Windows XP Task Manager starts and instantly teminates

  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

All of sudden, it seems, task manager will not stay running. I cntl/alt/del it starts an instantly terminates. Anyone know why?
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Found this:
http://www.mcse.ms/message899814.html


Google:
Task Manager Closes

Good Luck
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

Ran NAV, AdAware, Spybot, Found no viruses. Still have problem.
???
  • KnightHawk
  • Born
  • Born
  • KnightHawk
  • Posts: 4
  • Loc: Alwayes Here

Post 3+ Months Ago

i'm quite sure that u have a "worm or spam" that make your TASK manager stop no antivirus can detect it try this :-

"SPYBOT" you can find it at download.com it's free ware maybe it can help if not try to go 2 "msconfig" then "startup" tab and disable unknown files that start with unknown letters.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Can you run regedit? or does that terminate also?

If so, my best guess is what's included in the link JrzyCrim provided above

Probably W32.Spybot.Worm
http://securityresponse.symantec.com/av ... .worm.html

You might also check the replies here (scroll down to see):
http://www.experts-exchange.com/Applica ... 77095.html
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

installed an ran spyboth and ad aware.
Still task manager flashes and terminates.
also REGEDIT does the same
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Search through the links provided carefully. If you are still having trouble download Hijack This

Run it, click scan, save your log and post it here. Don't fix anything yet. Just post your log and we'll see what's going on...
  • SimonTemplar
  • Novice
  • Novice
  • User avatar
  • Posts: 21

Post 3+ Months Ago

dude i have seen this before but it is a worm over there in your system
unfourtinatly the only solution was to reinstall the system. i have done all what i know which toke like 5 hours and the same problem still there
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

I have run hijack. What do I look for?
and yes REGEDIT does the same this.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

JrzyCrim wrote:
Run it, click scan, save your log and post it here. Don't fix anything yet. Just post your log and we'll see what's going on...
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

You can post your hijackthis log here. We'll help if possible.
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

Logfile of HijackThis v1.98.2
Scan saved at 9:18:54 PM, on 9/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\OHWNBEIU.EXE
C:\QUICKENW\QAGENT.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Tom Palmer\My Documents\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AOL Instent Messenger] OHWNBEIU.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] OHWNBEIU.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanButton 2.1.lnk = C:\Program Files\ScanButton 2.1\ScanButton.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

I don't see anything that needs to be fixed. Your log looks clean to me.


Try the online virus scan here and see if it turns up anything:

http://housecall.trendmicro.com/

In the meantime, I'll see if I can turn up any other causes for your problem.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Man -- that looks pretty darn clean to me.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Given the fact that you apparently use AIM, there is a possibility of this:

http://reviews.cnet.com/5208-6132-0.htm ... eID=372092

Although I don't see any evidence of it in your log file. Also checked several variants (under symantec's name)
http://reviews.cnet.com/5208-6132-0.htm ... eID=372092

Looks like you have the same problem as the first link, but I don't see in your log where it might be.

Have you tried MSCONFIG and does it close too, like others are having problems with?
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Those sneaky bastards. I think this is the problem: OHWNBEIU.EXE

Kill that process: Enter this in start > Run:

TASKKILL /F /IM OHWNBEIU.EXE


Run Hijack this again, scan and fix these entries:

O4 - HKLM\..\Run: [AOL Instent Messenger] OHWNBEIU.EXE
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] OHWNBEIU.EXE

Go to your system32 directory and delete OHWNBEIU.EXE.


Looking through some other logs on the web I saw various programs masquerading as AOL Instant Messenger. That certainly is an odd name for a file.
  • Foxy
  • Guru
  • Guru
  • User avatar
  • Posts: 1036
  • Loc: places..

Post 3+ Months Ago

wat about this

Quote:
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe


that looks suspicious..
"Pop up"
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Foxy wrote:
wat about this

Quote:
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe


that looks suspicious..
"Pop up"


That's actually a program used to control pop-ups:
http://www.liutilities.com/products/win ... ary/dpps2/

I think JrzyCrm has it though. I was wondering about that file, and just assumed it to be part of AIM. I couldn't find anything on the net about it period. I'm pretty positive Jim's solution will fix it.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

I glanced over that file the first time. It caught my attention but not enough to really pursue it as a problem. Going over the log again, I noticed it does have an odd filename. The fact that I couldn't find anything about it either increased my suspicion so I did a google search for "O4 - HKLM\..\Run: [AOL Instent Messenger]". There where some posted logs that contained similar entries that needed to be removed:

O4 - HKLM\..\Run: [AOL Instent Messenger] DBDUCTIF.EXE and
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] EEPBIUNJ.EXE for example.

I don't believe AIM places any files in system32; at least not executables. I could be wrong though.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Makes sense. I tried the same search, but used the whole key for the search. No wonder I didn't find anything.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

OMG are we blind or what? Look at the spelling in the regkey:

Quote:
[AOL Instent Messenger]


Since when is "Instant" spelled "Instent"? *lmao
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

!!! I didn't even notice that. Geez, that should have been a dead give away.

*hangs head in shame* :lol:
  • Foxy
  • Guru
  • Guru
  • User avatar
  • Posts: 1036
  • Loc: places..

Post 3+ Months Ago

Lazy Aol cant spell correctly :P


eh, good to know..
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

heehee...I didn't see it either until I saw them all grouped together in Jims prior post. Then I'm like, "what's up with that"?
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

For the benefit of TDP1954x I'm posting the removal instructions (modified) again. In case he missed my first post.
----------------------------------------

I think this is the problem: OHWNBEIU.EXE

Kill that process: Enter this in start > Run:

TASKKILL /F /IM OHWNBEIU.EXE


Run Hijack this again, scan and fix these entries:

O4 - HKLM\..\Run: [AOL Instent Messenger] OHWNBEIU.EXE
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] OHWNBEIU.EXE

Go to your system32 directory and delete OHWNBEIU.EXE.

If you can't delete that file or can't find it, try entering these commands from a command prompt:
Code: [ Select ]
attrib -r -h -s %systemroot%\system32\OHWNBEIU.EXE
del %systemroot%\system32\OHWNBEIU.EXE
  1. attrib -r -h -s %systemroot%\system32\OHWNBEIU.EXE
  2. del %systemroot%\system32\OHWNBEIU.EXE


See if you can launch task manager and regedit. Reboot and try task manager and regedit again. Do another scan with Hijack this and post the new log. Just to be safe...


In my search for a solutution, I did run across a nice little program called Process Explorer.
http://www.sysinternals.com/ntw2k/freew ... cexp.shtml

Its more detailed than Task Manager and it's free.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Try running MSCONFIG as well. This appears to be affected also. What it appears to me what this trojan is doing is attempting to block any means you have of killing it's processes.
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

rab virus check, found no viruses
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Okay. Try following the instructions in my last post and see if that takes care of the problem.
  • LAbrego
  • brego from LA
  • Web Master
  • User avatar
  • Posts: 2856

Post 3+ Months Ago

ATNO/TW wrote:
OMG are we blind or what? Look at the spelling in the regkey:

Quote:
[AOL Instent Messenger]


Since when is "Instant" spelled "Instent"? *lmao


LOL, I saw that at the first glance at Jim's post, but I never tought you didn't notice, in fact, I thought you where telling TDP1954x to fix it because you saw the spelling not the name of the file!! LOL
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

Yes MSCONFIG does the same thing. Looks like my fate is sealed. Probably have to reload the os.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Did you try JrzyCrim's instructions right above where I asked you about MSCONFIG? If not, please try it before reformatting. That should do it.
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

I performed all the steps as instructed. taskmgr, regedit and msconfig now work properly. I did a search on the hard drive for *ohwn*.* and found the following in c:\windows\prefetch\OHWNBEIU.EXE-0BC1DA53.PF. I assume this needs to be deleted as well. The updated hijackthis log is included. Thanks for the help.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\QUICKENW\QAGENT.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Documents and Settings\Tom Palmer\My Documents\Download\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Looks good now. Glad you got everything squared away!
Cheers
  • MOC
  • Proficient
  • Proficient
  • User avatar
  • Posts: 490
  • Loc: Ocean City , Maryland

Post 3+ Months Ago

Yea you can never rule out the fact that you may have
some underlying (evil) there in Registry...But

were going to fix you .lol ,,this is a utility that
(just until you get fixed) will make a new MsConfig,
Regedit,and TaskManager

When you run it,it will create a folder : C:\ EmergencyUtils.
I've used it countless times on PC's

http://www.dougknox.com/xp/utils/xp_emergencyutil.zip

Also along with Hijack this,Ad-Aware SE,SpyBot,and a good
(i like free) Virus program....not alot of people have heard of

