TheTechGuide Forum

General Category => Tech Clinic => Topic started by: arlene on November 19, 2004, 09:46:41 PM

Title: rundll32.exe missing
Post by: arlene on November 19, 2004, 09:46:41 PM
On start up, I received an error message that a dll file was restored successfully, but all wireless connections were lost and a WEP key had to be reentered. After putting it back in, the connection was restored but now I cannot start any programs. I keep receiving the error message "rundll32.exe is missing". I searched the internet and looked for help and tried to reinstall from the XP CD and I keep getting the error message "EXPAND.EXE not found", when typing in START>RUN> expand\D:i386\rundll32.ex c:\windows\rundll32.exe. My only recourse is reinstalling Windows XP operating system. Do you have any suggestions on what to try next? I think I really need some help.
thanks
Title: rundll32.exe missing
Post by: guestolo on November 19, 2004, 10:52:04 PM
Make sure you have the Windows XP in your drive

Ensure you typed it correctly and make sure D is your CD drive

expand  X:\i386\rundll32.ex_ c:\windows\rundll32.exe

X being your CD drive

Or try from a command prompt
Start>>>Run>>type in cmd then hit Enter
Type the above and hit Enter

Restart your computer

But this usually happens when you're hit by a virus, I suggest you try an Online Virus scan
at RAV's
http://www.ravantivirus.com/scan/
When you access that link with Internet Explorer
click on the "To Continue without subsribing click here" link
It will load the activex and dat files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan
Then click the Scan my PC button
Let it completely finish scanning
Copy and Paste the results back here

You should also post a Hijackthis log so we can see if we can Identify any changes in the registry
Important
Create a Permanent Folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to that new folder

Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important

Could you also Set Windows to Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Search for rundll32.exe in this folder
C:\WINDOWS\system32
let me know if you can find it and if you can, right click on it and click properties
Let me know file size and date created

Also, let me know if you can find rundll32.exe in this folder
C:\WINDOWS\SYSTEM32\DLLCACHE

Can you open up any programs?
Can you use your Unzipping utility for Windows XP to extract a file downloaded from the net?
Title: rundll32.exe missing
Post by: atomilano on November 20, 2004, 02:00:40 PM
Hi
Here are the results of the RAV scan:
Scan started at 11/20/2004 12:54:09 PM
 
Scanning memory...
Scanning boot sectors...
Scanning files...

Scanned
============================
   Objects: 42025
   Directories: 2802
   Archives: 7546
   Size(Kb): -1324415
   Infected files: 0

Found
============================
   Viruses found: 0
   Suspicious files: 0
   Disinfected files: 0
   Mail files: 327

I am running Hijack next- I will add it to the next post.


I could not complete the expand: or the start>run> cmd, because it kept telling me that cmd.exe could not be found.
Title: rundll32.exe missing
Post by: atomilano on November 20, 2004, 02:10:01 PM
I downloaded Hijackthis.exe and when I try to RUN it I receive the same message that I receive from all of my other icons when I try to run it.
Windows cannot open this file
File : Hijackthis.exe

To open this windows needs to know which program created it. Windows can go online to look it up automatically, or you can manually select from a list of programs on your computer.

What do you want to do?

 a) Use the web service to find the appropriate program

 b) Select the program from the list

A thought occurred to me. Right before this situation happened (night before) I did something dumb and let the battery run out. When the power cord was put in, everything was activated and working properly. I did not shut the computer down and restart. Next day I did a shut down and then I received the .dll recovery message and the problems began. I am sorry I forgot this info, I did not think it mattered.
I cannot run Hijack this . I am going to try the last instructions that you gave me which was sending you the hidden files.  I will add to the next post.
Title: rundll32.exe missing
Post by: guestolo on November 20, 2004, 02:20:55 PM
I was curious if you can unzip files

Try download this registry fix
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

Save it and UNZIP it to your desktop
Double click on xp_exe_fix.reg  and Allow it to merge to the registry

Restart your computer and try sending me a Hijackthis log
Title: rundll32.exe missing
Post by: atomilano on November 20, 2004, 02:33:47 PM
Rundll32.exe was found.
file size = 32.5 kb
Created March 30, 2003


Rundll32.exe is not found in c:\windows\system32\DLLCACHE

I cannot open any programs


I am not sure where the Unzipping utility for Windows XP is to extract a file download ?  Can you give me some help with this?
Title: rundll32.exe missing
Post by: guestolo on November 20, 2004, 02:40:49 PM
The zipping utility is incorporated in the right click option

If you're having problems just download the reg file directly from here
xp_fix_exe.reg
Save it to your desktop
Close out all windows including this one, double click on the reg file and allow it to Merge to the registry
Restart your computer and post back
Title: rundll32.exe missing
Post by: atomilano on November 20, 2004, 02:44:56 PM
I tried the Dougknox.com and I can download, unzip it, but I cannot run it. I keep getting the same message

Window cannot find a program to run this......
Title: rundll32.exe missing
Post by: Guest on November 20, 2004, 02:51:48 PM
Don't give up
Try download it from that direct link I gave you

Try restarting into
Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4) and merging it
Title: rundll32.exe missing
Post by: atomilano on November 20, 2004, 02:54:57 PM
I downloaded it, saved it to desktop, closed out everything and rebooted. I clicked on the file name called XP_Exp-fix.reg and I get the same message as before: "windows cannot open file ......", the same message as above.
Title: rundll32.exe missing
Post by: atomilano on November 20, 2004, 03:01:31 PM
I am trying the reboot in safe mode now
Title: rundll32.exe missing
Post by: guestolo on November 20, 2004, 03:02:25 PM
Let's try this method
Download this Zipped file xp_fileassoc.zip (http://www.dougknox.com/xp/fileassoc/xp_fileassoc.zip)
UNZIP it to your desktop and Double click on the
xp_fileassoc.bat to run it
Follow the prompts

RESTART your computer afterwards
Title: rundll32.exe missing
Post by: atomilano on November 20, 2004, 03:44:53 PM
Hi
I was successful with the .Bat file and it looks like everything is working properly.

 I did not get prompted for anything, it ran quickly and I rebooted and it looks good
Thank you so much !  

Can you tell me how I got into this mess?  Was it the battery running out,  a virus?
Title: rundll32.exe missing
Post by: guestolo on November 20, 2004, 03:48:08 PM
Good to hear atomilano

I would have bet a virus, it's possible the registry became corrupt
I can't see it happening with a dead battery
I just plugged my Laptop back in to recharge backup :D

I would still like to see a Hijackthis log, let's make sure you are clean
Title: rundll32.exe missing
Post by: atomilano on November 20, 2004, 03:51:59 PM
Ok I am going to try that now
Title: rundll32.exe missing
Post by: atomilano on November 20, 2004, 03:55:21 PM
Logfile of HijackThis v1.98.2
Scan saved at 4:03:21 PM, on 11/20/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8l.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Title: rundll32.exe missing
Post by: guestolo on November 20, 2004, 04:05:35 PM
Your log looks good, just a little bit of cleaning up

Do another scan with Hijackthis and put a tick next to these entries

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


After you have ticked the above entries, close all open windows, including this one
Leave Hijackthis open and FIX CHECKED
Yes to the prompt and exit Hijackthis

Restart your computer

For a little added protection you may be interested in this free program
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
It doesn't run in the background, just do the above and check for updates every couple of weeks

I see you have Spybot installed.
Is it version 1.3, I would think it would be
You can use Spybot Immunization feature to add a little extra protection too
Simply open Spybot
Click on Immunize>>>OK>>>Click Immunize at the top

Take care atomilano :D
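
The selection made in the post above (the entries whose target is "(no file)") can be reproduced by parsing the log. This is an added example, not part of the original thread and not HijackThis code; the sample lines are an excerpt copied from the log posted earlier in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: a shortened excerpt of the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 4:03:21 PM, on 11/20/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

# An entry line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt_log(text):
    """Split a pasted log into (header dict, running processes, entry dicts)."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            body = match.group("body")
            clsid = CLSID_RE.search(body)
            entries.append({
                "code": match.group("code"),
                "body": body,
                # CLSIDs are case-insensitive; normalise so duplicates group.
                "clsid": clsid.group(0).upper() if clsid else None,
                # The registry entry exists but the log shows no file for it.
                "orphaned": body.endswith("(no file)"),
            })
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif line.startswith("Logfile of HijackThis"):
            header["version"] = line.rsplit(" ", 1)[-1]
        elif line.startswith("Scan saved at "):
            header["saved"] = line[len("Scan saved at "):]
        elif ":" in line:                 # "Platform: ..." and "MSIE: ..."
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header, processes, entries


def orphaned_by_clsid(entries):
    """Group '(no file)' entries by CLSID: one leftover often shows up twice."""
    groups = {}
    for entry in entries:
        if entry["orphaned"]:
            groups.setdefault(entry["clsid"], []).append(entry)
    return groups


def orphan_lines(text):
    """Return the original log lines that are candidates for review."""
    _, _, entries = parse_hjt_log(text)
    return [f'{e["code"]} - {e["body"]}' for e in entries if e["orphaned"]]


if __name__ == "__main__":
    header, processes, entries = parse_hjt_log(SAMPLE_LOG)
    print(header["version"], "on", header["Platform"])
    print("sections:", dict(Counter(e["code"] for e in entries)))
    for clsid, group in orphaned_by_clsid(entries).items():
        print(clsid, "->", [e["code"] for e in group])
    for line in orphan_lines(SAMPLE_LOG):
        print("review:", line)
```
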
Title: rundll32.exe missing
Post by: atomilano on November 20, 2004, 05:47:28 PM
I really don't know how to say thank you enough. You were a tremendous help to me and I did not think I would get this working at all.


Thanks again!
Have a good day and a very nice Thanksgiving! :D
Title: rundll32.exe missing
Post by: v3rtige on December 01, 2004, 11:02:12 PM
please help me, i have the exact same problem but the .bat did not help...i extracted it and double-clicked it to run it, but it did not run...it turns semi-transparent and nothing happens
Title: rundll32.exe missing
Post by: Guest on December 02, 2004, 12:12:31 AM
What operating system are you running?
Can you post a hijackthis log?, instructions are above in this post

You tried the .bat file
Did you try the other exe fix in this thread from Dougknox?

Have you tried an online virus scan

I recommend trying one at Housecall's---Set to Autoclean
http://housecall.trendmicro.com/

and/or at Panda's
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Try and post a hijackthis log if you can

Need more info about operating system and such
Title: rundll32.exe missing
Post by: v3rtige on December 02, 2004, 08:26:23 PM
The operating system is Windows XP Pro w/ SP1
Hijackthis wont run, it does the same as the .bat file.
When I tried to run the file from Dougknox i got "Windows cannot open this file: File: xp_exe_fix.reg
To open this file Windows needs to know what program created it. etc...."

Housecall did not work
Panda's worked and found + repaired some viruses but i still have the same problem
Title: rundll32.exe missing
Post by: Guest on December 02, 2004, 08:28:24 PM
basically, Panda's did not solve the issue and i still have the problem
Title: rundll32.exe missing
Post by: v3rtige/Guest on December 02, 2004, 08:35:43 PM
:(
Title: rundll32.exe missing
Post by: guestolo on December 02, 2004, 08:36:55 PM
Download this removal tool to desktop and try running it, if it won't run try running it in safe mode
Let me know if it helps, if it does please post a Hijackthis log
http://www.sarc.com/avcenter/FixSirc.com
Title: rundll32.exe missing
Post by: Guest on December 02, 2004, 08:39:11 PM
didnt work....going to safemode

do u have aim or msn or anything that u wouldnt mind givin me to try to solve this? my msn is qmncEmail Removed
Title: rundll32.exe missing
Post by: v3rtige on December 02, 2004, 08:45:55 PM
same thing happened in safemode...it does what the .bat file did
and when i run it through start > run and run it through there i get the message "windows cannot open this file....", the same one =[
Title: rundll32.exe missing
Post by: Guest on December 03, 2004, 01:59:59 AM
Does this help you out
http://windowsxp.mvps.org/exefile.htm
Title: rundll32.exe missing
Post by: v3rtige on December 04, 2004, 11:57:21 AM
rather than saying .exe it says .ink for every exe file
Title: rundll32.exe missing
Post by: Guest on December 04, 2004, 12:14:11 PM
i take that back...it only says it cannot run .ink when i use a shortcut or start menu option
Title: rundll32.exe missing
Post by: guestolo on December 04, 2004, 01:56:34 PM
What did Panda find?
Did you keep note of the infections if any

Try one more Online Virus scan, then we can look in your folders for anything that was renamed
We can try a system restore from a command line, but try this first

Do a free Online AV scan at RAV's
http://www.ravantivirus.com/scan/
When you access that link with Internet Explorer
click on the "To Continue without subsribing click here" link
It will load the activex and definition files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan
Then click the 'Scan my PC button'
Let it completely finish scanning
When it's complete, copy and paste the results back here
Title: rundll32.exe missing
Post by: queenshawtii on December 05, 2004, 02:23:40 PM
I'm having this same problem also, I can start a new thread if you would like but i'll post what i have so far because i have to leave for work soon.

i scanned with RavAV and here is the log.. it could not remove these viruses..

Scan started at 12/3/2004 2:27:00 PM
 
Scanning memory...
C:\pack3_exe.vir->(RARSfx)->40124.exe->(UPXW) - Backdoor:Win32/MoSucker.0_6 -> Infected
C:\Documents and Settings\Fam\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q3I3IXUR\-indianv[1].htm->(SCRIPT0000) - JS/Exploit.ActiveXComponent* -> Suspicious
C:\Documents and Settings\Fam\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q3I3IXUR\-indianv[1].htm->(SCRIPT0001) - JS/Seeker-based.gen* -> Infected
C:\Documents and Settings\Fam\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q3I3IXUR\dtop[1].htm->(SCRIPT0000) - JS/Exploit.ActiveXComponent* -> Suspicious
C:\Documents and Settings\Fam\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q3I3IXUR\dtop[1].htm->(SCRIPT0001) - JS/Seeker-based.gen* -> Infected
C:\Documents and Settings\Fam\Application Data\hsap.exe - TrojanDownloader:Win32/PurityScan.O -> Infected

Scanned
============================
   Objects: 38998
   Directories: 2475
   Archives: 951
   Size(Kb): -218294
   Infected files: 4

Found
============================
   Viruses found: 3
   Suspicious files: 2
   Disinfected files: 0
   Mail files: 82

and Here is the  HJT log

Logfile of HijackThis v1.98.2
Scan saved at 5:54:30 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Documents and Settings\Compaq\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Documents and Settings\Fam\Desktop\fo-wss3spysweep\patched\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - file://C:\WINDOWS\SexDownloader.cab
O20 - AppInit_DLLs: PAVWAIT.DLL

thanks..
Title: rundll32.exe missing
Post by: guestolo on December 05, 2004, 03:19:13 PM
Exactly what problem are you having, you seem to be able to run .exe files
Let me know the exact error message

You must also post your Whole hijackthis log from Top to Bottom
Are you posting it all?

Includes all running processes and Operating system and date scanned
Include everything

If you can't view your task manager download this small utility
Process Viewer by SysInternals
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Open Process Viewer and click File>>Save as
Save the file and post it back here
along with a fresh hijackthis log
Title: rundll32.exe missing
Post by: queenshawtii on December 06, 2004, 10:17:15 AM
My problem is that when i try to run certain applications from their shortcut i get the "open with.." window.. and also when i try to run anything from the Control Panel i get this error "rundll32.exe not found"..but i just tried to run add/remove programs and it worked! i don't know what happened but i'm still gonna post this because i don't know if it's gonna come back or not. Here you go..


Here is a fresh HJT log.. this is the entire log.
----------------------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 10:09:14 AM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Documents and Settings\Compaq\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Documents and Settings\Fam\Desktop\fo-wss3spysweep\patched\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - file://C:\WINDOWS\SexDownloader.cab
O20 - AppInit_DLLs: PAVWAIT.DLL
-----------------------------------------------------------------
And here is the Process Explorer log

-----------------------------------------------------------
Process   PID   CPU   Description   Company Name
System Idle Process   0   96      
 Interrupts   n/a      Hardware Interrupts   
 DPCs   n/a      Deferred Procedure Calls   
 System   4         
  SMSS.EXE   300      Windows NT Session Manager   Microsoft Corporation
   CSRSS.EXE   404      Client Server Runtime Process   Microsoft Corporation
   WINLOGON.EXE   432      Windows NT Logon Application   Microsoft Corporation
    SERVICES.EXE   480   2   Services and Controller app   Microsoft Corporation
     SVCHOST.EXE   652      Generic Host Process for Win32 Services   Microsoft Corporation
      ycommon.exe   1448      YCommon Exe Module   Yahoo!, Inc.
     SVCHOST.EXE   696      Generic Host Process for Win32 Services   Microsoft Corporation
     SVCHOST.EXE   768      Generic Host Process for Win32 Services   Microsoft Corporation
      wscntfy.exe   1456      Windows Security Center Notification App   Microsoft Corporation
     SVCHOST.EXE   828      Generic Host Process for Win32 Services   Microsoft Corporation
     SVCHOST.EXE   936      Generic Host Process for Win32 Services   Microsoft Corporation
     SPOOLSV.EXE   1096      Spooler SubSystem App   Microsoft Corporation
     pavFnSvr.exe   1248      Panda Function Service   Panda Software
     PAVPROT.EXE   1268      PavProt Application   Panda Software
     PavPrSrv.exe   1528      Panda Process Protection Service   Panda Software
     PAVSRV51.EXE   1556      On-Access Antivirus Scanner Service.   Panda Software
      AVENGINE.EXE   1708      Enhanced On-Access Antivirus Scanner Process.   Panda Software
     Prevsrv.exe   1584      Panda Preventium+ © service   Panda Software
     PSIMSVC.EXE   1736      Common Interface Manager   Panda Software Internacional
     WDFMGR.EXE   1876      Windows User Mode Driver Manager   Microsoft Corporation
     WANMPSVC.EXE   1932      Wan Miniport (ATW) Service   America Online, Inc.
     ALG.EXE   764      Application Layer Gateway Service   Microsoft Corporation
    LSASS.EXE   492      LSA Shell (Export Version)   Microsoft Corporation
   CSRSS.EXE   3264      Client Server Runtime Process   Microsoft Corporation
   WINLOGON.EXE   2864      Windows NT Logon Application   Microsoft Corporation
    wscntfy.exe   3612      Windows Security Center Notification App   Microsoft Corporation
    ycommon.exe   3020      YCommon Exe Module   Yahoo!, Inc.
EXPLORER.EXE   3932      Windows Explorer   Microsoft Corporation
 YBRWICON.EXE   568      YBrwIcon   Yahoo!, Inc.
 realsched.exe   2156      RealNetworks Scheduler   RealNetworks, Inc.
 msmsgs.exe   2456      Windows Messenger   Microsoft Corporation
 aoltray.exe   1840      AOL Tray Icon   America Online, Inc.
Ymsgr_tray.exe   2300         
EXPLORER.EXE   3352      Windows Explorer   Microsoft Corporation
 YBRWICON.EXE   1688      YBrwIcon   Yahoo!, Inc.
 msmsgs.exe   2356      Windows Messenger   Microsoft Corporation
 spydoctor.exe   3656         PCTools
 aoltray.exe   2624      AOL Tray Icon   America Online, Inc.
 iexplore.exe   3124      Internet Explorer   Microsoft Corporation
 procexp.exe   1512   2   Sysinternals Process Explorer   Sysinternals

Process: Procexp Pid: -2

Type   Name
-----------------------------------------------------------------------------------
Title: rundll32.exe missing
Post by: guestolo on December 06, 2004, 08:22:47 PM
I'm uploading a file
Rundll32.exe (http://www.freewebs.com/benditup/rundll32.exe)

Save that file to your C:\WINDOWS\SYSTEM32 folder

Allow it to overwrite if prompted
That file is from a Windows XP SP2 machine

If you have trouble with the link, just right click on it and copy the shortcut and paste it in IE's address bar and hit GO

Do another scan with Hijackthis and put a check next to these entries
Keep in mind that red.clientapps is red sheriff spyware

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing

O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - file://C:\WINDOWS\SexDownloader.cab


After you have ticked the above entries, close down all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit hijackthis

RESTART your computer

Is everything running better?
Post back with another Hijackthis log

If .exe's are still not opening properly

Try downloading this registry fix
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

Save it and UNZIP it to your desktop
Double click on xp_exe_fix.reg  and Allow it to merge to the registry

EDIT>>Getting this fix confused with another user in this thread
Try downloading rundll32.exe and do the fixes I suggested and post back a fresh hijackthis log after a restart
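
Added example, not part of the post above and not HijackThis code: a small Python parser for the HijackThis v1.98.2 log layout posted in this thread, with three triage rules that mirror the kinds of entries ticked in the reply (an R0/R1 Internet Explorer value on a watched host, the R3 "missing" search hook, and an O16 DPF control installed from a local file:// CAB). The function names, the watchlist argument and the rules themselves are assumptions of this example; the sample lines are excerpted from the first log above.

```python
import re
from urllib.parse import urlparse

# Lines excerpted from the first log posted in this thread (HijackThis v1.98.2 layout).
SAMPLE_LOG = r'''Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\Documents and Settings\Compaq\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - file://C:\WINDOWS\SexDownloader.cab
'''

# A section line is "<letter><1-2 digits> - <body>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_log(text):
    """Return one dict per section line; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        entry = {"code": code, "body": body, "clsid": None, "key": None, "data": None}
        clsid = CLSID_RE.search(body)
        if clsid:
            entry["clsid"] = clsid.group(0).upper()
        if code in ("R0", "R1") and " = " in body:
            # "registry key,value name = data"
            entry["key"], _, entry["data"] = body.partition(" = ")
        elif code == "O16":
            # "DPF: {CLSID} (name) - source"; the source may be empty.
            head, sep, source = body.rpartition(" - ")
            entry["key"], entry["data"] = (head, source) if sep else (body, "")
        entries.append(entry)
    return entries


def host_of(value):
    """Host of an http(s) URL, or '' for anything else (paths, file://, empty)."""
    if not value or not value.lower().startswith(("http://", "https://")):
        return ""
    try:
        return urlparse(value).hostname or ""
    except ValueError:
        return ""


def triage(entries, watch_hosts):
    """Apply this example's heuristics; returns (code, reason, subject) tuples.

    watch_hosts is an analyst-supplied set of host names (an assumption of
    this example, not a HijackThis feature).
    """
    findings = []
    for e in entries:
        code, data = e["code"], e["data"] or ""
        host = host_of(data)
        if code in ("R0", "R1") and any(
            host == w or host.endswith("." + w) for w in watch_hosts
        ):
            findings.append((code, "IE setting points at watched host " + host, e["key"]))
        elif code == "R3" and e["body"].endswith("is missing"):
            findings.append((code, "default URLSearchHook reported missing", e["body"]))
        elif code == "O16" and data.lower().startswith("file://"):
            findings.append(
                (code, "ActiveX control installed from a local CAB", e["clsid"] or e["key"])
            )
    return findings


if __name__ == "__main__":
    for code, reason, subject in triage(parse_log(SAMPLE_LOG), {"red.clientapps.yahoo.com"}):
        print(f"{code:<4}{reason}: {subject}")
```
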
Title: rundll32.exe missing
Post by: guestolo on December 06, 2004, 08:33:31 PM
Forgot to add
Can you also set Windows to Show Hidden Files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types option.
* Click Yes to confirm.
* Click OK.

Restart your computer into Safe mode
You can do this by tapping the F8 key on the keyboard when the computer is booting up

Navigate to and delete this file if found
C:\Documents and Settings\Fam\Application Data\hsap.exe <--file

Also navigate to these folders
Delete the WHOLE contents, including subfolders, DON'T delete the Temp folders themselves
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Look for the other file found bad by Rav's and delete it

Restart back into Normal mode
Title: rundll32.exe missing
Post by: Guest on December 07, 2004, 09:05:03 PM
This is Queenshawtii, I've been trying to download the rundll32.exe but I'm getting the message that my settings don't allow for this type of file to be downloaded..so I'm trying to download it on another pc and put it in a zip file right now.. when I'm done doing all those things above I'll post a fresh log.
Title: rundll32.exe missing
Post by: queenshawtii on December 07, 2004, 09:14:27 PM
Okay, I tried and it won't let me download the .exe file at any PC. Do I have to change the security settings?
Title: rundll32.exe missing
Post by: guestolo on December 07, 2004, 09:32:45 PM
Quote
If you have trouble with the link, just right click on it and copy the shortcut and paste it in IE's address bar and hit GO
Title: rundll32.exe missing
Post by: queenshawtii on December 08, 2004, 03:47:11 PM
When I do that I still get the message that my security settings do not allow this file to be downloaded....I'll try on another PC that I have downstairs
Title: rundll32.exe missing
Post by: Guest_guest on December 12, 2004, 09:04:28 PM
hey guestolo I'm having kinda the same problem...I have tried everything that u have said earlier. is there any way that I can do a system restore command line like u said u could do? but my computer can't find rundll32.exe or explorer.exe..please help
Title: rundll32.exe missing
Post by: Guest on December 12, 2004, 09:33:56 PM
Logfile of HijackThis v1.98.2
Scan saved at 7:45:03 PM, on 12/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.big-boys.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=153472
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.big-boys.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=sas.se1.attbb.net:8000;gopher=sas.se1.attbb.net:8000;http=sas.se1.attbb.net:8000;https=sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\mjdarby\Application Data\Mozilla\Profiles\default\o2hnjsts.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\mjdarby\Application Data\Mozilla\Profiles\default\o2hnjsts.slt\prefs.js)
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\m3tsp8.dll (file missing)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll (file missing)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: TChkBHO Class - {114D3CF7-0E70-4C62-851F-E019A0C5DF45} - C:\WINDOWS\SYSTEM32\ggdiooz.dll
O2 - BHO: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CSBHO Class - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\COMETS~1\Platform\Bin\csbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\COMETS~1\Platform\Bin\csietb.dll (file missing)
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [wfwvmjux] C:\WINDOWS\wfwvmjux.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - Startup: Mercora Network.lnk = C:\Program Files\Mercora\MercoraClient.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\AdDestroyerInner.EXE
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: service.bfaast.com
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_286.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031016/akamai.info.apple.com/iTunes4/WW/win/061-0848.20031022.TtzS4/iTunesSetup.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.victechsoftware.com/iftwinst/iftwclix.cab
O16 - DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} (printQuick Browser Add In (Ver4)) - http://www.pqpc.com/plugin/axversion/1410/printQuick1410.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/052b8bea235ec27e1605/netzip/RdxIE6.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {6F3D49A9-8DC8-4566-BF95-9A7776C56F8B} - http://rssexplorer.planet-hood.com/PlanetNews.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://prod1.centra.com/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{11FC3F27-FA4B-4A27-910E-9A2E42F68ADF}: NameServer = 205.152.37.254,205.152.144.235
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

this is my hijack this log..i think i have got my computer fixed..thnx
Title: rundll32.exe missing
Post by: .s1 on December 12, 2004, 11:12:54 PM
As if I didn't have enough problems, it seems none of these images are working either.... But hopefully you get the idea



Hi,

First off let me just mention that I am anything but computer illiterate, but this problem is getting even the better of me.

- I'm having the same problem as everyone in the past 3 pages.
I have tried the fix.zip, I have tried the expand thru start >run as well as thru the command prompt, I have scanned with that virus thingy, found nothing. I scanned with the symantec.com virus scanner, nothing. Hell, I even downloaded the friggin rundll32.exe itself, added it to windows & windows\sys32 (overwrote in both areas), restarted my computer and same thing.

Before & After restart
(http://s1pwnsyou.camaroz.net/error.jpg) - Error shown here; Same one as everyone else

Only way to open ICONS

- Icons (http://s1pwnsyou.camaroz.net/testmy/icons.jpg)
- Icons 2 (http://s1pwnsyou.camaroz.net/testmy/icons2.jpg)
- Icons 3 (http://s1pwnsyou.camaroz.net/testmy/icons3.jpg)
- Icons 4 (http://s1pwnsyou.camaroz.net/testmy/icons4.jpg)

[ Text Version ]

Right click on the icon, click "run as" then UNCHECK the

"Protect my computer and data from unauthorized program activity.
This option can prevent computer viruses from harming your computer or personal data, but selecting it might cause the program to function improperly. "

[ / Text Version ]

But as far as opening add/remove programs or anything else that may be "important" I'm screwed.

I'll post my findings from that 1 virus scan place, as well as hijack.

Virus Scanner

Scan started at 12/12/2004 10:12:25 PM
 
Scanning memory...
Scanning boot sectors...
Scanning files...

Scanned
============================
   Objects: 31384
   Directories: 2211
   Archives: 6284
   Size(Kb): -963095
   Infected files: 0

Found
============================
   Viruses found: 0
   Suspicious files: 0
   Disinfected files: 0
   Mail files: 134




Hijack

Logfile of HijackThis v1.98.2
Scan saved at 10:19:33 PM, on 12/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\----- HUB ------\yhub386f\YHub.exe
C:\Program Files\Samurize\Client.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Multimedia\BSPlayer\bsplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Globe Software\StatBar\StatBar.exe
C:\Documents and Settings\.s1\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "D:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
O4 - Startup: Shortcut to YHub.lnk = D:\----- HUB ------\yhub386f\YHub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
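
An added example, not part of the original post and not code from HijackThis: a short Python parser that pulls out of a HijackThis log the O4 registry autostart entries launched through rundll32.exe, which are the startup items that cannot run while that file is missing. The sample lines are copied from the log above; the function and field names are this example's own.

```python
import ntpath
import re

# O4 autostart lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
'''

# "O4 - HKLM\..\Run: [Name] command line" (also matches RunOnce etc.)
RUN_LINE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$')
# rundll32 argument: <dll>,<export> where the dll path may be quoted
DLL_ARG = re.compile(r'^(?:"([^"]+)"|([^,"]+?))\s*,\s*(\S+)')

def split_command(cmd):
    """Return (first token, remainder); the first token may be quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ''
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(' ')
    return head, tail.strip()

def rundll32_autostarts(log_text):
    """List registry Run entries whose launcher is rundll32.exe."""
    found = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # not a registry Run entry (e.g. Startup-folder .lnk)
        hive, key, name, command = m.groups()
        exe, rest = split_command(command)
        if ntpath.basename(exe).lower() not in ('rundll32.exe', 'rundll32'):
            continue
        arg = DLL_ARG.match(rest)
        # normpath collapses the doubled backslash seen in the DeadAIM entry
        dll = ntpath.normpath(arg.group(1) or arg.group(2)) if arg else None
        found.append({'hive': hive, 'key': key, 'name': name, 'dll': dll,
                      'export': arg.group(3) if arg else None})
    return found

if __name__ == '__main__':
    for entry in rundll32_autostarts(SAMPLE_LOG):
        print(entry)
```
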
Title: rundll32.exe missing
Post by: .s1 on December 12, 2004, 11:18:28 PM
^ word ... lol registered now.
Title: rundll32.exe missing
Post by: guestolo on December 12, 2004, 11:47:08 PM
Hi .s1, is that your Hijackthis log above?
What is the exact error message you're getting, I believe the other users couldn't run .exe files
I see you posted a hijackthis log, so that's not it
Also look in your C:\WINDOWS\system32 folder
Do you see rundll32.exe?
What other files do you see that begin with run

Would you be able to start a fresh topic in this forum and post your log
May not be as confusing

Whoever posted as GUEST
I see a lot of problems in your log
Let me know what spyware removal tools you're using...
I have links to some, don't go download the first one you see

Please start your own topic, thanks
Title: rundll32.exe missing
Post by: RobertMfromLI on September 21, 2009, 09:56:53 PM
[quote name='guestolo' post='16954' date='Nov 20 2004, 04:02 PM']Let's try this method
Download this Zipped file xp_fileassoc.zip (http://www.dougknox.com/xp/fileassoc/xp_fileassoc.zip)
UNZIP it to your desktop and Double click on the
xp_fileassoc.bat to run it
Follow the prompts

RESTART your computer afterwards[/quote]

Guestolo,

Thank you... the two files you pointed out did the trick for me. I'd already removed the pesky menace that caused the problem and was left with the registry & association damage.

Thanks again!
Robert
Title: rundll32.exe missing
Post by: guestolo on September 21, 2009, 10:06:47 PM
Good work, may I suggest that you post a Hijackthis log, start a new topic to post it
Here are the instructions
http://www.thetechguide.com/forum/index.php?showtopic=22942

There may be leftovers, it's up to you RobertMfromLI
But it may not be a bad idea, I'll look at it first chance I can

but since this topic is so old, I'll now lock it