Win XP Task Manager opens but instantly closes again

cerio (Proficient, Posts: 263, Loc: UK) - Post 3+ Months Ago

Hi,
I'm having a problem with Task Manager in Windows XP. It was fine until a few days ago and now, when I open it (Ctrl+Alt+Delete), it opens for a split second then immediately closes.

Can anyone suggest why this is happening and how I can fix it?


Thanks

C
HelloWorld (Newbie, Posts: 5) - Post 3+ Months Ago

Don't know, but my comp is also playing up, and it's not just the Task Manager that is not working: when I had gone into DOS to see what programs are running (in case I saw any viruses), this also closes on the open command after a couple of seconds.
JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

Most likely Spyware or a Virus.

You should do a complete virus scan. If you currently have your own anti-virus program, you should update the definitions and scan.

If you don't have any virus protection, go here:
http://housecall.trendmicro.com/

Next, you should scan for spyware. A good program is Ad-Aware.
http://www.lavasoftusa.com/software/adaware/

After installing, launch Ad-Aware, update the definitions, and follow these steps:

1) Go to settings (gear at the top), Tweak, Scanning Engine: Make sure 'Unload recognized process during scanning' is checked.
2) Under Cleaning Engine, make sure 'Let Windows remove files in use after next reboot' is checked. Click Proceed. Click Start
3) Use Custom Scanning Options. Make sure 'Activate in-depth scan' is checked.
4) Click Customize, Click Select Drives + Folders, Check the drive on which your OS is installed. Click Proceed, Click Next.
5) After Scanning has completed, Right-click in the found objects area, select all, click Next, click OK and let it remove all items.
6) Reboot.

Next, download HijackThis, run it, click Scan, save the log, and post the log here.
https://ssl.perfora.net/tools.radiospla ... ckThis.exe
HelloWorld (Newbie, Posts: 5) - Post 3+ Months Ago

See this forum:

Windows XP Task Manager starts and instantly terminates
JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

:scratchhead:
ATNO/TW (Super Moderator, Posts: 23458, Loc: Woodbridge VA) - Post 3+ Months Ago

cerio -- some people spent a lot of time giving help and answers in this thread:

http://www.ozzu.com/mswindows-forum/windows-task-manager-starts-and-instantly-teminates-t30390.html

Please read it first and see if any of that helps you.
HelloWorld (Newbie, Posts: 5) - Post 3+ Months Ago

Sorry about that, lads (and ladies), that was the forum I was supposed to post the link for. However, after being in there, I have all the virus software (AVG, Spybot, Ad-Aware 6, SpyHunter 2, etc.) and I can't find the problem. The Task Manager is still disappearing, as is DOS, and HijackThis does not seem to want to kick in either. It seems to start but then closes. I am just about to restart in safe mode; I will post any results.
HelloWorld (Newbie, Posts: 5) - Post 3+ Months Ago

Right, once in safe mode I ran HijackThis and the log is as follows:

Logfile of HijackThis v1.98.2
Scan saved at 14:52:17, on 12/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Virus software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meshcomputers.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [D4F181E3] C:\WINDOWS\System32\tvvothbzu.exe
O4 - HKLM\..\Run: [Microsoft Update] wssvrs.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\wpras.exe

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [restrictanonymous] 
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\7.tmp.exe

O4 - HKLM\..\Run: [Outlook Express Config] bbkzh.exe
O4 - HKLM\..\Run: [Outlook Express] znoov.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\urslwne.exe
O4 - HKLM\..\Run: [blah service] smnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Microsoft Update] wssvrs.exe
O4 - HKLM\..\RunServices: [4212CFD1] C:\WINDOWS\System32\tvvothbzu.exe

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [EnableDCOM] N
O4 - HKLM\..\RunServices: [MSN Messenger] jdkmety.exe
O4 - HKLM\..\RunServices: [Outlook Express Config] bbkzh.exe
O4 - HKLM\..\RunServices: [Outlook Express] znoov.exe
O4 - HKLM\..\RunServices: [blah service] smnp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe

O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {315D1BD2-0165-48AE-9F91-9CC271704FBA} (LRNPrint Class) - file://E:\Webfiles\LRN Viewer\HTML\lrniehlp.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Any ideas would be greatly appreciated

thanks
ATNO/TW (Super Moderator, Posts: 23458, Loc: Woodbridge VA) - Post 3+ Months Ago

Let's start by getting rid of the W32/Rbot-BV worm:
http://www.sophos.com/virusinfo/analyses/w32rbotbv.html

Make sure System Restore is disabled.

While in safe mode go to c:\Windows\System32
Delete WSSVRS.EXE

Go to regedit.
Delete the following keys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wssvrs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = wssvrs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wssvrs.exe

I'll type up a few more instructions to get rid of another worm here in a second. You might as well wait for that before you do the above so you can get rid of both of them at the same time.
ATNO/TW (Super Moderator, Posts: 23458, Loc: Woodbridge VA) - Post 3+ Months Ago

The other worm I see is WORM_SPYBOT.BR

http://www.trendmicro.com/vinfo/virusen ... BR&VSect=T

While in safe mode go to
C:\Windows\System32\
delete SCRGRD.EXE

In regedit delete the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Microsoft Restore = "scrgrd.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
Microsoft Restore = "scrgrd.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Microsoft Restore = "scrgrd.exe"

Rerun HijackThis, check these and "Fix":

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [EnableDCOM] N
O4 - HKLM\..\RunServices: [MSN Messenger] jdkmety.exe
O4 - HKLM\..\RunServices: [Outlook Express Config] bbkzh.exe
O4 - HKLM\..\RunServices: [Outlook Express] znoov.exe
O4 - HKLM\..\RunServices: [blah service] smnp.exe


That should get you far enough along to where you can run your other spyware removal tools without these creeping back in. They should have caught them the first time around, but give it a go around again. Do all of this in safe mode with system restore off.
HelloWorld (Newbie, Posts: 5) - Post 3+ Months Ago

ATNO/TW

Excellent advice, put to good use. Comp is working well. The only problem was that I had to do it for every user on the computer, which was a real pain but can't be helped. The only reason I mention it is in case anyone else is having the same problem. Anyway, thanks again for the advice.
helo53 (Born, Posts: 2) - Post 3+ Months Ago

Hey guys, I am having the same problem with Task Manager, regedit and msconfig. I am posting my HijackThis log also. Any help will be appreciated. I am off to work, so I will check the forum later this evening. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 11:15:44 AM, on 9/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Protector Plus\PPAVMon.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\icemgr.exe
C:\WINDOWS\System32\CSSRS.EXE
C:\WINDOWS\SYSCFG16.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Winsock2 driver] CSSRS.EXE
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] CSSRS.EXE
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Royal Vegas Poker (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.38 ... assets.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8853E9D-2756-4137-A186-A723A4323909}: NameServer = 205.188.146.146
LAbrego (brego from LA, Web Master, Posts: 2855) - Post 3+ Months Ago

First of all, turn off system restore.

//Edit, in case you are not sure how to turn off system restore:

For Windows XP

Log on with an administrative account.
Right-click the My Computer icon on the desktop and click Properties.
Click the System Restore tab.
Select Turn off System Restore.
Click Apply > Yes > OK.
Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
Re-enable System Restore by clearing Turn off System Restore.

----------------
First worm, Backdoor.Win32.Wisdoor.19968:

1. Reboot to safe mode. (You can reboot to safe mode by pressing F8 on startup.)

2. Using Windows Explorer, uncheck "Hide file extensions for known file types": [Tools] -> [Folder Options...] -> [View] -> uncheck "Hide file extensions for known file types"; also uncheck "Hide protected operating system files", click Yes to confirm and click OK.

3. Confirm whether "SYSCFG16.EXE" is executing and terminate the process: [Windows Task Manager] -> [Processes].

- Example of launching Windows Task Manager: on Windows 95/98/ME, press "CTRL+ALT+DELETE"; on Windows NT/2000/XP, press "CTRL+SHIFT+ESC".

4. Find the following file in the Windows folder and delete it.

- SYSCFG16.EXE (File size: 19,968 bytes, File attribute: Hidden)

5. After selecting [Start] -> [Run], type "regedit". (Registry editor is executed.)

6. Search for the value in the following path with the registry editor and delete it.

- HKEY_LOCAL_MACHINE\
Software\
Microsoft\
Windows\
CurrentVersion\
Run

- Name : Windows System Configuration
- Data : (Windows folder)\SYSCFG16.EXE

7. Close the registry editor.

8. Reboot the system.

//You have McAfee antivirus; I strongly recommend you get the latest virus definitions from McAfee.

//Rescan with HijackThis and post your log again.
LAbrego (brego from LA, Web Master, Posts: 2855) - Post 3+ Months Ago

Second one, WORM_AGOBOT.FX

1- Again, start in safe mode
2- Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
3- In the left panel, find the following key:
- HKEY_LOCAL_MACHINE\
Software\
Microsoft\
Windows\
CurrentVersion\
Run

4- In the right panel, locate and delete the entry:

WinFX = "cssrs.exe"
Display Drivers = "cssrs.exe"

5- In the left panel, find the following key:
- HKEY_LOCAL_MACHINE\
Software\
Microsoft\
Windows\
CurrentVersion\
RunServices

6- In the right panel, locate and delete the entry:
WinFX = "cssrs.exe"
Display Drivers = "cssrs.exe"

7- Again in the left panel, locate and delete the following:
HKEY_LOCAL_MACHINE\
System\
CurrentControlSet\
Services\
Driver

8- Close Registry Editor and restart your system
9- Go to C:\WINDOWS\System32\ and delete this file CSSRS.EXE

Note: Check your spelling very carefully when you delete this file; it is CSSRS.exe, NOT CSRSS.exe. The latter is in fact a system file.
LAbrego (brego from LA, Web Master, Posts: 2855) - Post 3+ Months Ago

Not sure about these ones; I will research them if no one comes up with some information:

O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll


O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

labrego wrote:
Not sure about these ones; I will research them if no one comes up with some information:

O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll


No information whatsoever. That is suspicious in itself. I would get rid of them. HijackThis can restore them if necessary, and that file can be moved temporarily.

Quote:
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe

Now these are definitely bad. Any task which is set up to launch at startup from multiple locations is no good. No legitimate Windows program or service would be set up like this.
LAbrego (brego from LA, Web Master, Posts: 2855) - Post 3+ Months Ago

JrzyCrim wrote:
labrego wrote:
Not sure about these ones; I will research them if no one comes up with some information:

O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll


No information whatsoever. That is suspicious in itself. I would get rid of them. HijackThis can restore them if necessary, and that file can be moved temporarily.

Quote:
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe

Now these are definitely bad. Any task which is set up to launch at startup from multiple locations is no good. No legitimate Windows program or service would be set up like this.


Agreed Jim, just wanted to be sure and wait for the master's return :wink: *Igor voice* maaaster lol, jk
thommata (Born, Posts: 1) - Post 3+ Months Ago

Help please.

I am trying to help a friend clean her PC. Here is what I have done. I have updated AV and run a full scan; multiple viruses were found and cleaned. Ran Ad-Aware multiple times and cleaned files. Ran a VB script to remove the disable-regedit setting. I can boot to safe mode and launch regedit and it is fine. When I log in as a user with admin rights, regedit opens and closes when run. I then opened Norton AV and noticed that Auto-Protect was not enabled; tried to enable it and could not. Also, every time I launch a browser and try to go to the Norton site or McAfee, it redirects me to some ad123 site that then launches multiple browsers. I have also run HijackThis and used it to remove the O7 reg reference; still no regedit. Any help would be fantastic. Here is the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 9:50:36 AM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\ZONEALARMUPDATE.EXE
C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\AIM\aim.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 127.208.109.145 http://www.symantec.com
O1 - Hosts: 127.139.62.44 securityresponse.symantec.com
O1 - Hosts: 127.254.139.74 symantec.com
O1 - Hosts: 127.128.106.240 http://www.mcafee.com
O1 - Hosts: 127.113.55.99 mcafee.com
O1 - Hosts: 127.131.210.24 us.mcafee.com
O1 - Hosts: 127.52.55.3 http://www.sophos.com
O1 - Hosts: 127.148.126.103 sophos.com
O1 - Hosts: 127.140.3.237 http://www.viruslist.com
O1 - Hosts: 127.112.18.5 viruslist.com
O1 - Hosts: 127.214.253.244 f-secure.com
O1 - Hosts: 127.82.182.95 http://www.f-secure.com
O1 - Hosts: 127.86.252.70 kaspersky.com
O1 - Hosts: 127.25.55.68 http://www.avp.com
O1 - Hosts: 127.124.188.120 http://www.kaspersky.com
O1 - Hosts: 127.209.173.136 avp.com
O1 - Hosts: 127.141.200.92 http://www.networkassociates.com
O1 - Hosts: 127.229.67.144 networkassociates.com
O1 - Hosts: 127.183.253.6 http://www.ca.com
O1 - Hosts: 127.85.243.153 ca.com
O1 - Hosts: 127.240.183.142 my-etrust.com
O1 - Hosts: 127.201.94.150 http://www.my-etrust.com
O1 - Hosts: 127.54.65.109 secure.nai.com
O1 - Hosts: 127.95.2.248 nai.com
O1 - Hosts: 127.2.45.139 http://www.nai.com
O1 - Hosts: 127.118.117.194 trendmicro.com
O1 - Hosts: 127.28.141.83 http://www.trendmicro.com
O1 - Hosts: 127.247.125.171 housecall.trendmicro.com
O1 - Hosts: 127.0.81.108 http://www.pandasoftware.com
O1 - Hosts: 127.190.17.75 http://www.bitdefender.com
O1 - Hosts: 127.159.51.235 http://www.ravantivirus.com
O1 - Hosts: 127.55.170.126 www3.ca.com
O1 - Hosts: 127.32.246.16 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.71.116.129 windowsupdate.microsoft.com
O1 - Hosts: 127.228.227.246 http://www.windowsupdate.com
O1 - Hosts: 127.27.50.118 windowsupdate.com
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\faye haas\Local Settings\Temp\wCfruvdA.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kuljblwp.exe
O4 - HKLM\..\Run: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARMUPDATE.EXE
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] C:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\Run: [DC4j] C:\documents and settings\faye haas\local settings\temp\DC4j.exe
O4 - HKLM\..\Run: [dO6eE] C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\TafqX5mo.exe
O4 - HKLM\..\Run: [fcb8f7189662] C:\WINDOWS\System32\CLBCATQ2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [DriveService16] sysserv16.exe -drivers
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKCU\..\Run: [d0q3RVeFg] ixstls.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARMUPDATE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5197190017
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Adqlai32.dll (file missing)



Thank you in advance,

Tom
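The checks the helpers in this thread apply by eye can be scripted. The following is an added example written for this page (it is not code from the thread, from HijackThis, or from any of the posters). It parses O4 and O1 lines in the HijackThis log format shown above and applies three rules stated in the thread: JrzyCrim's rule that an executable launched from more than one Run location is malicious; the hosts-file hijack visible in Tom's log, where security-vendor and Windows Update names are pointed into 127.0.0.0/8 (every address in that block is loopback, so the real site is never reached); and LAbrego's warning about CSSRS.EXE versus CSRSS.EXE, generalised to any name one edit or adjacent swap away from a core system process name. It then lists the registry values to delete, and the files to delete afterwards, in the order ATNO/TW's manual instructions use. SAMPLE_LOG is a constructed excerpt shaped like the posted logs, not a real log; the system-process list, the one-edit threshold, and the stripping of the `http://` prefix (a forum auto-link artifact in the posted hosts lines) are my assumptions.

```python
"""Offline triage of a HijackThis-style log (added example, not code from this thread).

Rules taken from the thread: an executable launched from more than one Run
location is malicious; an O1 hosts entry that points a vendor or update host
into 127.0.0.0/8 (every address there is loopback, so the site is never
reached) is a hijack; a file name one edit or adjacent swap away from a core
NT process name (CSSRS vs CSRSS) is a look-alike. SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOOPBACK = ip_network("127.0.0.0/8")
# Assumed list of core NT process names used for the look-alike check.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
EXE_RE = re.compile(r"(.*?\.(?:exe|com|scr|pif|bat|dll))\b", re.I)

# Constructed excerpt shaped like the logs posted in this thread, not a real log.
SAMPLE_LOG = r"""
O1 - Hosts: 127.208.109.145 www.symantec.com
O1 - Hosts: 127.71.116.129 windowsupdate.microsoft.com
O1 - Hosts: 127.128.106.240 http://www.mcafee.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\Run: [Winsock2 driver] CSSRS.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] CSSRS.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""


def command_name(command):
    """Lowercase base name of the executable an O4 command launches (quoted
    or bare path, with or without arguments)."""
    m = EXE_RE.match(command.strip().lstrip('"'))
    exe = m.group(1) if m else command.split()[0] if command.strip() else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent swaps."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike(filename):
    """System binary that `filename` imitates, or None (exact match or unrelated)."""
    name = filename.lower()
    if name in SYSTEM_NAMES:
        return None
    return next((real for real in SYSTEM_NAMES if osa_distance(name, real) == 1), None)


def parse_autostarts(log_text):
    """Yield (hive, key, value_name, exe_basename) for every O4 line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            yield hive, key, name, command_name(command)


def multi_location_autostarts(log_text):
    """JrzyCrim's rule: executables registered in more than one Run location."""
    where = defaultdict(set)
    for hive, key, _name, exe in parse_autostarts(log_text):
        where[exe].add(hive + "\\" + key)
    return {exe: sorted(locs) for exe, locs in where.items() if len(locs) > 1}


def lookalike_autostarts(log_text):
    """Autostart executables whose name imitates a core system process."""
    found = {exe: lookalike(exe) for _h, _k, _n, exe in parse_autostarts(log_text)}
    return {exe: real for exe, real in found.items() if real}


def hijacked_hosts(log_text):
    """O1 entries that sink a non-localhost name into 127.0.0.0/8."""
    hits = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if not m:
            continue
        addr, host = m.group(1), m.group(2).lower()
        if host.startswith("http://"):  # forum auto-link residue in the posted logs
            host = host[7:]
        if ip_address(addr) in LOOPBACK and host != "localhost":
            hits.append((host, addr))
    return hits


def removal_plan(log_text):
    """Registry values to delete, then files to delete, for flagged executables,
    in the order the thread's manual instructions use."""
    bad = set(multi_location_autostarts(log_text)) | set(lookalike_autostarts(log_text))
    values = {(hive + "\\" + RUN_KEY + key, name, exe)
              for hive, key, name, exe in parse_autostarts(log_text) if exe in bad}
    return sorted(values), sorted(bad)


if __name__ == "__main__":
    print("multi-location:", multi_location_autostarts(SAMPLE_LOG))
    print("look-alikes:", lookalike_autostarts(SAMPLE_LOG))
    print("hosts hijacks:", hijacked_hosts(SAMPLE_LOG))
    print("removal plan:", removal_plan(SAMPLE_LOG))
```

To use it on a real log, read the saved HijackThis text file and pass its contents instead of SAMPLE_LOG; since the malware in these posts kills Task Manager and regedit from a normal session, generate the log and apply the plan from safe mode, as the thread advises. The look-alike check deliberately stops at one edit: a looser threshold would start matching legitimate vendor binaries.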
JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

Hello Tom, welcome to Ozzu. Thanks for the detailed information.

Print or save the following so that you will have these instructions handy.

Run HijackThis, go to Config > Misc Tools > Open Process Manager.
Select the following one at a time and click Kill Process:

C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\PROGRA~1\Web Offer\wo.exe


Click Back in the lower right of HijackThis.

Click Scan and check the following items. Don't Fix yet.

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 127.208.109.145 http://www.symantec.com
O1 - Hosts: 127.139.62.44 securityresponse.symantec.com
O1 - Hosts: 127.254.139.74 symantec.com
O1 - Hosts: 127.128.106.240 http://www.mcafee.com
O1 - Hosts: 127.113.55.99 mcafee.com
O1 - Hosts: 127.131.210.24 us.mcafee.com
O1 - Hosts: 127.52.55.3 http://www.sophos.com
O1 - Hosts: 127.148.126.103 sophos.com
O1 - Hosts: 127.140.3.237 http://www.viruslist.com
O1 - Hosts: 127.112.18.5 viruslist.com
O1 - Hosts: 127.214.253.244 f-secure.com
O1 - Hosts: 127.82.182.95 http://www.f-secure.com
O1 - Hosts: 127.86.252.70 kaspersky.com
O1 - Hosts: 127.25.55.68 http://www.avp.com
O1 - Hosts: 127.124.188.120 http://www.kaspersky.com
O1 - Hosts: 127.209.173.136 avp.com
O1 - Hosts: 127.141.200.92 http://www.networkassociates.com
O1 - Hosts: 127.229.67.144 networkassociates.com
O1 - Hosts: 127.183.253.6 http://www.ca.com
O1 - Hosts: 127.85.243.153 ca.com
O1 - Hosts: 127.240.183.142 my-etrust.com
O1 - Hosts: 127.201.94.150 http://www.my-etrust.com
O1 - Hosts: 127.54.65.109 secure.nai.com
O1 - Hosts: 127.95.2.248 nai.com
O1 - Hosts: 127.2.45.139 http://www.nai.com
O1 - Hosts: 127.118.117.194 trendmicro.com
O1 - Hosts: 127.28.141.83 http://www.trendmicro.com
O1 - Hosts: 127.247.125.171 housecall.trendmicro.com
O1 - Hosts: 127.0.81.108 http://www.pandasoftware.com
O1 - Hosts: 127.190.17.75 http://www.bitdefender.com
O1 - Hosts: 127.159.51.235 http://www.ravantivirus.com
O1 - Hosts: 127.55.170.126 www3.ca.com
O1 - Hosts: 127.32.246.16 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.71.116.129 windowsupdate.microsoft.com
O1 - Hosts: 127.228.227.246 http://www.windowsupdate.com
O1 - Hosts: 127.27.50.118 windowsupdate.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\faye haas\Local Settings\Temp\wCfruvdA.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kuljblwp.exe
O4 - HKLM\..\Run: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] C:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\Run: [DC4j] C:\documents and settings\faye haas\local settings\temp\DC4j.exe
O4 - HKLM\..\Run: [dO6eE] C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\TafqX5mo.exe
O4 - HKLM\..\Run: [fcb8f7189662] C:\WINDOWS\System32\CLBCATQ2.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [DriveService16] sysserv16.exe -services
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [DriveService16] sysserv16.exe -drivers
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKCU\..\Run: [d0q3RVeFg] ixstls.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Adqlai32.dll (file missing)


Close all browsers and windows except Hijack this and click Fix Checked.

Reboot into Safe Mode.

Find and delete the following files:
C:\WINDOWS\System32\ws2_32s.exe
C:\documents and settings\faye haas\local settings\temp\dO6eE.exe
C:\WINDOWS\System32\CLBCATQ2.exe
C:\WINDOWS\System32\kuljblwp.exe
C:\WINDOWS\System32\ws2_32s.exe
C:\WINDOWS\System32\TafqX5mo.exe
C:\WINDOWS\System32\CLBCATQ2.exe


Delete the following folders:
C:\PROGRA~1\Web Offer\

Search for these files and delete if found:
mssecure.exe
sysserv16.exe
wudmate.exe
ipconfigs.exe
ixstls.exe


Go to start > run, enter: cleanmgr

Make sure only the following are checked:

Temporary Internet files
Recycle Bin
Temporary Files


Click OK

Reboot into normal mode. Run Hijack This, Scan and save the log. Post the new log here.
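As an added illustration of what this procedure is hunting for (not code from the thread or from HijackThis itself): a small triage script that reads HijackThis-style O1 and O4 lines and flags the three patterns seen above, namely security-vendor and Windows Update names pointed into 127.0.0.0/8 in the hosts file, autostart entries that run from a Temp folder or give no directory at all, and file names one character away from a real system binary (ws2_32s.exe, CLBCATQ2.exe, swchost.exe). The sample lines and the list of system names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample shaped like the O1 (hosts) and O4 (Run key) lines in the
# log above; not the original log, and the user name is replaced with "user".
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.118.117.194 trendmicro.com
O1 - Hosts: 127.71.116.129 windowsupdate.microsoft.com
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Microsoft Winsock Wrapper] C:\\WINDOWS\\System32\\ws2_32s.exe
O4 - HKLM\\..\\Run: [dO6eE] C:\\documents and settings\\user\\local settings\\temp\\dO6eE.exe
O4 - HKLM\\..\\RunServices: [Microsoft Update] wudmate.exe
"""
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Stems of real Windows binaries that ws2_32s.exe, CLBCATQ2.exe and swchost.exe imitate.
SYSTEM_STEMS = {"ws2_32", "clbcatq", "svchost", "lsass", "smss", "winlogon", "explorer"}
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[([^\]]*)\] (.*)$")
# Quoted path, or an unquoted path up to the first .exe/.dll/.dat token.
PATH_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|dat))(?=\s|$)', re.I)


def lookalike(stem, legit):
    # Same length with one substituted character, or legit plus one trailing character.
    return stem != legit and (stem[:-1] == legit or len(stem) == len(legit)
                              and sum(a != b for a, b in zip(stem, legit)) == 1)

def check_hosts(addr, name):
    # Anything but localhost mapped into 127/8 is a hosts hijack: the whole block
    # resolves to the local machine, so the vendor or update site is unreachable.
    if name.lower() == "localhost":
        return None
    try:
        hijacked = ipaddress.ip_address(addr) in LOOPBACK
    except ValueError:
        return f"{name}: unparseable address {addr}"
    return f"{name} redirected to loopback {addr}" if hijacked else None

def check_run_entry(command):
    # Flag a Temp-folder start, a bare file name, or a near-miss of a system binary.
    m = PATH_RE.match(command.strip())
    if not m:
        return "no recognisable executable in command"
    parts = (m.group(1) or m.group(2)).lower().split("\\")
    name, stem = parts[-1], parts[-1].rsplit(".", 1)[0]
    if "temp" in parts[:-1]:
        return f"{name} runs from a Temp folder"
    if len(parts) == 1:
        return f"{name} has no directory; verify where it actually resides"
    for legit in SYSTEM_STEMS:
        if lookalike(stem, legit):
            return f"{name} imitates system binary {legit}"
    return None

def triage(log_text):
    # Return (line, reason) for every suspicious O1/O4 entry in the log.
    findings = []
    for line in log_text.splitlines():
        reason = None
        if m := O1_RE.match(line):
            reason = check_hosts(m.group(1), m.group(2))
        elif m := O4_RE.match(line):
            reason = check_run_entry(m.group(3))
        if reason:
            findings.append((line, reason))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the five flagged lines with their reasons; the localhost and ccApp lines pass through silently.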
  • helo53
  • Born
  • Posts: 2

Post 3+ Months Ago

Sorry guys, no update on my system yet. I have been so busy I haven't had time to repair the problems on my PC, although I am very confident it will be a good fix. I will keep you posted and post my HijackThis when finished.

Thanks Helo53
  • amadeus
  • Born
  • Posts: 2

Post 3+ Months Ago

Hi, I'm new here and am experiencing similar problems: the task manager isn't working, as well as regedit and my antivirus software (Norton). The window appears for a split-second then disappears suddenly.
Also, when I start up my computer, the internet connection speed is fine, but after a few minutes or so it quickly begins to slow down until my PC cannot detect a connection anymore. When I reboot, the internet speed is fine again, but the same problem occurs after a few minutes. Something is eating up the bandwidth.
I think I know what the problem is, though I cannot fix it. The file "hjdjhaid.exe" is running in the background (as seen in my task list), and fails to end when I shut down my computer, causing a popup window to appear every time. I manually tried to delete the file in the windows/prefetch folder where it is located, but whenever I do, it disappears and reappears again in the same folder.
Anyway, here is the log file from HijackThis... hope someone can help me because I'm lost. Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 12:18:37 AM, on 10/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Toby Corona\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Msi Setup] mssetup.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\tixbmquj.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
O4 - HKLM\..\Run: [MS FIREWALL] msfirewall.exe
O4 - HKLM\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [MS FIREWALL] msfirewall.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wuagmsd.exe
O4 - HKCU\..\Run: [Msi Setup] mssetup.exe
O4 - HKCU\..\Run: [Windows Monitor] winmon.exe
O4 - HKCU\..\Run: [MS FIREWALL] msfirewall.exe
O4 - HKCU\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKCU\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKCU\..\RunServices: [MS FIREWALL] msfirewall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Hcoklfqh.dll
  • bradcj
  • Born
  • Posts: 2

Post 3+ Months Ago

Despite trying to solve this same problem without posting, I have run out of things to do and am asking for help.

After removing a number of files per other suggestions (e.g., all the /Temp files in the users' Local Settings folders) and performing a number of actions and running removal tools, key programs like msconfig immediately close on running despite all of the following actions being done.

I have AVG 7.0 with no virus reported
I have SpyBot 1.3 with only 5 DSO errors showing
I have Norton AntiVirus 2003 with the latest definitions with no virus showing
I have Ad-aware 6.0 with reference file 01R343 04.10.2004 and no problems showing

I also ran a Recovery boot from the installation disk
I ran SFC
I ran the AVG vcleaner utility
I cleaned out my recycle bin
I ran PepiMK's CoolWWWSearch.SmartKiller removal tool

Below is my HijackThis output
Logfile of HijackThis v1.97.7
Scan saved at 12:56:05 PM, on 10/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\QTIMER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\Brad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weekapauggolfclub.com/Club/S ... e/home.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: P3P Client - {00000178-CD4A-447a-BCF9-6FD0096B5527} - C:\PROGRA~1\PRIVAC~1\P3PCLI~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Quicktime Runtime] QTIMER.EXE
O4 - HKCU\..\RunOnce: [Quicktime Runtime] QTIMER.EXE
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdat ... t/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C ... 7879.53875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab


Please can somebody help me?

Brad
  • ATNO/TW
  • Super Moderator
  • Posts: 23458
  • Loc: Woodbridge VA

Post 3+ Months Ago

Brad -- if nobody else gets to it first, I'll try to take a look at it later this evening when I get home.
  • bradcj
  • Born
  • Posts: 2

Post 3+ Months Ago

I believe I have traced down the actual problem. The key, pardon the pun, was the Qtimer entries, which I was fooled into thinking were related to QuickTime.

If I have this correctly, this is a variant of an AOL AIM trojan backdoor which goes by several names: msnguyen.exe, aolmsngr.exe, msginab.exe and now also (apparently) including qtimer.exe (spelled QtimeR.exe for detail's sake).

I somehow stumbled across several descriptions including:
http://computercops.biz/postp307801.html
http://www.tech-recipes.com/instant_mes ... ps575.html

To resolve this required using a Process Explorer described in this article:
http://www.geocities.com/cumquat18/elimiexplorer.html

I followed the instructions, substituting QtimeR.exe for ElimiExplore.exe everywhere where appropriate (e.g., deleting processes, files, and Registry entries).

I now have control back of my system and full use of system commands from the Run interface for regedit, msconfig, etc.

I plan on rerunning all of my various adware, virus, trojan detectors and to rerun sfc to ensure I haven't messed up things or left the little bugger around someplace else.

Thank you for letting me post here and get help.

Brad
  • ATNO/TW
  • Super Moderator
  • Posts: 23458
  • Loc: Woodbridge VA

Post 3+ Months Ago

Hey, thanks for the update and the great info. Timing was perfect. I just got home a bit ago and was just sitting down to look at this.
  • Hidden Danger
  • Newbie
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

I have a similar problem:

opening regedit - closes again straightaway
opening regedt32 - closes again straightaway
ctrl alt del / tsk mgr - closes again straightaway
all of the above also happen in safe mode.

I've disabled system restore and I've run spybot 1.3 and fixed all problems. I've also run a full virus check of the system with Kaspersky AV (updated today).

I've installed hijack and the file is as below:

Logfile of HijackThis v1.98.2
Scan saved at 22:59:40, on 09/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize

Many thanks in anticipation
  • ATNO/TW
  • Super Moderator
  • Posts: 23458
  • Loc: Woodbridge VA

Post 3+ Months Ago

That's a pretty clean and simple looking log. The only thing that jumps out at me is Explorer.EXE in your running processes. Yes, I know explorer.exe should be there, but in my XP (SP2) it is explorer.exe (all small case) - not Explorer.EXE

I'm wondering if you had a nasty replace your explorer shell. Take a look in C:\WINDOWS\ and see if you have different variations of explorer.exe
  • Hidden Danger
  • Newbie
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

Hi, the only entries I can see like explorer in c:\windows are:

EXPLORER (no extension - the type is listed as Windows Explorer command)
explorer.exe (981KB modified 29.08.02 06:00)

thanks.
  • Hidden Danger
  • Newbie
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

P.S. yep, on my own PC with SP2 (the one with a problem is a friend's) it also lists explorer.exe and not .EXE.

By the way I don't know if this is relevant but the install of SP2 on my friend's machine took 24hrs + !!!
  • Hidden Danger
  • Newbie
  • Posts: 12
  • Loc: The Moon

Post 3+ Months Ago

now then, if I kill the explorer.EXE process using Hijack I can then open Task Mgr ok. However, if I then run regedt32 (which just closes straightaway again) and then ctrl / alt / del tsk mgr closes straightaway again.

Maybe I could copy the explorer.exe from my other pc to this one?
