msiexec.exe in taskmanager

8 replies to this topic

#1 sikshot

    K-Mang

  • Full Member
  • 20 posts

Posted 26 June 2004 - 10:29 PM

Lately I have had "Windows XP Installer Standard for Students and Teachers" popping up each time I open an Internet Explorer window or even when I'm just on the net; it's obviously a fake program. I noticed that the process "msiexec.exe" pops up in the Task Manager when the installer comes up.

I ran HijackThis, Norton 2004 (53 items detected that Ad-Aware didn't find), and Ad-Aware, and none of them got rid of this spyware. I forgot to run CWShredder, but when I did, it removed "CWS.Bootconf" and the problem no longer exists. But I'm still convinced I have some spyware on my computer: I get random popups that start out as redirecting addresses and then pop up dating sites, eBay, etc., and I also have that res://random.dll thing. Here is my log; take a look-see for anything out of the ordinary, though obviously the res://random.dll is present....

Logfile of HijackThis v1.97.7
Scan saved at 6:18:09 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\Hi-Jack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://apghr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\apghr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://apghr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\apghr.dll/sp.html#96676
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iWon Messenger Pipe] C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [zsysdll32.dll] C:\WINDOWS\system\sysdll32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AutoLoadero0p71NPgLIPN] "C:\WINDOWS\System32\ifsimg.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [o76h33S] ifsimg.exe
O4 - HKLM\..\Run: [crlg.exe] C:\WINDOWS\crlg.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Personal Coach.lnk = ?
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28177.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...are/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab27571.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab28177.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319

Any help would be much appreciated :D

#2 sikshot

    K-Mang

  • Full Member
  • 20 posts

Posted 27 June 2004 - 12:03 AM

Bump. CWShredder actually removed something else; the Office Installer still remains. I just updated Ad-Aware to the new reference file as well, and it detected a crap-load of stuff, but still the res://random.dll and Office Installer remain. Yarh! I understand that you guys are busy, and I'm doing my best to try and figure out how to remove this too...

#3 sikshot

    K-Mang

  • Full Member
  • 20 posts

Posted 30 June 2004 - 02:58 PM

It has been 4 days and no help yet :(

#4 Helliax

    Member

  • New Member
  • 2 posts

Posted 14 July 2004 - 10:57 PM

New here, so let me try to help:

First, it looks like you got a trojan, Backdoor.g
http://securityrespo...oor.g_door.html

which is the following line:

"O4 - HKLM\..\Run: [zsysdll32.dll] C:\WINDOWS\system\sysdll32.exe"



The following lines I have no clue about, except PowerDVD, which is support for the PowerDVD remote control; if you use it, leave it. (O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe) If not, I guess you can take it out, though it probably won't help your current problem.

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AutoLoadero0p71NPgLIPN] "C:\WINDOWS\System32\ifsimg.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [o76h33S] ifsimg.exe
O4 - HKLM\..\Run: [crlg.exe] C:\WINDOWS\crlg.exe


With all the recent HijackThis logs and such, it's gotten increasingly hard to find what a certain file does using Google, so I'm sorry I cannot help too much. However, it's probably a good idea to get rid of that trojan first, as it seems to be the easiest problem to solve. Also, not sure what drive E is on your comp (local hard drive or optical drive), but a setup file running all the time at startup sounds suspicious.

Try running

Spybot S&D: http://www.safer-net...load/index.html
Ad-Aware: http://www.lavasoft....pport/download/


Now to the problem with the darn installer files:

I have just finished a two-day bout at my work (student PC tech) trying to fix someone's computer with a similar problem. What I noticed was that in the Event Log of Windows (if you've got Windows XP, right-click My Computer --> Manage, and Event Viewer is there), under Application events, every time the Installer launched it was looking for HandWritingFiles, which if I remember correctly is part of Microsoft Office, and another file. For someone else on the internet it was ctfmon.exe; for me it was kbd**.dll (forget the rest), both of which are Windows XP system files.

I tried doing the following things, in order:

1. Repair Office (crash after looking for the Windows XP CD to restore system files, even though I put in the right CD)
2. Ran System File Checker (command prompt --> sfc /purgecache, then sfc /scannow). Same error with the incorrect WinXP CD, even though I had the right one.
3. Reinstall Office went further than repair, but ended up with the same error.
4. Repair (basically, reinstall) Windows XP Pro. Had some odd "Entry Point Not Found" error during installation finalization, about something not being found in wpad.dll. Had to press OK about 50+ times, no kidding.
After Windows XP reinstalled, I must note that the Windows XP Installer messages when opening Internet Explorer went away. But the Office XP messages stayed.

For you others reading this, what basically happens for the lot of us with this problem is that every time you open IE or any Microsoft Office app (and/or Project and Visio), three windows pop up.

1. One saying it's going to install some Windows component/file
2. Then after that it needs the XP CD because it (the comp) realizes there's system file corruption/changes
3. A last one for Office XP.

As far as I can guess, the second is looking for some Windows system file which got moved; in the two cases I've seen, they were ctfmon and some kbd*.dll. The third is the MS Office HandWritingFiles bit, which is some component rather than a file. The guy with the ctfmon.exe problem found all he had to do was move ctfmon.exe into the place the installer was saying it was looking for it (but couldn't find it), and everything got better. I did not have such luck, as my kbd file was already there.

Here's the ctfmon.exe story: http://www.computerc...ostp220268.html

Since this was a company I was working for, I couldn't afford to spend so much time on one problem, so I ended up re-formatting and re-installing windows to save time. Thank god that worked. Made sure not to save any settings.

Edited by Helliax, 14 July 2004 - 10:59 PM.


#5 Helliax

    Member

  • New Member
  • 2 posts

Posted 14 July 2004 - 11:11 PM

I sure hope someone figures this out. Anyhow, here's all the info I gathered:

1. The installer info as posted in the previous post.
2. There would be gigantic memory leaks/hang-ups/something. msiexec and svchost would be at 40+ MB of physical RAM usage, along with explorer sometimes (when trying to reinstall stuff, or doing two things at once after opening and initiating the installer mess).
3. It was also infected with the blasted CWS sp.html hack, the one that doesn't go away no matter how many times you delete the actual HTML file or reg entries from HijackThis. Though that wasn't the root of the problem with the installers.
4. Windows reinstall hung up during the second-to-last stage (right before Finalizing Installation), and during the last bit of the installation (the "Entry Point Not Found" error).

Basically, I am guessing whatever this is screwed over the system files bad.

I am so glad the worst that's ever happened to my computer was some crap that made me delete all the registry entries for my programs like a system restore would, making me reinstall everything. Thank GOD. If you need any help, or if you ever figure this problem out, don't hesitate to contact me via email, at helli[DARN$PAM]ax@gmail.com

#6 sikshot

    K-Mang

  • Full Member
  • 20 posts

Posted 12 August 2004 - 08:00 PM

I ended up just deleting the msiexec.exe file from the System32 folder, then realized it's actually needed for the InstallShield Wizard to work to install things. Even though I deleted it, the window would still pop up real quick then go away; I wouldn't have to click Cancel a bunch of times.

Once I figured out that that file was needed to install things, I got a copy from a friend and I put it back, and the problem persists :(

Still need help!

#7 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 12 August 2004 - 08:03 PM

Can you update your copy of HijackThis and repost it please? Newest version is 198.2.



#8 sikshot

    K-Mang

  • Full Member
  • 20 posts

Posted 24 August 2004 - 06:20 PM

I made a backup of the msiexec.exe file in case I need to install something that uses the InstallShield Wizard, but even though I deleted the file out of the system32 folder, when I start Internet Explorer I can still see the program trying to run, but it disappears so quickly it's hard to notice. The virus/malware is still there but can't work without the file.

Logfile of HijackThis v1.98.2
Scan saved at 3:19:19 PM, on 8/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Victoria\My Documents\Hi-Jack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ccwef.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iwon.com/?v=1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {39AC377E-E21B-20CA-D558-675579A92A38} - C:\WINDOWS\System32\ngf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iWon Messenger Pipe] C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [netpl32.exe] C:\WINDOWS\netpl32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {0A5B96BC-04AC-42C7-A81D-2E2FF6042210} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Microsoft® JavaScript® Console - {2FFB6C21-E4DB-4A98-866B-448953DA5FC2} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {2FFB6C21-E4DB-4A98-866B-448953DA5FC2} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {3A120552-BC1E-4055-9BF1-3873C5DE44BC} - (no file)
O9 - Extra button: (no name) - {3D2FC6FB-51E5-4FCB-A458-246FFF86B262} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: (no name) - {572868E2-D56B-40E0-AC6E-C1394AA7B079} - (no file)
O9 - Extra button: (no name) - {6404EA16-7747-462B-9D5B-1D231BDC5126} - (no file)
O9 - Extra button: (no name) - {738BB284-004B-4377-8596-5199D4BAB82E} - (no file)
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {BEA74690-B37E-4D66-BD36-8F1303C7C80F} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {CF5216C9-7D31-48F1-90B8-D6685F999A35} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {D3F26D81-3D46-4F2B-8514-433FB54DBD3A} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {D3F26D81-3D46-4F2B-8514-433FB54DBD3A} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {DDEC582D-9BFB-412C-9AEE-871F8AFD46E5} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Microsoft® JavaScript® Console - {E4B555B5-9746-4909-95D7-30862F71EA70} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {E5E4E74E-23B3-48DE-8F82-E838634FE491} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28177.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...are/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab27571.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab28177.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319

Edited by sikshot, 24 August 2004 - 06:21 PM.


#9 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 24 August 2004 - 07:39 PM

Check and fix the following with HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ccwef.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iwon.com/?v=1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {39AC377E-E21B-20CA-D558-675579A92A38} - C:\WINDOWS\System32\ngf.dll
O4 - HKLM\..\Run: [netpl32.exe] C:\WINDOWS\netpl32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {0A5B96BC-04AC-42C7-A81D-2E2FF6042210} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Microsoft® JavaScript® Console - {2FFB6C21-E4DB-4A98-866B-448953DA5FC2} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {2FFB6C21-E4DB-4A98-866B-448953DA5FC2} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {3A120552-BC1E-4055-9BF1-3873C5DE44BC} - (no file)
O9 - Extra button: (no name) - {3D2FC6FB-51E5-4FCB-A458-246FFF86B262} - (no file)
O9 - Extra button: (no name) - {572868E2-D56B-40E0-AC6E-C1394AA7B079} - (no file)
O9 - Extra button: (no name) - {6404EA16-7747-462B-9D5B-1D231BDC5126} - (no file)
O9 - Extra button: (no name) - {738BB284-004B-4377-8596-5199D4BAB82E} - (no file)
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file)
O9 - Extra button: (no name) - {BEA74690-B37E-4D66-BD36-8F1303C7C80F} - (no file)
O9 - Extra button: (no name) - {CF5216C9-7D31-48F1-90B8-D6685F999A35} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {D3F26D81-3D46-4F2B-8514-433FB54DBD3A} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {D3F26D81-3D46-4F2B-8514-433FB54DBD3A} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {DDEC582D-9BFB-412C-9AEE-871F8AFD46E5} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {E4B555B5-9746-4909-95D7-30862F71EA70} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {E5E4E74E-23B3-48DE-8F82-E838634FE491} - (no file)

Reboot and post a new log.
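The list above is what a reviewer picks out of a HijackThis log by eye: R0/R1 start and search pages pointing at a res:// page inside a local DLL, a removed URLSearchHook, an unnamed BHO, an autorun launched straight from the Windows directory, and O9 buttons whose file is gone. As an added example that is not part of this thread and not HijackThis's own code, here is a small Python script that applies those same checks mechanically, so a log can be pre-screened before a human looks at it. The heuristics (including the hosts-file rule from the first log) are my own assumptions, not HijackThis's rules, and the sample lines are copied from the logs posted above with two benign entries added for contrast.

```python
"""Pre-screen a HijackThis log for the indicators discussed in this thread.

Added example; the rules are the author-of-this-example's heuristics, not
HijackThis's own. A hit means "look at this first", not "this is malware".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines taken from the logs posted above, plus a
# benign Symantec autorun and the AIM button so the filter has negatives.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ccwef.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iwon.com/?v=1
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {39AC377E-E21B-20CA-D558-675579A92A38} - C:\WINDOWS\System32\ngf.dll
O4 - HKLM\..\Run: [netpl32.exe] C:\WINDOWS\netpl32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {0A5B96BC-04AC-42C7-A81D-2E2FF6042210} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
"""

# Every HijackThis entry starts with a section tag such as R1, O4, O16.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Start/search page set to a res:// resource (a page embedded in a local DLL).
RES_URL_RE = re.compile(r"=\s*res://", re.IGNORECASE)
# Executable run straight from %WINDIR% or the legacy %WINDIR%\system folder
# (not System32). Heuristic: legitimate software rarely installs itself there.
WINDIR_EXE_RE = re.compile(r'[A-Z]:\\WINDOWS\\(?:system\\)?[^\\"\s]+\.exe\b', re.IGNORECASE)
# Hosts entries that point somewhere other than loopback/blackhole are redirects.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def classify(section: str, body: str) -> Optional[str]:
    """Return a reason string if the entry trips one of the heuristics, else None."""
    if section in ("R0", "R1") and RES_URL_RE.search(body):
        return "IE start/search page points at a res:// page inside a local DLL (CWS-style hijack)"
    if section == "R3" and "missing" in body:
        return "default URLSearchHook has been removed, as search hijackers do"
    if section == "O1":
        parts = body.split()  # "Hosts: <address> <hostname>"
        if len(parts) >= 3 and parts[1] not in LOOPBACK:
            return f"hosts file redirects {parts[2]} to {parts[1]}"
    if section == "O2" and "(no name)" in body:
        return "unnamed Browser Helper Object loaded into IE"
    if section == "O4" and WINDIR_EXE_RE.search(body):
        return "autorun executable in the Windows root or legacy \\system folder"
    if section == "O9" and ("(no file)" in body or "(file missing)" in body):
        return "IE button/menu entry whose target file is gone"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse a whole log and return the entries worth a reviewer's attention, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # header lines, blanks and the "Running processes" paths
        reason = classify(match.group("section"), match.group("body"))
        if reason:
            findings.append(Finding(match.group("section"), line, reason))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section}: {finding.reason}\n    {finding.line}")
```

To use it on a saved log, pass the file contents to `triage()`; the output is a shortlist for the person reading the log, and anything it does not flag (the R0 iwon.com start page, for instance, which the moderator also listed) still needs the usual by-eye review.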
