TheTechGuide Forum
General Category => Tech Clinic => Topic started by: evelyn_is_not_real on May 07, 2005, 09:27:32 AM
-
Need some help here. i downloaded Bearshare yesterday and since then, i have many, many problems.
i really don't wanna get rid of Bearshare and am in hopes there is a way i can work around that.
So far, here are the errors:
Pop-ups!
Runtime error: C:\\WINNT\DR10.exe
Runtime error: C:\\WINNT\SYSTEM32.psoft1.exe
wintask.exe (error in startup)
exp.exe (error in startup)
Am unable to bring up Yahoo Messenger & am also unable to remove the program.
i continuously run Ad-aware, but apparently there is a hidden program. Everyime i run this, i get like 400+ bugs.
ANY help would be greatly appreciated.
Thanks!
evie
-
This is the Hi-jack log:
Logfile of HijackThis v1.99.1
Scan saved at 10:49:10 AM, on 5/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\exp.exe
C:\WINNT\system32\atmusr.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\stostmib.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinZip\WINZIP32.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com (http://\"http://www.insightbb.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr51.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SAClient] C:\Program Files\Insight\BBClient\Programs\RegCon.exe /admincheck
O4 - HKLM\..\Run: [SAUpdate] C:\Program Files\Insight\BBClient\Programs\SAUpdate.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSoft1] C:\WINNT\system32\psoft1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINNT\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [wlhnmmir] c:\winnt\system32\wlhnmmir.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitexdx32.exe
O4 - HKLM\..\Run: [ps4V33X] atmusr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [YBv9RTbsW] stostmib.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/dt0_x.cab\")
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/st2_x.cab\")
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
-
Can you do the following please, with the installation of the free version of Bearshare
You get the added bonus of a whole bunch of Spyware on your computer
Your decision to keep it.....
But now we have to try and remove the crap
Download and Install Spybot S&D 1.3 (http://\"http://software-files.download.com/sd/U9WdtNHVsxUv2WGL1XkoQGNGa5cPAla5vJV-BgUvdpDls4nRFYzrtpfTF0V4kkH-LH6zpBTLwR-bdIA1EFsE86gKvtgEcT5q/c1/dl/software/cache/spybotsd13.exe\")
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
After Spybot is updated, don't run a scan yet, we will in a bit
Also, download and UNZIP to desktop LQFix.zip, so you now have LQFix.bat on your desktop
We'll need this in a bit
[attachment=204:attachment]
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
Close down all browser windows
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr51.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSoft1] C:\WINNT\system32\psoft1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINNT\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [wlhnmmir] c:\winnt\system32\wlhnmmir.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitexdx32.exe
O4 - HKLM\..\Run: [ps4V33X] atmusr.exe
O4 - HKCU\..\Run: [YBv9RTbsW] stostmib.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
In safe mode
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Using Windows Explore, Find and delete these files or folders if found, just delete the exact file names
C:\WINNT\system32\exp.exe <-file
C:\WINNT\system32\atmusr.exe
C:\WINNT\system32\stostmib.exe
C:\WINNT\system32\psoft1.exe
C:\WINNT\system32\wintask.exe
C:\winnt\system32\elitexdx32.exe
c:\winnt\system32\wlhnmmir.exe
C:\WINNT\cfgmgr51.dll
Stay in safe mode and do a disk cleanup
START>>RUN>>type in cleanmgr
Hit OK
Ensure Temp folders are checked and Recycle bin
Double click on LQFix.bat
A dos window will open and close quickly, this is normal
Open Spybot
Click the Search & Destroy button on the left
On the Right
Check for Problems---When the Scan is complete
FIX all selected promblems in RED
RESTART the computer back to Normal mode afterwards
Run another scan with Hijackthis and post back the fresh log
-
Thank you for your help.
In doing this, i was unable to delete two files (they were not available):
C:\\winnt\system32\wlhnmmir.exe &
C:\\winnt\system32\cfgmgr51.dll
below is the new hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:11:58 AM, on 5/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com (http://\"http://www.insightbb.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SAClient] C:\Program Files\Insight\BBClient\Programs\RegCon.exe /admincheck
O4 - HKLM\..\Run: [SAUpdate] C:\Program Files\Insight\BBClient\Programs\SAUpdate.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/dt0_x.cab\")
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/st2_x.cab\")
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
-
That's looking better, but we still may have some cleaning to do
I don't see your running any Anti-Virus software on your computer
If you have yours disabled, please reenable it and run a full system scan
If you don't have your own and need a free solution
I very much recommend that you download and install the free version of AVG 7
from this link
http://free.grisoft.com/doc/2/lng/us/tpl/v5 (http://\"http://free.grisoft.com/doc/2/lng/us/tpl/v5\")
Scroll down and click on the download link
AVG Free Edition installation files
File Version
avg70free_308a468.exe <-this link
Save the installer to desktop and then double click to install
After installation ensure it is fully updated and run a full system scan
Let it fix what it finds
When it's done, restart your computer and post a fresh hijackthis log and let me know how things are running
-
Well shoot! When i restarted the computer, i had the following errors:
svchost.exe
ypager.exe
Cannot open DrWatson log file
Here is the HijackThis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 10:44:14 AM, on 5/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\svchost.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com (http://\"http://www.insightbb.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SAClient] C:\Program Files\Insight\BBClient\Programs\RegCon.exe /admincheck
O4 - HKLM\..\Run: [SAUpdate] C:\Program Files\Insight\BBClient\Programs\SAUpdate.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/dt0_x.cab\")
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/st2_x.cab\")
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
-
Can you disable Yahoo messenger on startup and see if the error goes away
Look within Yahoo messenger and see if there is an option to disable it on startup
Also, because Hijackthis makes backups and you can start this manually
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart the computer
If you get any Error messages on startup let me know the exact error