Huge CPU Spikes Just Started w/AOL!

This topic is locked. 10 replies to this topic.

#1 Aeroluvr (Full Member, 10 posts)

Posted 20 May 2004 - 04:33 AM

It's 2am and I have to leave town in 5 hours... of course... for a week, but after 11 wasted hours I SO need some help.

First: Windows XP. Ran current Spybot and Ad-Aware, my Norton is updated daily "just in case" LOL, and I show no infections and all spyware found has been fixed.

I can open ALL programs on my computer just fine and usage stays under 10%. And until yesterday AOL had virtually no impact on that. Then all of a sudden, when AOL is opened, the CPU usage goes nuts... I have been able to isolate it to only when AOL is open, BUT it is a process called WToolsA.exe that causes the huge CPU spikes, and it ONLY DOES THIS when the AOL browser is open. Very strange. When AOL is NOT open, it stays at a normal use level, but with AOL open it goes to 69%, 80%, etc. in spikes every 20 seconds or so.

I've had this AOL email account for 12 years so I'm not willing to lose it. What has happened is maybe tied to a "new" svchost that seemed to appear recently. ALSO, THE CURSOR constantly goes from just a pointer to a combined pointer and hourglass when the 100% spikes happen, several times per minute while AOL is open, and it ties to the WToolsA.exe spikes.

I have had various worms, trojans, etc. and fixed them. I've never been without up-to-date antivirus software. Only recently kept up on spyware, but this is very scary as it appears to be either sending out info to or receiving info from a third party.

I ALSO have IE, which works FINE with no extra usage when just opened alone from the desktop. I ALSO have the SBC Yahoo DSL custom browser, which I rarely use but DID use this week, and they have had some attacks, I know.

I HAVE KEPT ALL CRITICAL WINDOWS XP updates up to date. What a piece of crap this program was, huh? Never seen so many problems. I cannot download Pack 1, which came out long ago, due to OEM conflicts, but Pack 1 not being installed has never been a problem and that's been almost two years now, I believe.

I HAVE also restored back to the times when the updates were last downloaded, and various other times, and then undid those, but no change on this problem, which appeared just two days ago and has got much worse.

As you can tell, I believe in giving too much rather than not enough info to people willing to help. All other programs work fine. In trying to fix this I corrupted the AOL user file for my main huge account... again, which sucks. I have seen a couple of posts over the past two days of AOL users with nothing going BUT AOL with 100% usage issues suddenly, so I guess it's an attack on a related DLL file and AOL? Spybot, newly updated, did not help. This first scan is WITHOUT AOL OPEN; the second one posted is with AOL open and the problem happening. It is for SURE that ToolsA process that is spiking, which appears right before/after waol in the list of processes, I believe.

I have to leave town and I am scared to death - I have 55GB of data on this computer and I've only been able to back up some of it.

I WILL have a laptop on the road with me for this week, so even though I HAVE read all of the guidelines, rules, and the quickstart suggestions, it sure would be nice for someone to email me a reading of my HijackThis report. I won't have THIS screwed-up computer with me, but maybe I will at least know what I am facing when I return, unless my computer has blown up.

The other complication... this is OEM AOL on a GATEWAY Windows XP, also OEM.

Here is my first HijackThis file, which I'm sure is a mess, but right now I am trying to first address the TOOLS/AOL CPU use issue. All virus/spyware scans are clean right now. And yes, the TV MEDIA did just pop up yesterday too. I did open one file that opened AOL's media program, which I NEVER use, yesterday... wonder if that was tied to it?

I don't see many responding here lately... I tried to register on another site called Computer Cops, I think it was, but they never sent me a password and I've run out of time. My email address is my user name here @aol.com.

I know my registry is a mess as I've been so scared to mess with it. If everything works, why fix it? And as I said, I've always been one to have as much protection going as possible, but this Gateway OEM Windows XP has been a total nightmare. Some of the critical patches in general don't work on this computer but screw it up more!

With all of the protection I really have had only minor problems, always easily fixable. Not this time. So weird that it is tied to the AOL browser, NOT IE, NOT Yahoo, etc. It's driving me nuts... I knew it was slow, but the CURSOR THING every few seconds is what made me check processes, not just applications. I know there was something else in my MAIN AOL account because when Spybot ran and "fixed" it, I can no longer use that account without deleting all user info, yet no file in the list said AOL in it!

I have some problems like TV MEDIA, etc., but I am so insecure as this computer is "my life" right now LOL... really just want to fix the use/cursor/AOL issue first, then tackle the rest.

Also I did notice another SVCHOST.EXE-08EA1B75.pf in the WINNT\Prefetch directory which looked odd, as I also have one in WINNT\SYSTEM32, so wondered if that had anything to do with it. Please know I do NOT know what I am doing as far as fixing registry entries and am a bit hesitant, so would like step-by-step help. The timing of this is AWFUL... ruining my week-long trip, as my entire business may be gone when I get home. AOL was NOT open when I did THIS scan... I will open it and do another in case that makes a difference. Thanks in advance for any help.

Logfile of HijackThis v1.97.7
Scan saved at 2:27:31 AM, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\PROMon.exe
C:\WINNT\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\Palm\hotsync.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...px?tb_id=%tb_id
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeroforce...orums/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINNT\System32\SbSrch_V22.dll (file missing)
O2 - BHO: (no name) - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB} - C:\WINNT\System32\msvcn.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [system] dcomx.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [system] dcomx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OWMngr] C:\WINNT\System32\OWMngr.exe
O4 - HKCU\..\Run: [ZILLAFTP] C:\Program Files\ZillaFtp\zillaftp.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.24...va/cfs40300.cab
O16 - DPF: symsupportutil - http://www.symantec....supportutil.CAB
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5....m/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsy...0006/btiein.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5....v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7882.1843287037
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} (BHO.clsUrlSearch) - http://64.246.24.68/...Installer_4.exe
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymet...moryMeterbb.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://distribution.....com/msiein.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.micr...04/clearadj.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathe...utoCAST0014.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A20D74B0-F750-477D-A2DC-26FAE3131200}: NameServer = 206.13.29.12 206.13.30.12

Edited by Aeroluvr, 20 May 2004 - 05:21 AM.


#2 Aeroluvr (Full Member, 10 posts)

Posted 20 May 2004 - 04:40 AM

OK, here is the second one, run with AOL open, and then the file bolded below uses up the CPU to the max.

I have AOL 7 only because 8 and 9 won't work upgrading on this machine - something about how the OEM version was originally installed and the Windows XP that went on here was a really "bad version, as in new". By the way, usually both TOOLS files show up, A and S, but only A on this one, and it is the one causing the CPU issue.

Logfile of HijackThis v1.97.7
Scan saved at 2:36:18 AM, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\PROMon.exe
C:\WINNT\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\Palm\hotsync.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\Program Files\Common files\WinTools\WToolsA.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50038
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeroforce...orums/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50038
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINNT\System32\SbSrch_V22.dll (file missing)
O2 - BHO: (no name) - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB} - C:\WINNT\System32\msvcn.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [system] dcomx.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [system] dcomx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OWMngr] C:\WINNT\System32\OWMngr.exe
O4 - HKCU\..\Run: [ZILLAFTP] C:\Program Files\ZillaFtp\zillaftp.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.24...va/cfs40300.cab
O16 - DPF: symsupportutil - http://www.symantec....supportutil.CAB
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5....m/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsy...0006/btiein.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5....v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7882.1843287037
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} (BHO.clsUrlSearch) - http://64.246.24.68/...Installer_4.exe
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymet...moryMeterbb.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://distribution.....com/msiein.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.micr...04/clearadj.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathe...utoCAST0014.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90BEF5A2-2FB5-4132-A04D-FC6EC3B3304C}: NameServer = 205.188.146.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{A20D74B0-F750-477D-A2DC-26FAE3131200}: NameServer = 206.13.29.12 206.13.30.12

Edited by Aeroluvr, 20 May 2004 - 05:08 AM.


#3 Aeroluvr (Full Member, 10 posts)

Posted 20 May 2004 - 05:15 AM

I should ask... I did long ago "fix" the hosts file, which for a while denied access to Symantec due to one of the worms. I merely renamed the file that had several denial-of-service sites listed to hosts.bad and a new good one was created, but I think now this weird one took over for the standard hosts one perhaps. Not sure, but thought I should offer that info as well. Thanks again... and please know I won't be able to get online much but will be checking here and my email (accessed through IE, NOT AOL) for any responses. Thanks. Seems all of the support forums are having to move or go hidden due to so many inquiries!

OH, and FYI, I for fun installed other versions of AOL and the SAME EXACT PROBLEM happens with 8 and 9 (and other problems) and that Tools A file... even worse, in fact. So it really screwed up WINDOWS XP, and I have hundreds of programs and 54 Gig of data, plus it's an OEM install, so a reinstall is not an option.

Edited by Aeroluvr, 20 May 2004 - 06:30 AM.


#4 Aeroluvr (Full Member, 10 posts)

Posted 20 May 2004 - 02:23 PM

Geez... this crap delayed me leaving, but am now. Anyway... one more thing to add...

The processes SCROLL LIKE CRAZY and duplicate when this is happening... ONLY WHEN AOL is opened, which never was the case.

The same processes/files show up when AOL is closed, but everything stays put and just reflects current "usage" as it changes. The WToolsA one is "fine" as long as AOL is NOT open, and all is well.

Pretty sure AOL modifies Windows XP DLL files, but even uninstalling various versions did nothing. I tried that and then restored Windows to a much earlier period and then reinstalled, but due to AOL being installed on here as an OEM, I have a feeling whatever file/process that is "infected" won't "go away in Windows" even by restoring or uninstalling AOL. Especially because it doesn't seem to matter what version, etc., and it's the WToolsA process, which I've seen others report but never a link to an AOL browser hijack like this.

Something is happening every few seconds so it goes from under 10% to 80% then back down constantly, with the cursor changing from just arrow to arrow/hourglass, though you CAN still do things as it happens... just if it's something "large" you will crash. I hope I can find this forum when I get to my destination LOL. Thanks in advance... I know it's hard to try and help someone when they won't be able to try anything for a few days, but I figured that would give you guys plenty of time to "analyze" the above. And I'd rather "err" on the side of giving too much info vs. not enough... I just hope this is the "active" forum/board.

Edited by Aeroluvr, 20 May 2004 - 02:50 PM.


#5 OlTramp (SWI Junkie, Trusted Advisor, 148 posts)

Posted 20 May 2004 - 07:46 PM

Hi Aeroluvr
Have you looked in add/remove programs to see if wintools is in there? If it is, remove it.
Close all browsers and rerun HJT. Check and click fix checked for the following-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...px?tb_id=%tb_id
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...px?tb_id=%tb_id
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINNT\System32\SbSrch_V22.dll (file missing)
O2 - BHO: (no name) - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB} - C:\WINNT\System32\msvcn.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O4 - HKLM\..\Run: [system] dcomx.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [system] dcomx.exe
O4 - HKCU\..\Run: [OWMngr] C:\WINNT\System32\OWMngr.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsy...0006/btiein.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} (BHO.clsUrlSearch) - http://64.246.24.68/...Installer_4.exe
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymet...moryMeterbb.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://distribution.....com/msiein.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathe...utoCAST0014.cab
Restart your computer in safe mode and show all hidden and system files-
Delete-
dcomx.exe<=This file, do a search for it
C:\Program Files\TV Media<=Folder
C:\Program Files\Common files\WinTools<=Folder
C:\WINNT\System32\OWMngr.exe<=File

Restart and run a scan at one or all of these sites-
http://housecall.tre.../start_corp.asp
http://www.wilders.o...ee_services.htm
http://www.pandasoft...n_principal.htm
http://www.bitdefend...can/licence.php
Post another log when you are able. I think you will be OK. B)

Edited by OlTramp, 20 May 2004 - 07:48 PM.


#6 Aeroluvr (Member, Full Member, 10 posts)

Posted 20 May 2004 - 09:12 PM

Thanks for the reply..on laptop now at 26.4 LOL. Sucks. But then again..'bout the same as my AOL at home right now LOL. I went into add/remove programs a zillion times...I don't recall seeing WinTools but who knows. So is that something that I can safely remove - what is it? Any idea why/how it would only impact the AOL browser? The reason I ask....out of all of the worms, bugs, viruses, hijacks, etc. I have had happen, all have affected either Windows itself OR IE browser but never AOL due to their automatic firewall, etc.

Hopefully I can enjoy my few days away knowing when I get home I can try this...now I wish I had posted BEFORE I screwed up my AOL file but hey...that's happened to me many times over the years so no biggie..just lose history that most programs don't allow you to keep anyway (tons of in/out emails, etc.) Anyway...I will do as you suggest but since there's time....and I don't remember seeing a tools program when I looked, you might consider a possible Plan B LOL. Thanks again.

#7 Aeroluvr (Member, Full Member, 10 posts)

Posted 20 May 2004 - 10:05 PM

You won't believe this..I don't! I downloaded/installed all updates for Windows and Norton on this laptop before I left home...yesterday. I ran a full scan and all was clear. I get here and there are updates for Norton already AND...get this...I open IE and a couple of emails...no attachments or anything and wham..I suddenly have three different worm warnings from Norton...Sasser? Welchia? This is off memory...I recognized all three. Anyway, I am using DIALUP through Yahoo DSL provider and someone said even DIALUP PORTS of theirs were attacked...do you think that could be it? My system froze, my usage went nuts and then all of the worm alerts. Geez. I'm NOT gonna spend my time away from home trying to fix THIS machine too! So much for dial up being safe. And no, nothing is shared (files/connection/software) between this machine and my home one. So I suppose when I get home I'll have to have you guys help me fix this as I have no idea if I will be able to stay online here or not! Grrr!

#8 Aeroluvr (Member, Full Member, 10 posts)

Posted 20 May 2004 - 10:41 PM

Bobax virus in a temp1 file that will not allow itself to be quarantined or deleted. And it must have screwed my hosts file cuz I can't get to Norton site now either. I know this is not related to my Hijack post for my other computer..but...geez..I cannot believe this. I scanned this thing and it was totally clean. Now I have 4 files infected and this is too slow for me to look up if I can delete them or not so I quarantined the 3 that would allow it and of course I still get "your computer is still infected" because of the temp one that will not let me do anything to it. I tried all different ways..through windows explorer, etc. So hey if you want to take pity on this poor girl who is totally freaked out now....I mean I have NEVER hooked this computer up to anything BUT SBC Yahoo dialup! In a matter of minutes I have 4 infected files in a new scan PLUS alerts of other worms as I stated above...the four files were all Bobax but the other two are popping up as alerts. This has really ruined this trip as I need safe access for work purposes. So if you have any FAST FIXES I can do with this stuff..though I don't know if it fits under malware or not, please feel free to share...if you don't hear anything back it means I blew up...the computer too.

#9 Aeroluvr (Member, Full Member, 10 posts)

Posted 20 May 2004 - 11:14 PM

LAPTOP HJT SCAN (MIGHT AS WELL IN CASE I END UP OFF LINE COMPLETELY LOL! THIS IS A DIFFERENT COMPUTER FROM THE ABOVE ONE...SHOULD I HAVE STARTED ANOTHER THREAD? WASN'T SURE. THANKS AGAIN!

Logfile of HijackThis v1.97.7
Scan saved at 9:11:22 PM, on 5/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\EzButton\CPLBTS88.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\dsrss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Terry\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CPLBTS88] C:\PROGRA~1\EzButton\CPLBTS88.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [C8BAF7E5] C:\WINDOWS\System32\fpxbdnxwcsyf.exe
O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2847F99-7592-46B0-9EE3-32139C33AD3E}: NameServer = 209.244.0.3 209.244.0.4

#10 OlTramp (SWI Junkie, Trusted Advisor, 148 posts)

Posted 21 May 2004 - 05:48 PM

Hi Aeroluvr
First let's empty your temp files. Go to this site
http://www.personal-...ngtempfiles.htm After getting the instructions make sure you start in safe mode and show all hidden and system files.
How To Show Hidden Files
How to Start In Safe Mode
Then on your computer with the most recent log- you need to place HiJack This into a folder of its own.
Go into your documents and make a new folder and name it HJT or something you like. Then unzip HJT into your new folder. If you ever need to restore an item you may not have that option, or be able to find them from a temp dir.
Close all browsers and rerun HJT. Check and click fix checked for the following-
O4 - HKLM\..\Run: [C8BAF7E5] C:\WINDOWS\System32\fpxbdnxwcsyf.exe
O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe
Now find this file dsrss.exe and submit here for analysis.
Restart in safe mode and delete-
C:\WINDOWS\System32\fpxbdnxwcsyf.exe<=This file
dsrss.exe<=This file
Let me know how it goes. I'll be in and out all weekend so I may not answer as quickly as you hope, but "I'll be back".
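Both cleanup lists in this thread (the WinTools / dcomx.exe one in the earlier reply and the dsrss.exe / fpxbdnxwcsyf.exe one just above) pick out the same kinds of HijackThis entries: an autostart whose command is a bare file name with no directory, the same name registered under both Run and RunServices, value names or executable names that look machine-generated, nameless BHOs, and ActiveX controls pulled from the web. The script below is an added example, not part of the thread and not a HijackThis feature, that applies those rules to log lines copied from the logs posted here; the heuristics, thresholds, severity labels and function names are this example's own assumptions, and the KNOWN_SYSTEM whitelist is deliberately tiny.

```python
"""Triage a HijackThis log the way the helper in this thread does (example code).

Assumed heuristics, not HijackThis features:
  * O4 command that is a bare file name (no directory): Windows resolves it via
    PATH, which is how droppers copied into System32 usually register themselves.
  * the same bare name under more than one autostart key, or any entry under
    RunServices on an NT-family OS: strong signal.
  * value name that is an 8-digit hex blob, or an executable stem of 8+ letters
    with no vowel: strong signal.
  * O2 "(no name)" BHO and O16 http:// ActiveX downloads: worth a look only.
  * O17 NameServer: always listed so the DNS servers can be checked.
"""
import re
from collections import Counter

VOWELS = set("aeiou")
KNOWN_SYSTEM = {"rundll32.exe"}  # bare names that are expected on any XP box


def parse_log(text):
    """Yield (section, body) for each 'Oxx - ...' line; ignore everything else."""
    for line in text.splitlines():
        m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)


def exe_of(cmd):
    """Executable path/name at the front of an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_o4(body):
    """Split 'HKLM\\..\\Run: [name] cmd' or 'Global Startup: x.lnk = path'."""
    loc, _, rest = body.partition(": ")
    m = re.match(r"\[([^\]]*)\] (.*)$", rest)
    if m:
        return loc, m.group(1), m.group(2)
    name, _, target = rest.partition(" = ")
    return loc, name, target


def looks_random(stem):
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 8 and not (set(letters) & VOWELS)


def triage(text):
    entries = list(parse_log(text))
    bare_counts = Counter()  # how many autostart keys each bare name is under
    for sec, body in entries:
        if sec == "O4":
            exe = exe_of(parse_o4(body)[2])
            if "\\" not in exe:
                bare_counts[exe.lower()] += 1
    findings = []
    for sec, body in entries:
        strong, weak = [], []
        if sec == "O4":
            loc, name, cmd = parse_o4(body)
            exe = exe_of(cmd)
            stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if exe.lower() in KNOWN_SYSTEM:
                pass
            elif "\\" not in exe:
                weak.append("bare file name, resolved through PATH")
                if bare_counts[exe.lower()] > 1:
                    strong.append("same bare name under %d autostart keys" % bare_counts[exe.lower()])
            if "RunServices" in loc:
                strong.append("RunServices key on an NT-family OS")
            if re.fullmatch(r"[0-9A-F]{8}", name):
                strong.append("value name is a hex blob")
            if looks_random(stem):
                strong.append("executable name has no vowels")
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            weak.append("nameless BHO")
        elif sec == "O16" and re.search(r" - https?://", body):
            weak.append("ActiveX control downloaded from the web")
        elif sec == "O17":
            weak.append("confirm these DNS servers belong to your ISP")
        if strong or weak:
            findings.append({"section": sec, "severity": "high" if strong else "review",
                             "reasons": strong + weak, "line": sec + " - " + body})
    return findings


def cleanup_targets(findings):
    """Files to search for in safe mode: executables behind high-severity O4 hits."""
    targets = set()
    for f in findings:
        if f["section"] == "O4" and f["severity"] == "high":
            targets.add(exe_of(parse_o4(f["line"].split(" - ", 1)[1])[2]))
    return sorted(targets)


# Sample input: lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [C8BAF7E5] C:\WINDOWS\System32\fpxbdnxwcsyf.exe
O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathe...utoCAST0014.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2847F99-7592-46B0-9EE3-32139C33AD3E}: NameServer = 209.244.0.3 209.244.0.4
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("[%s] %s\n    %s" % (f["severity"], f["line"], "; ".join(f["reasons"])))
    print("search for in safe mode:", cleanup_targets(found))
```

Run on the sample, the "high" hits are exactly the three lines the helper told the poster to fix (the hex-named fpxbdnxwcsyf.exe entry and both dsrss.exe entries), while nwiz.exe, the nameless Acrobat BHO, the weather ActiveX control and the DNS servers come out as "review" only, which matches the thread: those need a human decision, not automatic deletion. The rules are a starting point for reading a log, not a replacement for submitting an unknown file for analysis as the helper asks.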

#11 Aeroluvr (Member, Full Member, 10 posts)

Posted 21 May 2004 - 11:14 PM

Hi...thanks for all of this. I don't think I can take the time on my trip to do all of this and I don't have a printer so it's hard to "get instructions" and then do them unless they are very quick and easy..I usually print everything out.

BUT I can ask my questions now so when I get home I can fix BOTH computers...

I'm a bit confused by one direction. On BOTH computers I added a folder in the raw C: drive and named it hijack or hijackthis and downloaded it there on both..but I just realized the site I downloaded it from for this laptop was a zip file so I just went and unzipped it and made sure the hijackthis.exe is in its own directory and reran again below just in case.

I haven't had any problems or even had any warnings the last three times I signed on...weird. I was going to delete all temp files BUT it won't let me delete the infected one. I very easily found it and yes it starts with a ~ but whatever virus is attached to it will not allow it to be deleted via any method LOL. AND the virus warnings go nuts when I tried to. I am a bit gunshy deleting the "unseen" TEMP files as instructed...I did that once and crashed my entire system and the results were horrendous.

Here are the files found in the search...I don't really feel comfortable deleting any of them other than maybe the ones in the bin...especially not the ones with no new date listed.

Weird...even with hidden and system enabled..the one that is denying access did not show up in the search BUT I did find it yesterday using regular explorer but it wouldn't let me delete it. I have no way to recover on the road (and even at home really don't want to risk it as it's not clean XP LOL). I need to do either very little or only 100% safe/easy steps since I'm still "running" knock on wood. Here are the 9 files found when doing the temp files search suggested:

C:\Windows\system32\CatRoot2\edb.chk Recovered File Fragments 5/20/04
----------------------------------------------------------
C:\Windows\Security\edb.chk Recovered File Fragments 4/11/03
----------------------------------------------------------
C:\ProgramFiles\NortonAntiVirus\Quarantene\35FC7D69.tmp 5/20/04
----------------------------------------------------------
h2r3E.tmp in Recycle Bin 5/1/2003
----------------------------------------------------------
datA.tmp in Recycle Bin 5/20/2004
----------------------------------------------------------
C:\Windows\system32\CONFIG.TMP 8/29/02
----------------------------------------------------------
C:Windows\Temp FOLDER ~offfilt (empty) 4/23/03
----------------------------------------------------------
C:Windows\SUPPORT\TOOLS\SUPPORT.CAB\ntdetect 7/21/01
----------------------------------------------------------
C:Windows\LastGood.Tmp FOLDER with lots of other folders in it. Nothing dated 2004 in here and I think it's best not to delete this. Folders in it include AppPatch, INF, pchealth, Downloaded Program Files, Java, System32, hh.exe
----------------------------------------------------------

I know most don't care but I do...can you kinda explain...for BOTH computers as to how/what we are doing and why a bit more. I'd like to learn a bit more so I maybe can figure out some things more on my own in the future..up until now I have pretty much. Just to clarify..the post just above this one is for my laptop issue right...? Did you see my questions on the home computer...about what is Windows Tools? The reason I ask...I have no Windows CDs as this came OEM Toshiba and my home computer OEM Gateway.

I have no printer and not much time but in the meantime here is the hijackthis log rerun after unzipping...as I wasn't sure if you saw something that made you think I had not created a new folder in the root directory for it..I had but I hadn't unzipped. ON BOTH COMPUTERS IT IS IN C:\

Logfile of HijackThis v1.97.7
Scan saved at 8:56:33 PM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\EzButton\CPLBTS88.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\dsrss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CPLBTS88] C:\PROGRA~1\EzButton\CPLBTS88.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [C8BAF7E5] C:\WINDOWS\System32\fpxbdnxwcsyf.exe
O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2847F99-7592-46B0-9EE3-32139C33AD3E}: NameServer = 209.244.0.3 209.244.0.4

Edited by Aeroluvr, 22 May 2004 - 12:36 AM.
