sikshot

msiexec.exe in taskmanager

9 posts in this topic

Lately I have had "Windows XP Installer Standard for Students and Teachers" popping up each time I open an Internet Explorer window or even when I'm just on the net; it's obviously a fake program. I noticed that the process "msiexec.exe" pops up in the Task Manager when the installer comes up.

 

I ran HijackThis, Norton 2004 (53 items detected that Ad-Aware didn't find), and Ad-Aware, and none of them got rid of this spyware. I forgot to run CWShredder, but when I did... it removed "CWS.Bootconf" and the problem no longer exists. But I'm still convinced I have some spyware on my computer: I get random popups that start out as redirecting addresses that then pop up dating sites, eBay, etc. Also, I have that res://random.dll thing. Here is my log; take a look-see for anything out of the ordinary. Obviously the res://random.dll is present....

 

Logfile of HijackThis v1.97.7

Scan saved at 6:18:09 PM, on 6/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrator\Desktop\Hi-Jack This\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://apghr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\apghr.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://apghr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\apghr.dll/sp.html#96676

O1 - Hosts: 69.20.16.183 ieautosearch

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iWon Messenger Pipe] C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

O4 - HKLM\..\Run: [zsysdll32.dll] C:\WINDOWS\system\sysdll32.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [AutoLoadero0p71NPgLIPN] "C:\WINDOWS\System32\ifsimg.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [o76h33S] ifsimg.exe

O4 - HKLM\..\Run: [crlg.exe] C:\WINDOWS\crlg.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Personal Coach.lnk = ?

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab27571.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab

O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...are/install.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab27571.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28177.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?319

 

Any help would be much appreciated :D


Bump. CWShredder actually removed something else; the Office Installer still remains. I just updated Ad-Aware to the new reference file as well, and it detected a crap-load of stuff, but still the res://random.dll and Office Installer remain. Yarh! I understand that you guys are busy and I'm doing my best to try and figure out how to remove this too...


New here, so let me try to help:

 

First, it looks like you got a trojan, Backdoor.g

http://securityresponse.symantec.com/avcen...oor.g_door.html

 

which is the following line:

 

"O4 - HKLM\..\Run: [zsysdll32.dll] C:\WINDOWS\system\sysdll32.exe"

 

 

 

The following lines I have no clue about, except PowerDVD. Which is support for the PowerDVD remote control, if you use it, leave it. (O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe) If not, I guess you can take it out, though it probably won't help your current problem.

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

 

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [AutoLoadero0p71NPgLIPN] "C:\WINDOWS\System32\ifsimg.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [o76h33S] ifsimg.exe

O4 - HKLM\..\Run: [crlg.exe] C:\WINDOWS\crlg.exe

 

With all the recent HijackThis logs and such, it's gotten increasingly hard to find what a certain file does using Google, so I'm sorry I cannot help too much. However, it's probably a good idea to get rid of that trojan first, as it seems to be the easiest problem to solve. Also, not sure what drive E is on your comp (local hard drive, or optical drive), but a setup file running all the time at startup sounds suspicious.

 

Try running

 

Spybot S&D: http://www.safer-networking.org/en/download/index.html

Adaware : http://www.lavasoft.de/support/download/

 

 

Now to the problem with the darn installer files:

 

I have just finished a two day bout at my work (student PC tech) trying to fix someone's computer with a similar problem. What I noticed was that in the Event Log of Windows (if you got Windows XP, right-click MY COMPUTER-->Manage, and Event Viewer is there) under Application events, was that every time the Installer launched it was looking for HandWritingFiles, which if I remember correctly is part of Microsoft Office, and another file. For someone else on the internet, it was ctfmon.exe, for me it was kbd**.dll (forget the rest), both of which are Windows XP system files.

 

I tried doing the following things, in order:

 

1. Repair Office (crash after looking for Windows XP CD to restore system files, even though I put in the right CD)

2. Ran System File Checker (command prompt--> sfc /purgecache, then sfc /scannow). Same error with the incorrect WinXP CD, even though I had the right one.

3. Reinstall Office went further than repair, but ended up with same error.

4. Repair (basically, reinstall) Windows XP Pro. Had some odd Entry Point not Found error during installation finalization, about something not being found in wpad.dll. Had to press OK about 50+ times, no kidding.

After Windows XP reinstalled, I must note that the Windows XP Installer messages when opening Internet Explorer went away. But the Office XP messages stayed.

 

For you others reading this, what basically happens for the lot of us with this problem is that every time you open IE or any Microsoft Office app (and/or Project and Visio), three windows pop up.

 

1. One saying it's going to install some Windows component/file

2. Then after that it needs the XP CD because it (the comp) realizes there's system file corruption/changes

3. A last one for Office XP.

 

As far as I can guess, the second is looking for some Windows system file which got moved; in the two cases I've seen, they were ctfmon and some kbd*.dll. The third is the MS Office HandWritingFiles bit, which is some component rather than a file. The guy with the ctfmon.exe problem found all he had to do was move ctfmon.exe into the place the installer was saying it was looking for it (but couldn't find it), and everything got better. I did not have such luck, as my kbd file was already there.

 

here's the ctfmon.exe story: http://www.computercops.biz/postp220268.html

 

Since this was a company I was working for, I couldn't afford to spend so much time on one problem, so I ended up re-formatting and re-installing windows to save time. Thank god that worked. Made sure not to save any settings.

Edited by Helliax


I sure hope someone figures this out. Anyhow, here's all the info I gathered:

 

1. The installer info as posted in previous post.

2. There would be gigantic memory leaks/hang-ups/something. msiexec and svchost would be at 40+ MB of physical RAM usage, along with explorer sometimes. (when trying to reinstall stuff, or doing two things at once after opening and initiating the installer mess)

3. It was also infected with the blasted CWS sp.html hack. The one that doesn't go away no matter how many times you delete the actual html file or reg entries from HijackThis. Though that wasn't the root of the problem with the installers.

4. Windows Reinstall hung up during the second to last stage (right before Finalizing Installation), and during the last bit of the installation. (The Entry Point not found error)

 

Basically, I am guessing whatever this is screwed over the system files bad.

 

I am so glad the worst that's ever happened to my computer was some crap that made me delete all the registry entries for my programs like a system restore would, making me reinstall everything. Thank GOD. If you need any help, or if you ever figure this problem out, don't hesitate to contact me via email, at helli[DARN$PAM]ax@gmail.com


I ended up just deleting the msiexec.exe file from the System32 folder, then realized it's actually needed for InstallShield Wizard to work to install things. Even though I deleted it the window would still pop up real quick then go away; I wouldn't have to click cancel a bunch of times.

 

Once I figured out that, that file was needed to install things I got a copy from a friend and I put it back and the problem persists :(

 

still need help!


I made a backup of the msiexec.exe file in case I need to install something that uses the InstallShield Wizard, but even though I deleted the file out of the system32 folder, when I start Internet Explorer I can still see the program trying to run but it disappears so quick it's hard to notice. The virus/malware is still there but can't work without the file.

 

Logfile of HijackThis v1.98.2

Scan saved at 3:19:19 PM, on 8/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Common Files\Symantec Shared\NMain.exe

C:\PROGRA~1\NORTON~1\navw32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Victoria\My Documents\Hi-Jack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ccwef.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iwon.com/?v=1

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {39AC377E-E21B-20CA-D558-675579A92A38} - C:\WINDOWS\System32\ngf.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [iWon Messenger Pipe] C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [netpl32.exe] C:\WINDOWS\netpl32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Personal Coach.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: (no name) - {0A5B96BC-04AC-42C7-A81D-2E2FF6042210} - (no file)

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O9 - Extra button: Microsoft® JavaScript® Console - {2FFB6C21-E4DB-4A98-866B-448953DA5FC2} - C:\WINDOWS\System32\COMDLG32.OCX

O9 - Extra 'Tools' menuitem: JavaScript Console - {2FFB6C21-E4DB-4A98-866B-448953DA5FC2} - C:\WINDOWS\System32\COMDLG32.OCX

O9 - Extra button: (no name) - {3A120552-BC1E-4055-9BF1-3873C5DE44BC} - (no file)

O9 - Extra button: (no name) - {3D2FC6FB-51E5-4FCB-A458-246FFF86B262} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll

O9 - Extra button: (no name) - {572868E2-D56B-40E0-AC6E-C1394AA7B079} - (no file)

O9 - Extra button: (no name) - {6404EA16-7747-462B-9D5B-1D231BDC5126} - (no file)

O9 - Extra button: (no name) - {738BB284-004B-4377-8596-5199D4BAB82E} - (no file)

O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: (no name) - {BEA74690-B37E-4D66-BD36-8F1303C7C80F} - (no file)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {CF5216C9-7D31-48F1-90B8-D6685F999A35} - (no file)

O9 - Extra button: Microsoft® JavaScript® Console - {D3F26D81-3D46-4F2B-8514-433FB54DBD3A} - C:\WINDOWS\System32\COMDLG32.OCX

O9 - Extra 'Tools' menuitem: JavaScript Console - {D3F26D81-3D46-4F2B-8514-433FB54DBD3A} - C:\WINDOWS\System32\COMDLG32.OCX

O9 - Extra button: (no name) - {DDEC582D-9BFB-412C-9AEE-871F8AFD46E5} - (no file)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Microsoft® JavaScript® Console - {E4B555B5-9746-4909-95D7-30862F71EA70} - C:\WINDOWS\System32\COMDLG32.OCX

O9 - Extra button: (no name) - {E5E4E74E-23B3-48DE-8F82-E838634FE491} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab27571.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...are/install.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab27571.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28177.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?319

Edited by sikshot


check and fix the following with hijackthis.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ccwef.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iwon.com/?v=1

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {39AC377E-E21B-20CA-D558-675579A92A38} - C:\WINDOWS\System32\ngf.dll

O4 - HKLM\..\Run: [netpl32.exe] C:\WINDOWS\netpl32.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: (no name) - {0A5B96BC-04AC-42C7-A81D-2E2FF6042210} - (no file)

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O9 - Extra button: Microsoft® JavaScript® Console - {2FFB6C21-E4DB-4A98-866B-448953DA5FC2} - C:\WINDOWS\System32\COMDLG32.OCX

O9 - Extra 'Tools' menuitem: JavaScript Console - {2FFB6C21-E4DB-4A98-866B-448953DA5FC2} - C:\WINDOWS\System32\COMDLG32.OCX

O9 - Extra button: (no name) - {3A120552-BC1E-4055-9BF1-3873C5DE44BC} - (no file)

O9 - Extra button: (no name) - {3D2FC6FB-51E5-4FCB-A458-246FFF86B262} - (no file)

O9 - Extra button: (no name) - {572868E2-D56B-40E0-AC6E-C1394AA7B079} - (no file)

O9 - Extra button: (no name) - {6404EA16-7747-462B-9D5B-1D231BDC5126} - (no file)

O9 - Extra button: (no name) - {738BB284-004B-4377-8596-5199D4BAB82E} - (no file)

O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file)

O9 - Extra button: (no name) - {BEA74690-B37E-4D66-BD36-8F1303C7C80F} - (no file)

O9 - Extra button: (no name) - {CF5216C9-7D31-48F1-90B8-D6685F999A35} - (no file)

O9 - Extra button: Microsoft® JavaScript® Console - {D3F26D81-3D46-4F2B-8514-433FB54DBD3A} - C:\WINDOWS\System32\COMDLG32.OCX

O9 - Extra 'Tools' menuitem: JavaScript Console - {D3F26D81-3D46-4F2B-8514-433FB54DBD3A} - C:\WINDOWS\System32\COMDLG32.OCX

O9 - Extra button: (no name) - {DDEC582D-9BFB-412C-9AEE-871F8AFD46E5} - (no file)

O9 - Extra button: Microsoft® JavaScript® Console - {E4B555B5-9746-4909-95D7-30862F71EA70} - C:\WINDOWS\System32\COMDLG32.OCX

O9 - Extra button: (no name) - {E5E4E74E-23B3-48DE-8F82-E838634FE491} - (no file)

 

reboot and post a new log.
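
The kinds of entries singled out in the reply above can be picked out of a HijackThis log mechanically. The following is an added example, not part of any post in this thread: a small triage script whose rules (res:// page settings, a missing URLSearchHook, non-loopback Hosts lines, unnamed BHOs, O9 entries with an absent file) are assumptions drawn from the lines discussed here, and a hit is a lead to investigate rather than a verdict.

```python
import re

# Lines taken from the two HijackThis logs posted in this thread, trimmed to a
# small sample so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ccwef.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {39AC377E-E21B-20CA-D558-675579A92A38} - C:\WINDOWS\System32\ngf.dll
O4 - HKLM\..\Run: [netpl32.exe] C:\WINDOWS\netpl32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O9 - Extra button: (no name) - {0A5B96BC-04AC-42C7-A81D-2E2FF6042210} - (no file)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
"""

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_entries(log_text):
    """Yield (code, detail) per entry line; headers and process paths are skipped."""
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            yield match.group(1), match.group(2)


def classify(code, detail):
    """Return a reason string when an entry matches a triage rule, else None."""
    if code in ("R0", "R1"):
        # Start/search page values normally hold a URL, not a DLL resource.
        _, sep, value = detail.partition(" = ")
        if sep and value.strip().lower().startswith("res://"):
            return "IE page setting is served from a DLL resource (res://)"
    elif code == "R3" and detail.endswith("is missing"):
        return "URLSearchHook registration is missing"
    elif code == "O1":
        hosts = HOSTS_RE.match(detail)
        if hosts and hosts.group(1) not in LOOPBACK:
            return "hosts file sends %s to %s" % (hosts.group(2), hosts.group(1))
    elif code == "O2" and detail.startswith("BHO: (no name)"):
        return "browser helper object with no registered name"
    elif code == "O9" and detail.endswith(("(no file)", "(file missing)")):
        return "IE button/menu entry whose file is absent"
    return None


def triage(log_text):
    """Return [(code, reason, detail)] for entries worth a closer look."""
    findings = []
    for code, detail in parse_entries(log_text):
        reason = classify(code, detail)
        if reason:
            findings.append((code, reason, detail))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print("%-3s %s\n    %s" % (code, reason, detail))
```

The O8 Google Toolbar line also uses res:// and is deliberately not flagged, and the O4 `netpl32.exe` line is not caught by any rule here, so a clean result from these rules does not clear a log.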