Bazooka Spyware Scanner
http://www.kephyr.com/spywarescanner/

It has found stuff that all those others ,have not .
it's real small 718kb and has weekly updates
The only problem is ,you have to go into the Registry
manually to correct the problem(and it tells you just
how to do that if you don't have much time in the Registry
Editor
  • MOC
  • Proficient
  • Proficient
  • User avatar
  • Posts: 490
  • Loc: Ocean City , Maryland

Post 3+ Months Ago

disregard.lol
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Contratulations. I was hoping that do it. I was fresh out of idears. :lol:
  • airsa
  • Newbie
  • Newbie
  • airsa
  • Posts: 5

Post 3+ Months Ago

Logfile of HijackThis v1.97.7
Scan saved at 3:00:23 PM, on 9/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\mssetup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cleanup.exe
C:\Documents and Settings\DAR\Desktop\Airsa\Installers\mack.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Msi Setup] mssetup.exe
O4 - HKLM\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Guard] waumgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Msi Setup] mssetup.exe
O4 - HKCU\..\RunServices: [Msi Setup] mssetup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/active ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/active ... veData.cab




This is my log file. I experience also the same thing as the other guy did exept i dont use that messenger. Help!!!!!
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Sorry airsa. You caught us at a bad time. Not many people on this early in the morning. If you do come back, please follow these instructions carefully. You have many things that need to be removed.

First Download and install ad-aware and follow these steps:
http://www.lavasoftusa.com/software/adaware/
Close all programs you have running.

1) Check for updates
2) Go to settings (gear at the top), Tweak, Scanning Engine: Make sure 'Unload recognized process during scanning' is checked.
3) Under Cleaning Engine, make sure 'Let Windows remove files in use after next reboot' is checked. Click Proceed. Click Start
4) Use Custom Scanning Options. Make sure 'Activate in-depth scan' is checked.
5) Click Customize, Click Select Drives + Folders, Check the drive on which your OS is installed. Click Proceed, Click Next.
6) After Scanning has completed, Right-click in the found objects area, select all, click Next, click OK and let it remove all items.
7) Reboot.

Run Hijack-this, scan and post your new log. From there we will try to fix whatever remains.
  • airsa
  • Newbie
  • Newbie
  • airsa
  • Posts: 5

Post 3+ Months Ago

Just for clarification, here are the things i experience:

I cannot open MSCONFIG, REGEDIT, TASK MANAGER, Norton Systemworks and Norton AntiVirus

For MSCONFIG, REGEDIT, TASK MANAGER, Norton Systemworks, if i change their names i get to open them

e.g.

NMain.exe to stupid.exe, Norton Systemworks would run but i wont be able to scan.

No OHWN... exe stuff on my logfile as well as my task manager.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Okay. Turn off system restore first then follow the instructions in my last post. We'll go from there.

Also, download the latest version of Hijack This.
  • airsa
  • Newbie
  • Newbie
  • airsa
  • Posts: 5

Post 3+ Months Ago

Sorry about adding to many entries


Just to add more problems, It seems my NAV is completely down. Liveupdate is gone, auto-protect is not working (and no matter what i do, i get errors when i try to activate the auto-protect). And whenever i press scan, NAV dont do any scanning at all...

SPYBOT wasnt able to find anythin
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

It's probably because your system is riddled with spyware/malware.
  • airsa
  • Newbie
  • Newbie
  • airsa
  • Posts: 5

Post 3+ Months Ago

Logfile of HijackThis v1.97.7
Scan saved at 8:44:32 PM, on 9/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\mssetup.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\DAR\Desktop\Airsa\Installers\mack.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Msi Setup] mssetup.exe
O4 - HKLM\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Guard] waumgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Msi Setup] mssetup.exe
O4 - HKCU\..\RunServices: [Msi Setup] mssetup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/active ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/active ... veData.cab



II followed what you posted.
Although i get to clean and delete a lot of stuff, i still cant open NAV, Norton Systemworks, regedit, msconfig, and taskmanager
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Ok. That was just the first step. Give me a few minutes and I will tell you what to fix with hijack this.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Make sure you disable system restore.
Copy and paste the following to a text file so you will have it handy:

Close all programs.

Go to start > run and enter: cmd.exe

When the command prompt comes up, enter these commands one at a time:
Code: [ Select ]
taskkill /F /IM "P2P Networking.exe"

taskkill /F /IM mssetup.exe

taskkill /F /IM rundll32.exe

attrib -s -h -r "C:\WINDOWS\System32\P2P Networking\P2P Networking.exe"

attrib -s -h -r C:\WINDOWS\System32\mssetup.exe

del "C:\WINDOWS\System32\P2P Networking\P2P Networking.exe"

del "C:\WINDOWS\System32\mssetup.exe"

rd /Q /S "C:\Program files\NEWDOT~1\"

exit
  1. taskkill /F /IM "P2P Networking.exe"
  2. taskkill /F /IM mssetup.exe
  3. taskkill /F /IM rundll32.exe
  4. attrib -s -h -r "C:\WINDOWS\System32\P2P Networking\P2P Networking.exe"
  5. attrib -s -h -r C:\WINDOWS\System32\mssetup.exe
  6. del "C:\WINDOWS\System32\P2P Networking\P2P Networking.exe"
  7. del "C:\WINDOWS\System32\mssetup.exe"
  8. rd /Q /S "C:\Program files\NEWDOT~1\"
  9. exit


Run hijack this, scan, place a check beside these items and click fix:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Msi Setup] mssetup.exe
O4 - HKLM\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKCU\..\Run: [Msi Setup] mssetup.exe
O4 - HKCU\..\RunServices: [Msi Setup] mssetup.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

Reboot. Run adaware once more. Run hijack this, scan and post new log.
Hopefully by this time you will be able to launch task manager, regedit, etc... Good Luck.
  • airsa
  • Newbie
  • Newbie
  • airsa
  • Posts: 5

Post 3+ Months Ago

Logfile of HijackThis v1.97.7
Scan saved at 12:08:03 AM, on 9/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\DAR\Desktop\Airsa\Installers\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Guard] waumgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/active ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/active ... veData.cab


Dang, You're good!
Its workin now. Thanks a lot!
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

*smiles -- JrzyCrim is quite good at this! Nice to see you got it working.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Great! Thank you for a job well done. It was a team effort. :)

Your log is clean.


Here's something you might want to check out:
http://www.javacoolsoftware.com/spywareblaster.html

It's a great program for spyware prevention.


Again, thanks. Come back to Ozzu anytime.
  • LAbrego
  • brego from LA
  • Web Master
  • User avatar
  • Posts: 2856

Post 3+ Months Ago

*grin Another satisfied customer Jim? hehe Congrats :wink:
  • MOC
  • Proficient
  • Proficient
  • User avatar
  • Posts: 490
  • Loc: Ocean City , Maryland

Post 3+ Months Ago

Good JoB,,
I have come to the conclusion that just ART of
deciphering Hijackthis Logs is worth it's weight
in Gold (time consuming) but ,very in demand.lol

I'am getting better in doing it.lol more and more tho
there are log entry's that you cannot find anything
on ,and just have to make a judgement call ,noing
thats what you delete ...you no
  • sadiesmells
  • Born
  • Born
  • sadiesmells
  • Posts: 3

Post 3+ Months Ago

Hey, same problem as the last two.

I ran ad-aware and problem still not solved.

Here is log file...

Logfile of HijackThis v1.97.7
Scan saved at 7:03:46 PM, on 9/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\CTOBGRXQ.EXE
C:\WINDOWS\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DC++2\DCPlusPlus.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Documents and Settings\Windows User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/d ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/d ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/d ... .yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AOL Messenger] CTOBGRXQ.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Sophos AntiVirus] SophosAV.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [AOL Messenger] CTOBGRXQ.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Checkers by pogo - http://checkers.pogo.com/applet/checker ... assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet-5.8.6.20/cr ... assets.cab
O16 - DPF: High Stakes Poker by pogo - http://drawpoker.pogo.com/applet-5.8.4. ... assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.6.2 ... assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.2.21 ... assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.8.6.20/ ... assets.cab
O16 - DPF: Spades by pogo - http://spades.pogo.com/applet-5.9.1.28/ ... assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.2.21 ... assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.6.20/p ... assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.8.4.18/ ... assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game6.pogo.com/applet-5.8.6.20/t ... assets.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/c ... /nt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/ ... mv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/C ... 8039236111
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh ... wflash.cab
O16 - DPF: {D61570B1-61E1-6851-CBF7-B7915CBDFA4E} (DownloadUL Class) - http://public.searchbarcash.com/cab/002/zqonalph.cab
O16 - DPF: {E87EA803-2DBB-DE1A-511B-E2A48A8B86A0} - http://public.searchbarcash.com/cab/023/phpwgjpp.cab


Thanks
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Welcome to Ozzu. I'm looking over your log right now and will post what to fix as soon as I can.
  • sadiesmells
  • Born
  • Born
  • sadiesmells
  • Posts: 3

Post 3+ Months Ago

JrzyCrim wrote:
Welcome to Ozzu. I'm looking over your log right now and will post what to fix as soon as I can.


