post 3+ Months Ago

If you have problems using the online scanner, just go through the following steps.

Copy or print the following instructions so you will have them handy.

Run Hijack This, scan and check the following items (don't fix yet):

O4 - HKLM\..\Run: [A0481379] C:\WINDOWS\System32\jryzapur.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vtygbvs.exe
O4 - HKLM\..\Run: [Windows Update] host32.exe
O4 - HKLM\..\Run: [Spool Server Daemon] SPOOLSVD32.EXE
O4 - HKLM\..\Run: [Microsoft Protection Subsystems] msm32.exe
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [Microsoft Secure Server Config] rpcxConfig.exe
O4 - HKLM\..\Run: [Microsoft Config] msconf.exe
O4 - HKLM\..\Run: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winxpini.exe
O4 - HKLM\..\Run: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\Run: [Win Updator Services] ctfnom.exe
O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [Spool Server Daemon] SPOOLSVD32.EXE
O4 - HKLM\..\RunServices: [Microsoft Protection Subsystems] msm32.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\RunServices: [Microsoft Secure Server Config] rpcxConfig.exe
O4 - HKLM\..\RunServices: [Microsoft Config] msconf.exe
O4 - HKLM\..\RunServices: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winxpini.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [Win Updator Services] ctfnom.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunOnce: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\RunOnce: [Win Updator Services] ctfnom.exe

Close all browsers and windows except for Hijack This and click 'Fix Checked'.

Reboot into Safe Mode
http://www.jayloden.com/SafeMode.htm

Display hidden files and folders
Go to Start > Run
Enter: control folders
Go to the View tab.
Check "Show hidden files and folders"
Uncheck "Hide protected Operating System files"
Click OK

Delete the following files:
C:\WINDOWS\System32\jryzapur.exe
C:\WINDOWS\System32\vtygbvs.exe


Search for and delete the following files; most likely they will be in Windows\ or Windows\system32\:
wserv32.exe
host32.exe
SPOOLSVD32.EXE
msm32.exe
videosd32.exe
rpcxWindows.exe
rpcxConfig.exe
msconf.exe
navsw.exe
winxpini.exe
winnt.exe
ctfnom.exe
winmon.exe

*Be careful when deleting these files. Many legitimate Windows files have similar names. Double check and make sure each file you delete is on the list.

Clear Temporary Folders\Files and Internet Files
Go to start > run
Enter: cleanmgr

Make sure only the following are checked:
Temporary Internet files
Recycle Bin
Temporary Files

Click OK

Reboot Normally

Login for each user and repeat the steps for Clearing Temporary Folders\Files and Internet Files.

Flush System Restore
Right Click on "My Computer"
Select Properties
Go to the System Restore Tab
Check 'Turn off System Restore on all drives'.
Click Apply
Uncheck 'Turn off System Restore on all drives'
Click OK

Run Hijack This, scan, save and post the new log.
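As an added illustration (not part of the original posts and not HijackThis's own logic), the sketch below parses `O4` autorun lines and applies two structural checks that fit the log above: a command registered without any directory, and the same value registered under more than one autorun key. The function names `executable` and `triage` and the reason labels are hypothetical; the sample is a constructed subset of lines copied from that log.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of O4 lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [A0481379] C:\WINDOWS\System32\jryzapur.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKLM\..\RunOnce: [Norton SpySweeper AutoUpdate] navsw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
EXE_END = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)


def executable(command):
    """Return the program part of an autorun command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first program extension.
    m = EXE_END.match(command)
    return m.group(1) if m else command.split()[0]


def triage(log_text):
    """Map each flagged executable (lower-cased) to the set of reasons it was flagged."""
    entries = []
    keys_seen = defaultdict(set)
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue  # Global Startup lines and other sections are not handled here
        hive, key, name, command = m.groups()
        exe = executable(command)
        entries.append((hive, name, exe))
        keys_seen[(hive, name, exe.lower())].add(key)

    findings = {}
    for hive, name, exe in entries:
        reasons = set()
        if "\\" not in exe:
            reasons.add("no-path")    # bare file name, located through the search path
        if len(keys_seen[(hive, name, exe.lower())]) > 1:
            reasons.add("multi-key")  # same value under Run / RunServices / RunOnce
        if reasons:
            findings.setdefault(exe.lower(), set()).update(reasons)
    return findings


if __name__ == "__main__":
    for exe, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(exe, sorted(reasons))
```

These two checks are triage only: an entry such as `[A0481379] C:\WINDOWS\System32\jryzapur.exe`, which the reply above also lists, has a full path and sits under a single key, so it still needs a manual look.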
  • obaid740
  • Born
  • Posts: 1

Post 3+ Months Ago

This is my result after running HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 01:17:06, on 5/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\scvhost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\WDelMgr20.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\Explorer.exe
G:\Softwares\Anti Attacking Virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.0.1:8080
R3 - URLSearchHook: SrchHook Class - {F4F10C1D-87C7-404A-B4B3-000000000000} - D:\PROGRA~1\DAP\SBSearch.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... rols/en/x86/client/wuweb_site.cab?1211743932625
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... ient.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Update Service (gupdate1c996a8d08d7b58) (gupdate1c996a8d08d7b58) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: WDelMgr20 - Unknown owner - C:\WINDOWS\system32\drivers\WDelMgr20.exe

© 1998-2016. Ozzu® is a registered trademark of Unmelted, LLC.