Ok, thanks a lot. I'll be waiting. :salut:
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Close all programs.

Disable system restore.

Go to start > run and enter: cmd.exe

Enter these commands one at a time in the command window:
Code: [ Select ]
Taskkill /F /IM CTOBGRXQ.EXE

attrib -r -s -h C:\WINDOWS\System32\CTOBGRXQ.EXE

del C:\WINDOWS\System32\CTOBGRXQ.EXE

exit
  1. Taskkill /F /IM CTOBGRXQ.EXE
  2. attrib -r -s -h C:\WINDOWS\System32\CTOBGRXQ.EXE
  3. del C:\WINDOWS\System32\CTOBGRXQ.EXE
  4. exit


Run hijack this, scan, and fix the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [AOL Messenger] CTOBGRXQ.EX
O4 - HKCU\..\RunOnce: [AOL Messenger] CTOBGRXQ.EXE
O16 - DPF: {D61570B1-61E1-6851-CBF7-B7915CBDFA4E} (DownloadUL Class) - http://public.searchbarcash.com/cab/002/zqonalph.cab
O16 - DPF: {E87EA803-2DBB-DE1A-511B-E2A48A8B86A0} - http://public.searchbarcash.com/cab/023/phpwgjpp.cab

Reboot,
Download the latest version of Hijack This, scan, and post new log. We'll see if anything is left.
  • sadiesmells
  • Born
  • Born
  • sadiesmells
  • Posts: 3

Post 3+ Months Ago

Ok, did that. One file that you said to delete was missing from the hijackthis log (R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
), but other than that, everything went fine. I assume if it wasn't there that's ok.

New log...

Logfile of HijackThis v1.97.7
Scan saved at 8:09:20 PM, on 9/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Windows User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/d ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://rd.yn.cometsystems.com/r/cc3un/0 ... yahoo.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Sophos AntiVirus] SophosAV.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Checkers by pogo - http://checkers.pogo.com/applet/checker ... assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet-5.8.6.20/cr ... assets.cab
O16 - DPF: High Stakes Poker by pogo - http://drawpoker.pogo.com/applet-5.8.4. ... assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.6.2 ... assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.2.21 ... assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.8.6.2

Task manager opens as usual..so I think it's fine. Anything else I should do?
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Quote:
Ok, did that. One file that you said to delete was missing from the hijackthis log (R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
), but other than that, everything went fine. I assume if it wasn't there that's ok.

That missing entry is fine. One less thing to worry about.

Your log looks clean. I see that you are able to use task manager. That's good. :)

You should clean out your temporary internet files (cache) and temp files.

Go to Control Panel > Internet Options, Click Delete Cookies, Delete Files.

Go to C:\Documents and settings\Windows User\Local Settings\Temp and delete everthing you can in that folder.

Glad you got things working again. Come back any time.
  • LAbrego
  • brego from LA
  • Web Master
  • User avatar
  • Posts: 2856

Post 3+ Months Ago

I been told you have this little marks on the side of your keyboard, counting all the spyware you've killed on duty :lol: congrats again man!
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Hehe, thanks. Little marks... I should start doing that. :)

Actually, it's not so hard. Especially after doing a few. You can find out what needs to be done through google. Most of the time.
  • chip
  • Newbie
  • Newbie
  • chip
  • Posts: 7
  • Loc: Brighton, Mich

Post 3+ Months Ago

Hi! I've got the same problem where task mgr, msconfig, regedit close right away. I've run Ad-aware and Spybot S&D and AVG scan. I don't seem to have any of the things that were found in the previous posts. Here's my HijackThis output:


Logfile of HijackThis v1.98.2
Scan saved at 8:29:43 AM, on 09/06/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\PROGRA~1\AVG6\avgcc32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\BESCH.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\DIGStream\digstream.exe
D:\Program Files\Voyetra\AudioStation 6\astnscsi.exe
C:\WINDOWS\System32\MSTFX.EXE
D:\PROGRA~1\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Core Library - {E9C1FD9A-46B0-4185-84ED-E2F8ACD4A262} - C:\WINDOWS\System32\KDP488a.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [BackupExecScheduler] BESCH.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Microsoft Autofix Service] MSTFX.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\RunOnce: [Microsoft Autofix Service] MSTFX.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://mail.beethoven.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - http://www.wildtangent.com/install/jvm/ ... 6_3805.exe
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe ... .0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2324a8dab41 ... xIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B6E73B-CC86-4B6F-900C-56D9FE4A71EB}: NameServer = 68.42.244.5,68.42.244.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E43BEAD7-06CC-4843-9941-A95B781D23B3}: NameServer = 68.42.244.5,68.42.244.6

Thanks in advance for the Help.

Chip
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

I'm reviewing your log chip

In the meantime, follow the instructions here to manually remove P2P Networking.exe from your computer. It's known spyware that typically comes bundled with kazaa in is not necessary for it's operation. I don't see you running kazaa anyway. It may have been bundled with somthing else that may be affected, but everything I could find on it recommended removal. After you followed these instructions for removal rerun and repost your log again and let's see what that cleans up:

http://www.pestpatrol.com/PestInfo/p/p2p_networking.asp

In the meantime I'll see what else I can find. There's a couple things that I already see we should get rid of, but this removal may take care of some of it.
  • chip
  • Newbie
  • Newbie
  • chip
  • Posts: 7
  • Loc: Brighton, Mich

Post 3+ Months Ago

Thanks ATNO! I'm trying to follow the instructions for removing P2P Networking but I'm not able to get into either task mgt, msconfig or regedit to kill and remove things.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

*duh -- ok sorry. Can you get into control panel add/remove software? It probably has a removal option there. If not I'll try to write you up an alternate set of instructions.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Chip -- I'm leaving for most of the day. Hang in there. Others will e around to see this who can continue to help. I'll check back in later this evening when I return.
  • chip
  • Newbie
  • Newbie
  • chip
  • Posts: 7
  • Loc: Brighton, Mich

Post 3+ Months Ago

I removed P2P using add/remove programs. Here's the latest HijackThis output:

Logfile of HijackThis v1.98.2
Scan saved at 11:04:52 AM, on 09/06/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\PROGRA~1\AVG6\avgcc32.exe
C:\WINDOWS\System32\BESCH.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\DIGStream\digstream.exe
D:\Program Files\Voyetra\AudioStation 6\astnscsi.exe
C:\WINDOWS\System32\MSTFX.EXE
D:\PROGRA~1\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Symantec\pcAnywhere\WINAW32.EXE
C:\WINDOWS\System32\cmd.exe
D:\Program Files\EditPad\EditPad.exe
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Core Library - {E9C1FD9A-46B0-4185-84ED-E2F8ACD4A262} - C:\WINDOWS\System32\KDP488a.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [BackupExecScheduler] BESCH.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Microsoft Autofix Service] MSTFX.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\RunOnce: [Microsoft Autofix Service] MSTFX.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://mail.beethoven.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - http://www.wildtangent.com/install/jvm/ ... 6_3805.exe
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe ... .0.0.8.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2324a8dab41 ... xIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B6E73B-CC86-4B6F-900C-56D9FE4A71EB}: NameServer = 68.42.244.5,68.42.244.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E43BEAD7-06CC-4843-9941-A95B781D23B3}: NameServer = 68.42.244.5,68.42.244.6



Thanks again.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

I'm still here a few more minutes. I see a browser hijacker Search assistant. I might be able to help you clear up a little more of this. Give me a couple
  • chip
  • Newbie
  • Newbie
  • chip
  • Posts: 7
  • Loc: Brighton, Mich

Post 3+ Months Ago

I still haven't solved the problem, but I have some information on the cause. I asked my kids what they know about it and one of them said she clicked on a link in AOL Instant Messenger that "may have infected the computer with something." I'm not familiar enough with AIM to know what that might have been.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Turn off system restore.

Run CWshreader first:
http://www.merijn.org/files/CWShredder.exe

Boot to safe mode and rerun hijackthis and check the following (if they still exist) and fix.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O2 - BHO: Core Library - {E9C1FD9A-46B0-4185-84ED-E2F8ACD4A262} - C:\WINDOWS\System32\KDP488a.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - http://www.wildtangent.com/install/jvm/ ... 6_3805.exe


Go to c:\ Program FIles\Toolbar\ and delete toolbar.dll (if exists)
and C:\WINDOWS\System32\KDP488a.dll (if exists)

Reboot to safe mode. Run CWShreader again
Reboot: rerun Hijackthis and post the updated log.

There's a couple other things I see I'm not sure of, but let's try that first and see where it gets us.
  • chip
  • Newbie
  • Newbie
  • chip
  • Posts: 7
  • Loc: Brighton, Mich

Post 3+ Months Ago

I've followed the steps in the previous post. Still can't get task mgr, etc to stay open. Here's the latest HijackThis output:

Logfile of HijackThis v1.98.2
Scan saved at 12:09:22 PM, on 09/06/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Voyetra\AudioStation 6\astnscsi.exe
D:\PROGRA~1\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\PROGRA~1\AVG6\avgcc32.exe
C:\WINDOWS\System32\BESCH.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\DIGStream\digstream.exe
D:\PROGRA~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\MSTFX.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Temp\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [BackupExecScheduler] BESCH.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Microsoft Autofix Service] MSTFX.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\RunOnce: [Microsoft Autofix Service] MSTFX.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://mail.beethoven.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe ... .0.0.8.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2324a8dab41 ... xIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B6E73B-CC86-4B6F-900C-56D9FE4A71EB}: NameServer = 68.42.244.5,68.42.244.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E43BEAD7-06CC-4843-9941-A95B781D23B3}: NameServer = 68.42.244.5,68.42.244.6



Thanks again.
  • LAbrego
  • brego from LA
  • Web Master
  • User avatar
  • Posts: 2856

Post 3+ Months Ago

Sorry chip, you got us in a busy monday, I am on a hurry too, haven't check your log deeply but fix this with hijack

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
  • chip
  • Newbie
  • Newbie
  • chip
  • Posts: 7
  • Loc: Brighton, Mich

Post 3+ Months Ago

Thanks Larz!

What are the .cab files in the Downloaded Program Files entries in the HijackThis output and the O17 entries (domain hijack?)?
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Hello chip.

Those DPF entries show the location of the install files for plugins and additions to your browser. Some of them are good, some are bad.

Those O17 entries are fine in your case. They resolved to this: ns01.taylor01.mi.comcast.net. No problem there.

I'm currently going over your log and will post instructions on what to fix next.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Close all programs.

Disable system restore

Open a command prompt: start > run: cmd.exe

In the prompt window, enter these commands one at a time:
Code: [ Select ]
taskkill /F /IM MSTFX.EXE

attrib -r -s -h c:\windows\system32\MSTFX.EXE

del c:\windows\system32\MSTFX.EXE
  1. taskkill /F /IM MSTFX.EXE
  2. attrib -r -s -h c:\windows\system32\MSTFX.EXE
  3. del c:\windows\system32\MSTFX.EXE


Run hijack this, scan, and fix the following items:

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Microsoft Autofix Service] MSTFX.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe ... .0.0.8.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab

Reboot, run hijack this, scan, and post the new log. Hopefully by this time you will be able to use Task manager, regedit, etc.
  • chip
  • Newbie
  • Newbie
  • chip
  • Posts: 7
  • Loc: Brighton, Mich

Post 3+ Months Ago

You da man! You all da men! That did it. Thank you all very much. Here's the latest HijackThis output:

Logfile of HijackThis v1.98.2
Scan saved at 6:15:31 PM, on 09/06/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Voyetra\AudioStation 6\astnscsi.exe
D:\PROGRA~1\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\PROGRA~1\AVG6\avgcc32.exe
C:\WINDOWS\System32\BESCH.EXE
D:\PROGRA~1\POP-UP~1\PSFREE.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Temp\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [BackupExecScheduler] BESCH.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\POP-UP~1\PSFREE.EXE"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://mail.beethoven.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2324a8dab41 ... xIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B6E73B-CC86-4B6F-900C-56D9FE4A71EB}: NameServer = 68.42.244.5,68.42.244.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E43BEAD7-06CC-4843-9941-A95B781D23B3}: NameServer = 68.42.244.5,68.42.244.6
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Great! :) Glad things are working for you. Your current log looks clean.

If you haven't already done this, I'd recommend installing spywareblaster. This will help prevent future infections:
http://www.javacoolsoftware.com/spywareblaster.html

Feel free to post any other questions you might have.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Crap! I was working on the mstfx thing, I couldn't find anything on it or Microsoft Autofix Service and wasn't liking it at all. But I had to leave before I could get anywhere with it. Just curious how or if you found anything on it, Jim, or if you just had the same gut feeling I did?

Anyway -- nice to come home and see it got resolved as well. Nice job sticking with it Chip.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

ATNO/TW wrote:
Crap! I was working on the mstfx thing, I couldn't find anything in it or Microsoft Autofix Service and wasn't liking it at all. But I had to leave before I could get anywhere with it. Just curious how or if you found anything on it, Jim, or if you just had the same gut feeling I did?

The fact that I couldn't find one scrap of information about Microsoft Autofix Service. Not being able to find any info on a Microsoft product/program is pretty rare. It was a little risky deleting that without any info to go on but I was pretty confident. Looking back, it probably would have been safer to just kill that process and see if task manager would open and then go from there.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Thanks for the explanation. That's sorta on the lines with my thoughts but I'm not quite as good as you are with this. I was hesitant to suggest it, but I'm glad to see you did. I was very close to suggesting it as well, but had to leave and just couldn't get to finish (or get up the nerve when I was here) I suppose now google will show one result on it i for people who have this problem in the future. *lol
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

The closest thing I could find was something called autofix.exe.

Here's an article about autoplay settings for Win XP.
http://support.microsoft.com/default.as ... 22660&fr=1

Here's the download page for Autofix.exe: [url=http://www.microsoft.com/downloads/details.aspx?FamilyID=c680a7b6-e8fa-45c4-a171-1b389cfacdad&DisplayLang=en]
Autoplay Repair Wizard[/url]

Heh, I'm sure some of the others problably found this thread through google. I bet we are going to see a lot more hijack this logs in the future.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

I agree and the one thing I haven't seen with highjackthis is a good educational resource tool on how novices can use it to their advantage. As you've stated before it's not an easy tool and can take time and often takes the advice of experienced people. But it is a great tool. Look for the new thread shortly.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Here's someting interesting:
http://forums.majorgeeks.com/showthread.php?t=38752

Quote:
Notes! Due to Hijack This logs destroying search engine and website searches, we now ask you do not post your Hijack This log file unless requested by us. It is for advanced users, so if you do not understand how to use it, you do not need it....yet. Instead, please tell us in your post what symptoms you are experiencing so we can try and resolve it that way. When, and if, we ask you to post your logfile, please attach it as a file. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, email, items in the tray, anything you can close... Close before running Hijack This!

Do not to install Hijack This to the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT


It then continues with a tutorial. I wonder why you shouldn't run hijack this from the desktop? I understand the last two but not the first.
  • dthames0702
  • Novice
  • Novice
  • dthames0702
  • Posts: 26

Post 3+ Months Ago

Hey, I am having the same problem as everyone else, here is my log.

Logfile of HijackThis v1.97.7
Scan saved at 10:45:40 PM, on 9/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MOUSES~1\bally4d.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\MWWRQOEBN.EXE
C:\WINDOWS\System32\hdrmmzie.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\aolmsngr.exe
C:\WINDOWS\system32\MSCRON.EXE
C:\PROGRA~1\AIM\AIMWDI~1.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\DOCUME~1\Lauren\LOCALS~1\Temp\nst3.tmp
C:\DOCUME~1\Lauren\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {ACB3E0B7-7D0C-40B7-99B3-3EEACDF86BFB} - C:\WINDOWS\mslagent\4b_1,0,1,1_mslagent.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\bally4d.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Yahoo Instant Messenger] MWWRQOEBN.EXE
O4 - HKLM\..\Run: [ygrtrlyklbe] C:\WINDOWS\System32\hdrmmzie.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [Microsoft CronD Service] MSCRON.EXE
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [System MScvb] C:\DOCUME~1\Lauren\LOCALS~1\Temp\approved.pif
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\RunOnce: [Yahoo Instant Messenger] MWWRQOEBN.EXE
O4 - HKCU\..\RunOnce: [Microsoft CronD Service] MSCRON.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: ImTranslator (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/ ... mv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdat ... t/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binaries/L ... _EN_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05f352d0bde ... xIE601.cab
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://zeus.findlay.edu:8011/webapps/co ... _1-win.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/ ... taller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Man, you need to start by downloading a couple spyware removal tools like Adaware or Spybot...

Run these tools first and repost your log

http://www.download.com/3000-2144-10045 ... tag=button

http://www.download.com/3000-2144-10122 ... tag=button

You have a lot of crap on your computer.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Welcome to Ozzu, dthames0702. Hang tight and I'll gladly help you out.

First Download and install ad-aware.
http://www.lavasoftusa.com/software/adaware/

Launch adaware and follow update the definitions:

Close all programs you have running. Everything you can close including Instant messaging programs.

1) Go to settings (gear at the top), Tweak, Scanning Engine: Make sure 'Unload recognized process during scanning' is checked.
2) Under Cleaning Engine, make sure 'Let Windows remove files in use after next reboot' is checked. Click Proceed. Click Start
3) Use Custom Scanning Options. Make sure 'Activate in-depth scan' is checked.
4) Click Customize, Click Select Drives + Folders, Check the drive on which your OS is installed. Click Proceed, Click Next.
5) After Scanning has completed, Right-click in the found objects area, select all, click Next, click OK and let it remove all items.
6) Reboot.

Hopefully that will at least clear out some of the bad stuff.
Run Hijack-this, scan and post your new log. From there we will try to fix whatever remains.

In the meantime, I'll look over your log for things that adaware will not likely fix
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Also, download and run CWShredder after adaware.
http://www.download.com/CWShredder/3000 ... ag=lst-0-1

Download the latest version of Hijack this and use that to create your new log:
https://ssl.perfora.net/tools.radiospla ... ckThis.exe

Make sure you close all other programs before running these.
  • dthames0702
  • Novice
  • Novice
  • dthames0702
  • Posts: 26

Post 3+ Months Ago

I have done everything you said and here is the new log.

Logfile of HijackThis v1.98.2
Scan saved at 11:34:44 PM, on 9/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\MWWRQOEBN.EXE
C:\WINDOWS\System32\hdrmmzie.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\aolmsngr.exe
C:\WINDOWS\system32\MSCRON.EXE
C:\PROGRA~1\AIM\AIMWDI~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\DOCUME~1\Lauren\LOCALS~1\Temp\nst3.tmp
C:\DOCUME~1\Lauren\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {ACB3E0B7-7D0C-40B7-99B3-3EEACDF86BFB} - C:\WINDOWS\mslagent\4b_1,0,1,1_mslagent.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\bally4d.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Yahoo Instant Messenger] MWWRQOEBN.EXE
O4 - HKLM\..\Run: [ygrtrlyklbe] C:\WINDOWS\System32\hdrmmzie.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [Microsoft CronD Service] MSCRON.EXE
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [System MScvb] C:\DOCUME~1\Lauren\LOCALS~1\Temp\approved.pif
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\RunOnce: [Yahoo Instant Messenger] MWWRQOEBN.EXE
O4 - HKCU\..\RunOnce: [Microsoft CronD Service] MSCRON.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binaries/L ... _EN_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05f352d0bde ... xIE601.cab
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://zeus.findlay.edu:8011/webapps/co ... _1-win.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/ ... taller.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

You still have a couple problems that should be easily fixed from control panel | add/remove software. Get rid of weatherbug. It's known spyware and remove anything associated with that websearch toolbar that you can via add / remove software. (also known spyware). Also follow Jim's instructions about closing all programs before running highjack this again. You still have mulitple things open and it's confusing to decipher through it and find the bad stuf.

//Probably that Viewpoint Toolbar thing as well. Never heard of it or seen it, but it's not something you need, I'm sure.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

You should copy and paste the following instructions to a text file so you will have them handy.

Close all programs, all browser windows, anything you can close on the taskbar system tray; everything.

Go to Start > Run and enter this command: appwiz.cpl
Search through the programs listed for the following and uninstall them if you find them:
myway, myweb, mysearch
Weather bug.

Weather bug is known to be packaged with spyware so I recommend you get rid of it. * :) I was busy writing up this post and didn't see yours, ATNO.

Next, go to start run, enter this: cmd.exe
When the command window opens, enter the following commands:
Code: [ Select ]
Taskkill /F /IM MWWRQOEBN.EXE
Taskkill /F /IM hdrmmzie.exe
Taskkill /F /IM MSCRON.EXE

Attrib -s -r -h C:\WINDOWS\system32\MWWRQOEBN.EXE
attrib -s -r -h C:\WINDOWS\System32\hdrmmzie.exe
attrib -s -r -h C:\WINDOWS\system32\MSCRON.EXE

Del C:\WINDOWS\system32\MWWRQOEBN.EXE
Del C:\WINDOWS\System32\hdrmmzie.exe
Del C:\WINDOWS\system32\MSCRON.EXE

Exit
  1. Taskkill /F /IM MWWRQOEBN.EXE
  2. Taskkill /F /IM hdrmmzie.exe
  3. Taskkill /F /IM MSCRON.EXE
  4. Attrib -s -r -h C:\WINDOWS\system32\MWWRQOEBN.EXE
  5. attrib -s -r -h C:\WINDOWS\System32\hdrmmzie.exe
  6. attrib -s -r -h C:\WINDOWS\system32\MSCRON.EXE
  7. Del C:\WINDOWS\system32\MWWRQOEBN.EXE
  8. Del C:\WINDOWS\System32\hdrmmzie.exe
  9. Del C:\WINDOWS\system32\MSCRON.EXE
  10. Exit


Run Hijack-this, scan, place a check beside the following items and Click Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {ACB3E0B7-7D0C-40B7-99B3-3EEACDF86BFB} - C:\WINDOWS\mslagent\4b_1,0,1,1_mslagent.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Yahoo Instant Messenger] MWWRQOEBN.EXE
O4 - HKLM\..\Run: [ygrtrlyklbe] C:\WINDOWS\System32\hdrmmzie.exe
O4 - HKLM\..\Run: [Microsoft CronD Service] MSCRON.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [System MScvb] C:\DOCUME~1\Lauren\LOCALS~1\Temp\approved.pif
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\RunOnce: [Microsoft CronD Service] MSCRON.EXE
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binaries/L ... _EN_XP.cab
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/ ... taller.cab

Reboot, run hijack this again, scan, save the log and post it here.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

ATNO/TW wrote:
//Probably that Viewpoint Toolbar thing as well. Never heard of it or seen it, but it's not something you need, I'm sure.


That viewpoint software is packaged with AOL. It's not harmful and if you uninstall it and launch AOL, it get's installed again. :?
  • dthames0702
  • Novice
  • Novice
  • dthames0702
  • Posts: 26

Post 3+ Months Ago

I did everything you said and so far i still cant view task manager or msconfig, here is the new log.

Logfile of HijackThis v1.98.2
Scan saved at 12:20:29 AM, on 9/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\aolmsngr.exe
C:\PROGRA~1\AIM\AIMWDI~1.EXE
C:\WINDOWS\system32\MWWRQOEBN.EXE
C:\WINDOWS\System32\hdrmmzie.exe
C:\WINDOWS\system32\MSCRON.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\bally4d.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [Yahoo Instant Messenger] MWWRQOEBN.EXE
O4 - HKLM\..\Run: [pvmxuwhafmrr] C:\WINDOWS\System32\hdrmmzie.exe
O4 - HKLM\..\Run: [Microsoft CronD Service] MSCRON.EXE
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunOnce: [Yahoo Instant Messenger] MWWRQOEBN.EXE
O4 - HKCU\..\RunOnce: [Microsoft CronD Service] MSCRON.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05f352d0bde ... xIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://zeus.findlay.edu:8011/webapps/co ... _1-win.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

That explains it, then. I have never used AOL. And I have to hit the sack. Work in the AM, you know the routine. You blokes have fun. Still alot to fix here but it'll get done I'm sure.
  • LAbrego
  • brego from LA
  • Web Master
  • User avatar
  • Posts: 2856

Post 3+ Months Ago

This is going to be a long, long thread, 6 pages already. I'm in, as soon as he post the new log, I see if I can help.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

I still see these items in the running processes section:

C:\WINDOWS\system32\MWWRQOEBN.EXE
C:\WINDOWS\System32\hdrmmzie.exe
C:\WINDOWS\system32\MSCRON.EXE

This time, stay online and do this:

Start > Run: cmd.exe
Enter these commands one at a time:
Code: [ Select ]
Taskkill /F /IM MWWRQOEBN.EXE
Taskkill /F /IM hdrmmzie.exe
Taskkill /F /IM MSCRON.EXE

Attrib -s -r -h C:\WINDOWS\system32\MWWRQOEBN.EXE
attrib -s -r -h C:\WINDOWS\System32\hdrmmzie.exe
attrib -s -r -h C:\WINDOWS\system32\MSCRON.EXE

Del C:\WINDOWS\system32\MWWRQOEBN.EXE
Del C:\WINDOWS\System32\hdrmmzie.exe
Del C:\WINDOWS\system32\MSCRON.EXE
  1. Taskkill /F /IM MWWRQOEBN.EXE
  2. Taskkill /F /IM hdrmmzie.exe
  3. Taskkill /F /IM MSCRON.EXE
  4. Attrib -s -r -h C:\WINDOWS\system32\MWWRQOEBN.EXE
  5. attrib -s -r -h C:\WINDOWS\System32\hdrmmzie.exe
  6. attrib -s -r -h C:\WINDOWS\system32\MSCRON.EXE
  7. Del C:\WINDOWS\system32\MWWRQOEBN.EXE
  8. Del C:\WINDOWS\System32\hdrmmzie.exe
  9. Del C:\WINDOWS\system32\MSCRON.EXE


Let me know if you receive any errors when you execute these commands.

Run hijack this again and post the log.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

labrego wrote:
This is going to be a long, long thread, 6 pages already. I'm in, as soon as he post the new log, I see if I can help.


Howdy Labrego! One of those tasks that are running is causing the problem. They should have been deleted but are still present. The newest log looks substantially better than the original, however.
  • dthames0702
  • Novice
  • Novice
  • dthames0702
  • Posts: 26

Post 3+ Months Ago

this is what it says when i run cmd with those commands

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Lauren>Taskkill /F /IM MWWRQOEBN.EXE
'Taskkill' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Lauren>Taskkill /F /IM MWWRQOEBN.EXE
'Taskkill' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Lauren>Taskkill /F /IM hdrmmzie.exe
'Taskkill' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Lauren>Taskkill /F /IM MSCRON.EXE
'Taskkill' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Lauren>
C:\Documents and Settings\Lauren>Attrib -s -r -h C:\WINDOWS\system32\MWWRQOEBN.E
XE

C:\Documents and Settings\Lauren>attrib -s -r -h C:\WINDOWS\System32\hdrmmzie.ex
e

C:\Documents and Settings\Lauren>attrib -s -r -h C:\WINDOWS\system32\MSCRON.EXE


C:\Documents and Settings\Lauren>
C:\Documents and Settings\Lauren>Del C:\WINDOWS\system32\MWWRQOEBN.EXE
C:\WINDOWS\system32\mwwrqoebn.exe
Access is denied.

C:\Documents and Settings\Lauren>Del C:\WINDOWS\System32\hdrmmzie.exe
C:\WINDOWS\System32\hdrmmzie.exe
The process cannot access the file because it is being used by another process.

C:\Documents and Settings\Lauren>Del C:\WINDOWS\system32\MSCRON.EXE
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Ah, okay. That explains it. Taskkill is not present.

Okay Download this tool, unzip it and place pskill.exe in your system32 folder (C:\windows\system32\).

http://members.aol.com/jrzycrim01/misc/pskill.zip

run these commands:
Code: [ Select ]
pskill MWWRQOEBN.EXE
pskill hdrmmzie.exe
pskill MSCRON.EXE

Del C:\WINDOWS\system32\MWWRQOEBN.EXE
Del C:\WINDOWS\System32\hdrmmzie.exe
Del C:\WINDOWS\system32\MSCRON.EXE
  1. pskill MWWRQOEBN.EXE
  2. pskill hdrmmzie.exe
  3. pskill MSCRON.EXE
  4. Del C:\WINDOWS\system32\MWWRQOEBN.EXE
  5. Del C:\WINDOWS\System32\hdrmmzie.exe
  6. Del C:\WINDOWS\system32\MSCRON.EXE


Run hijack this, scan and fix the following items:
O4 - HKLM\..\Run: [Yahoo Instant Messenger] MWWRQOEBN.EXE
O4 - HKLM\..\Run: [ygrtrlyklbe] C:\WINDOWS\System32\hdrmmzie.exe
O4 - HKLM\..\Run: [Microsoft CronD Service] MSCRON.EXE

Run hijack this, scan, save log, post here: :)
  • dthames0702
  • Novice
  • Novice
  • dthames0702
  • Posts: 26

Post 3+ Months Ago

sorry for so many posts, i just want to thank you in advance for helping me solve this problem
  • LAbrego
  • brego from LA
  • Web Master
  • User avatar
  • Posts: 2856

Post 3+ Months Ago

Howdy Jim, I see what I can do to help without disturb (man I hate this darn laptop keyboards)

dthames0702 how do yo manage to run taskkill before?, Jim ask you to run it two or three posts before
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

dthames0702 wrote:
sorry for so many posts, i just want to thank you in advance for helping me solve this problem


No worries. Sometimes it takes a few run-throughs to get things sorted.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

labrego wrote:
Howdy Jim, I see what I can do to help without disturb (man I hate this darn laptop keyboards)

dthames0702 how do yo manage to run taskkill before?, Jim ask you to run it two or three posts before


Your not a disturbance. Your input is always helpful. 8)

I'm wondering why taskkill is not there. As far as I know it should be available in XP home/PRO as well as 2000. Maybe something nasty happened to it.
  • dthames0702
  • Novice
  • Novice
  • dthames0702
  • Posts: 26

Post 3+ Months Ago

hey thanks everything works fine now, here is the log

Logfile of HijackThis v1.98.2
Scan saved at 12:50:09 AM, on 9/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\aolmsngr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\bally4d.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05f352d0bde ... xIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://zeus.findlay.edu:8011/webapps/co ... _1-win.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
  • LAbrego
  • brego from LA
  • Web Master
  • User avatar
  • Posts: 2856

Post 3+ Months Ago

JrzyCrim wrote:
labrego wrote:
Howdy Jim, I see what I can do to help without disturb (man I hate this darn laptop keyboards)

dthames0702 how do yo manage to run taskkill before?, Jim ask you to run it two or three posts before


Your not a disturbance. Your input is always helpful. 8)

I'm wondering why taskkill is not there. As far as I know it should be available in XP home/PRO as well as 2000. Maybe something nasty happened to it.


hehe, Thanks. Don't relally know what happen... maybe the path... maybe he started cmd.exe some other way... I am thinking.

dthames0702 wrote:
hey thanks everything works fine now, here is the log
mmm I always miss the real action :roll:
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Great. Glad it's working now.

Here's a couple of things for you to do:

Go to internet options (from the control panel or tools menu of IE) and click delete cookies, delete files. That will ensure nothing nasty is left in your cache.

Also, I recommend Spywareblaster for preventing future infections:
http://www.javacoolsoftware.com/spywareblaster.html

Download and install it. Make sure to keep it updated and enable all protection.

And stay away from questionable web sites. ;)

Good luck

Oh yeah, update your virus definitions and do a full scan just to be careful. check this thread later, there are a couple of things I want to look up that may need fixing.

I noticed an entry relating to Wild Tangent:
http://techrepublic.com.com/5208-6239-0 ... dID=157036

It doesn't really seem to be harmful but if you don't use it, you might consider uninstalling it. Read through that thread and decide if you need it or not.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

labrego wrote:
mmm I always miss the real action :roll:


Don't worry, I think there is going to be plenty of action pretty soon. More and more people are going to be directed to Ozzu via google. I'm sure that's how people are finding this thread.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

labrego wrote:
JrzyCrim wrote:
I'm wondering why taskkill is not there. As far as I know it should be available in XP home/PRO as well as 2000. Maybe something nasty happened to it.

Don't relally know what happen... maybe the path... maybe he started cmd.exe some other way... I am thinking.


Normally, taskkill is found in the system32 directory. System32 is in the command path and anything in it should be accessible from the command prompt no matter where you are.

There is also a backup in system32\dllcache which Windows File Protection keeps track of incase the original get's trashed.
  • LAbrego
  • brego from LA
  • Web Master
  • User avatar
  • Posts: 2856

Post 3+ Months Ago

That's why I said this looks like a long thread. I am learning from your skills, now I know what spyware names to look for :wink:

It's good to see people comming here from google, is incredible how many infected computers are out there
  • dthames0702
  • Novice
  • Novice
  • dthames0702
  • Posts: 26

Post 3+ Months Ago

hey JrzyCrim or anyone who can help, I have basicaly the same problem as yesterday but this time i can view task manager and msconfig but i am not able to downlaod any programs. can you help me please
  • dthames0702
  • Novice
  • Novice
  • dthames0702
  • Posts: 26

Post 3+ Months Ago

i am also unable to download any sort of file from the internet
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

dthames0702 -- in case you missed it, the reason you couldn't find your post here again was because it's a different problem. I split it off from this topic and started a new thread on it. Continue in the new post here:

http://www.ozzu.com/mswindows-forum/not-able-download-any-programs-t31100.html
  • welly
  • Newbie
  • Newbie
  • welly
  • Posts: 6

Post 3+ Months Ago

Hi

I stumbled across this site via Google while looking for solutions to a friend's laptop problem - msconfig, regedit and task manager all close immediately after opening.

I've downloaded the latest versions of AVG, Ad-Aware, Spybot and HijackThis and run scans as per your instructions. Here is the HijackThis log;

Logfile of HijackThis v1.97.7
Scan saved at 4:24:56 p.m., on 11/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\SDK0mCORE.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\LTSMMSG.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\INITIATE.EXE
C:\WINDOWS\System32\SDKc55rezzz.exe
C:\WINDOWS\System32\SDKc55rezzz.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Documents and Settings\Tim\Desktop\Virus Checkers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: GT Indicator - {C733AE47-6AC0-4837-93DA-70278E88E7B2} - C:\Program Files\GTRAN Wireless\GT Dialer\gtindctr.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppletINIT] INITIATE.EXE
O4 - HKLM\..\Run: [SDKCprords] SDKc55rezzz.exe
O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [SDKCprords] SDKc55rezzz.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SDKCprords] SDKc55rezzz.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\RunOnce: [AppletINIT] INITIATE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4867446330
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh ... wflash.cab

Hopefully, you'll be able to help.

Many thanks,

welly
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Hello welly, welcome to ozzu. I'm looking over your log right now. In the meantime, please download the latest version of hijack this:
http://www.majorgeeks.com/download3155.html

Which version of Windows XP do you have?
  • welly
  • Newbie
  • Newbie
  • welly
  • Posts: 6

Post 3+ Months Ago

Thanks for the prompt attention - you guys are awesome!

My friend is running XP pro SP1.

His place (and the laptop!) is the other side of town so I apologise in advance if I'm a little slow in responding to requests. However, I will make sure to download the latest version of HijackThis when I'm next over there.

Cheers

welly
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

It shouldn't matter too much. Hopefully we can get rid of this in one go. :)

Copy the following instructions so you will have them handy.

Reboot the computer into safe mode and close all programs.
Disable system restore.

Go to Start > Run and enter: cmd.exe
enter the following commands one at a time into the command prompt window:
Code: [ Select ]
taskkill /F /IM SDK0mCORE.exe
taskkill /F /IM SDKc55rezzz.exe

attrib -r -s -h C:\WINDOWS\System32\SDK0mCORE.exe
attrib -r -s -h C:\WINDOWS\System32\SDKc55rezzz.exe

del C:\WINDOWS\System32\SDK0mCORE.exe
del C:\WINDOWS\System32\SDKc55rezzz.exe
  1. taskkill /F /IM SDK0mCORE.exe
  2. taskkill /F /IM SDKc55rezzz.exe
  3. attrib -r -s -h C:\WINDOWS\System32\SDK0mCORE.exe
  4. attrib -r -s -h C:\WINDOWS\System32\SDKc55rezzz.exe
  5. del C:\WINDOWS\System32\SDK0mCORE.exe
  6. del C:\WINDOWS\System32\SDKc55rezzz.exe


Run hijack this, scan, place a check beside the following items and click 'Fix Checked'.

O4 - HKLM\..\Run: [SDKCprords] SDKc55rezzz.exe
O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [SDKCprords] SDKc55rezzz.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe

O4 - HKCU\..\Run: [SDKCprords] SDKc55rezzz.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe

Reboot, run hijack this, save log, post log. Hopefully the above will take care of the problem.
  • welly
  • Newbie
  • Newbie
  • welly
  • Posts: 6

Post 3+ Months Ago

Unfortunately I don't have access to the log file just yet but I got my friend to make the changes you suggest and it hasn't fixed the problem.

Hopefully, I'll be able to get round there tomorrow and double check that he's done it all right.

Thanks again for your quick response.

Cheers

welly
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Add this to the list of commands:

Code: [ Select ]
taskkill /F /IM INITIATE.EXE

attrib -r -s -h C:\WINDOWS\System32\INITIATE.EXE

del C:\WINDOWS\System32\INITIATE.EXE
  1. taskkill /F /IM INITIATE.EXE
  2. attrib -r -s -h C:\WINDOWS\System32\INITIATE.EXE
  3. del C:\WINDOWS\System32\INITIATE.EXE


Fix this with Hijack this:
O4 - HKLM\..\Run: [AppletINIT] INITIATE.EXE
O4 - HKCU\..\RunOnce: [AppletINIT] INITIATE.EXE
  • welly
  • Newbie
  • Newbie
  • welly
  • Posts: 6

Post 3+ Months Ago

Will do!

Out of interest, how do you know which files shouldn't be running? Experience, Googling to see if there is any mention of the file?

Cheers

welly
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

A combination of all of the above. :)

A dead giveaway is when the same program is set to launch at startup in more than one location. Example:

O4 - HKLM\..\Run: [SDKCprords] SDKc55rezzz.exe
O4 - HKCU\..\Run: [SDKCprords] SDKc55rezzz.exe
O4 - HKLM\..\RunServices: [SDKCprords] SDKc55rezzz.exe

O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe

No legimate program will be found in all these different registry locations. That's not to say all programs in a single area are legitimate.

Check out this thread: http://www.ozzu.com/mswindows-forum/highjackthis-and-spyware-removal-resources-and-tips-t31034.html

We've just started dealing with Hijack This logs here at Ozzu but were getting better all the time.
  • welly
  • Newbie
  • Newbie
  • welly
  • Posts: 6

Post 3+ Months Ago

Thanks for all the help. I've emailed all of your instructions to my friend as I'm not able to get over there today. Hopefully he is up to fixing this!

Cheers

welly
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Hope he gets things squared away. If he has an internet connection, he can always drop by. If not, feel free to continue asking questions here.

Good luck.
  • knapkin
  • Born
  • Born
  • knapkin
  • Posts: 4

Post 3+ Months Ago

im having the same problem with windows task manager, heres my hijack this log.


Logfile of HijackThis v1.98.2
Scan saved at 11:13:12 PM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Winad Client\Winad.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\active.exe
C:\documents and settings\robert knapp\local settings\temp\2W.exe
C:\WINDOWS\System32\EXPLORERZ.EXE
C:\Program Files\Winad Client\WinClt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\Documents and Settings\Tyler Knapp\Desktop\Shtuff\HijackThis.exe
C:\Documents and Settings\Tyler Knapp\Desktop\Shtuff\aim.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {19FF602A-C36C-5CCF-D652-64557CAC2737} - C:\WINDOWS\System32\kngncuji.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [2W] C:\documents and settings\robert knapp\local settings\temp\2W.exe
O4 - HKLM\..\Run: [Windows Explorer] EXPLORERZ.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Windows Explorer] EXPLORERZ.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Tyler Knapp\Desktop\Shtuff\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file. ... 6f8b5fbb1c
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EE24AEC-7493-4A12-ADF8-9563F69241FB}: NameServer = 205.188.146.146

thanks for any help you can give!
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Welcome to Ozzu, knapkin. I'm currently looking over your log right now. It will take a few minutes so hang tight. :). In the meantime, please go to add/remove programs and remove anything related to My search, My way, My web, or My bar.
  • knapkin
  • Born
  • Born
  • knapkin
  • Posts: 4

Post 3+ Months Ago

i cant find anything in add/remove to do with my web, my bar or anthing
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Ok, no problem. Just hang tight and we'll get you fixed up. Do you have xp pro or home edition?
  • knapkin
  • Born
  • Born
  • knapkin
  • Posts: 4

Post 3+ Months Ago

windows xp media edition, its professional with some new microsoft media stuff (pretty nice)
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Okay, first download pskill: http://www.sysinternals.com/ntw2k/freeware/pskill.shtml

Extract the contents of the zip archive (pskill.exe) to c:\windows\system32\

Next, copy the following into notepad and save it as "fix.cmd" with the quotes.

Code: [ Select ]
@echo off

pskill active.exe >"%userprofile\desktop\log.txt"
pskill 2W.exe >>"%userprofile\desktop\log.txt"

attrib -r -s -h C:\active.exe >>"%userprofile\desktop\log.txt" >>"%userprofile\desktop\log.txt"
attrib -r -s -h "C:\documents and settings\robert knapp\local settings\temp\2W.exe" >>"%userprofile\desktop\log.txt"
attrib -r -s -h C:\WINDOWS\System32\kngncuji.dll >>"%userprofile\desktop\log.txt"

regsvr32 /u /s C:\WINDOWS\System32\kngncuji.dll >>"%userprofile\desktop\log.txt"

del C:\active.exe >>"%userprofile\desktop\log.txt" >>"%userprofile\desktop\log.txt"
del "C:\documents and settings\robert knapp\local settings\temp\2W.exe" >>"%userprofile\desktop\log.txt"
del C:\WINDOWS\System32\kngncuji.dll >>"%userprofile\desktop\log.txt"
  1. @echo off
  2. pskill active.exe >"%userprofile\desktop\log.txt"
  3. pskill 2W.exe >>"%userprofile\desktop\log.txt"
  4. attrib -r -s -h C:\active.exe >>"%userprofile\desktop\log.txt" >>"%userprofile\desktop\log.txt"
  5. attrib -r -s -h "C:\documents and settings\robert knapp\local settings\temp\2W.exe" >>"%userprofile\desktop\log.txt"
  6. attrib -r -s -h C:\WINDOWS\System32\kngncuji.dll >>"%userprofile\desktop\log.txt"
  7. regsvr32 /u /s C:\WINDOWS\System32\kngncuji.dll >>"%userprofile\desktop\log.txt"
  8. del C:\active.exe >>"%userprofile\desktop\log.txt" >>"%userprofile\desktop\log.txt"
  9. del "C:\documents and settings\robert knapp\local settings\temp\2W.exe" >>"%userprofile\desktop\log.txt"
  10. del C:\WINDOWS\System32\kngncuji.dll >>"%userprofile\desktop\log.txt"


Next copy the following into anothe text file, "fix.txt"; this is what you will need to fix with hijack this:
Code: [ Select ]
O2 - BHO: (no name) - {19FF602A-C36C-5CCF-D652-64557CAC2737} - C:\WINDOWS\System32\kngncuji.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [2W] C:\documents and settings\robert knapp\local settings\temp\2W.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
  1. O2 - BHO: (no name) - {19FF602A-C36C-5CCF-D652-64557CAC2737} - C:\WINDOWS\System32\kngncuji.dll
  2. O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
  3. O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
  4. O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
  5. O4 - HKLM\..\Run: [2W] C:\documents and settings\robert knapp\local settings\temp\2W.exe
  6. O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
  7. O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
  8. O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
  9. O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab


Okay. Once you have copied everything and saved it, reboot into safe mode. Double click the file, "fix.cmd".

Next, run hijack this, scan and place a check beside the items listed in fix.txt. Click 'Fixed checked'.

Reboot, run hijack this, scan and save the log. There should be a text file on your desktop called log.txt. Post that and your new hijack this log. Hopefull, the problem will be taken care of by this time.
  • under3p
  • Born
  • Born
  • under3p
  • Posts: 1

Post 3+ Months Ago

Having the same problem with the task manager, etc.

here's my hijack this log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\pctspk.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Archivos de programa\TELMEX\Prodigy Infinitum\app\TangoService.exe
C:\WINDOWS\System32\taskmqr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\ARCHIV~1\TELMEX\PRODIG~1\app\TangoManager.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\tftp.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ponchin\Configuración local\Archivos temporales de Internet\Content.IE5\6JU1IJ69\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.prodigy.com.mx/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Archivos de programa\iMesh Light\iMeshBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [TangoManager] C:\ARCHIV~1\TELMEX\PRODIG~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Media Player] taskmqr.exe
O4 - HKLM\..\Run: [MSConfig] C:\EmergencyUtils\Copy_of_MSConfig.exe /auto
O4 - HKLM\..\RunServices: [WindowsRegKey update] winupdate.exe
O4 - HKLM\..\RunServices: [Windows Media Player] taskmqr.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] flunkw.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Media Player] taskmqr.exe
O4 - HKCU\..\RunServices: [Windows Media Player] taskmqr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Shared ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{050067AD-6B3D-4DBE-B9BA-9910EC2C0B26}: NameServer = 200.33.146.217 200.33.146.209
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Hello under3p, just hang tight and I will be with you in a moment. Welcome to Ozzu. :)
  • knapkin
  • Born
  • Born
  • knapkin
  • Posts: 4

Post 3+ Months Ago

Logfile of HijackThis v1.98.2
Scan saved at 12:19:52 AM, on 9/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Winad Client\Winad.exe
C:\WINDOWS\System32\EXPLORERZ.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Winad Client\WinClt.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tyler Knapp\Desktop\Shtuff\aim.exe
C:\Documents and Settings\Tyler Knapp\Desktop\Shtuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [Windows Explorer] EXPLORERZ.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Windows Explorer] EXPLORERZ.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Tyler Knapp\Desktop\Shtuff\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie...
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EE24AEC-7493-4A12-ADF8-9563F69241FB}: NameServer = 205.188.146.146
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

under3p, first download this file: http://www.sysinternals.com/files/pskill.zip
Extract pskill.exe to C:\windows\system32\

Next, copy the following command into notepad and save as, "fix.cmd". Include the quotes when saving,
Code: [ Select ]
@echo off

pskill taskmqr.exe >%userprofile\desktop\log.txt"
pskill winupdate.exe >>%userprofile\desktop\log.txt"

attrib -r -s -h C:\WINDOWS\System32\taskmqr.exe >>%userprofile\desktop\log.txt"

del C:\WINDOWS\System32\taskmqr.exe >>%userprofile\desktop\log.txt"
  1. @echo off
  2. pskill taskmqr.exe >%userprofile\desktop\log.txt"
  3. pskill winupdate.exe >>%userprofile\desktop\log.txt"
  4. attrib -r -s -h C:\WINDOWS\System32\taskmqr.exe >>%userprofile\desktop\log.txt"
  5. del C:\WINDOWS\System32\taskmqr.exe >>%userprofile\desktop\log.txt"


Next, copy the following items into notepad and save as "fix.txt". These will be the items you will fix with Hijack This:
Code: [ Select ]
O4 - HKLM\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKLM\..\Run: [Windows Media Player] taskmqr.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] winupdate.exe
O4 - HKLM\..\RunServices: [Windows Media Player] taskmqr.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] flunkw.exe
O4 - HKCU\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [Windows Media Player] taskmqr.exe
O4 - HKCU\..\RunServices: [Windows Media Player] taskmqr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  1. O4 - HKLM\..\Run: [WindowsRegKey update] winupdate.exe
  2. O4 - HKLM\..\Run: [Windows Media Player] taskmqr.exe
  3. O4 - HKLM\..\RunServices: [WindowsRegKey update] winupdate.exe
  4. O4 - HKLM\..\RunServices: [Windows Media Player] taskmqr.exe
  5. O4 - HKLM\..\RunServices: [Microsoft Update Machine] flunkw.exe
  6. O4 - HKCU\..\Run: [WindowsRegKey update] winupdate.exe
  7. O4 - HKCU\..\Run: [Windows Media Player] taskmqr.exe
  8. O4 - HKCU\..\RunServices: [Windows Media Player] taskmqr.exe
  9. O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  10. O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Once you have copied the above to the appropriate files, reboot into safe mode. Once in safe mode, double click "fix.cmd".

Next, run hijack this, scan, and place a check next to the items listed in fix.txt and click 'Fixed checked'.

Reboot, Run Hijack This, Scan, save the log. There should be a file called 'log.txt' on your desktop, Post that and your new Hijack This log here. Hopefully the problem will be fixed by this time. Good luck.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Knapkin, are you still having problems? also, post the contents of "log.txt" that's on your desktop.
  • welly
  • Newbie
  • Newbie
  • welly
  • Posts: 6

Post 3+ Months Ago

Just wanted to say thank you for your time and solving the problem so quickly. My friend's laptop is now running as good as new and even if he doesn't know what Task Manager, regedit and msconfig are at least I know that they are running okay!

Once again, thank you

welly
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

No problem. Glad things are working again. :)
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Anyone wanting to post their Hijack This log, please make a new topic with the title: Hijack This Log - Description of the problem.

This thread is becoming untenable.

Also, before posting your Hijack This Log, please use either Spybot S&D or Adaware.

See this thread for further resources: http://www.ozzu.com/mswindows-forum/highjackthis-and-spyware-removal-resources-and-tips-t31034.html

Post Information

  • Total Posts in this topic: 132 posts
  • Users browsing this forum: No registered users and 21 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 1998-2016. Ozzu® is a registered trademark of Unmelted, LLC.