Aeroluvr

Huge CPU Spikes Just Started w/AOL!

11 posts in this topic

It's 2am and I have to leave town in 5 hours..of course..for a week but after 11 wasted hours..I SO need some help.

First..Windows XP, Ran current Spybot, Adaware, my Norton is updated daily "just in case LOL" and I show no infections and all spyware found has been fixed.

I can open ALL programs on my computer just fine and usage stays under 10%. And until yesterday AOL had virtually no impact on that. Then all of a sudden when AOL is opened, the CPU usage goes nuts...I have been able to isolate it to only when AOL is open BUT it is a process called WToolsA.exe that causes the huge CPU spikes and ONLY DOES THIS when AOL browser is open. Very strange. When AOL is NOT open, it stays at normal use level but with AOL open it goes to 69% 80% etc. in spikes every 20 seconds or so.

I've had this AOL email account for 12 years so I'm not willing to lose it. What has happened is tied to a "new" svchost maybe that seemed to appear recently. ALSO, THE CURSOR constantly goes from just a pointer to a combined pointer and hourglass when the 100% spikes happen several times per minute while AOL is open and ties to the WToolsA.exe file spikes.

I have had various worms, fixed them, trojans, etc. I've never been without antivirus software up to date. Only recently kept up on spyware but this is very scary as it appears to be either sending out or receiving from third party info.

I ALSO have IE which works FINE with no extra usage when just opened alone from the desktop. I ALSO have SBC Yahoo DSL custom browser which I rarely use but DID use this week and they have had some attacks I know.

I HAVE KEPT ALL CRITICAL WINDOWS XP updates up to date. What a piece of crap this program was huh? Never seen so many problems. I cannot download Pack 1 which came out long ago due to OEM conflicts but Pack 1 not being installed has never been a problem and that's been almost two years now I believe.

I HAVE also restored back to the times when the updates were last downloaded to and various other times and then undid those but no change on this problem which appeared just two days ago and has got much worse.

As you can tell, I believe in giving too much rather than not enough info to people willing to help. All other programs work fine. In trying to fix this I corrupted the AOL user file for my main huge account...again which sucks. I have seen a couple of posts over the past two days of AOL users with nothing going BUT AOL with 100% usage issues suddenly so I guess it's an attack on a related DLL file and AOL? Spybot, newly updated did not help. This first scan is WITHOUT AOL OPEN, the second one posted is with AOL open and the problem happening. It is for SURE that ToolsA process that is spiking which appears right before/after waol in the list of processes I believe.

I have to leave town and I am scared to death - I have 55GB of data on this computer and I've only been able to back up some of it.

I WILL have a laptop on the road with me for this week so even though I HAVE read all of the guidelines, rules, and the quickstart suggestions, sure would be nice for someone to email me a reading of my hijackthis report. I won't have THIS screwed up computer with me but maybe I will at least know what I am facing when I return unless my computer has blown up.

The other complication..this is OEM AOL on a GATEWAY Windows XP also OEM.

Here is my first hijackthis file which I'm sure is a mess but right now I am trying to first address the TOOLS/AOL CPU use issue. All virus/spyware scans are clean right now. And yes the TV MEDIA did just pop up yesterday too. I did open one file that opened AOL's media program which I NEVER use yesterday..wonder if that was tied to it?

I don't see many responding here lately...I tried to register on another site called computer cops I think it was but they never sent me a password and I've run out of time. My email address is my user name here @aol.com.

I know my registry is a mess as I've been so scared to mess with it. If everything works why fix it and as I said, I've always been one to have as much protection going as possible but this Gateway OEM Windows XP has been a total nightmare. Some of the critical patches in general don't work on this computer but screw it up more!

With all of the protection I really have had only minor problems always easily fixable. Not this time. So weird that it is tied to AOL browser NOT IE, NOT Yahoo, etc. It's driving me nuts..I knew it was slow but the CURSOR THING every few seconds is what made me check processes not just applications. I know there was something else in my MAIN AOL account because when Spybot ran and "fixed" I can no longer use that account without deleting all user info yet no file in the list said AOL in it!

I have some problems like TV MEDIA, etc. but I am so insecure as this computer is "my life" right now LOL..really just want to fix the use/cursor/AOL issue first then tackle the rest.

Also I did notice another SVCHOST.EXE-08EA1B75.pf in WINNT/Prefetch directory which looked odd as I also have one in WINNT/SYSTEM32 so wondered if that had anything to do with it. Please know I do NOT know what I am doing as far as fixing registry entries and am a bit hesitant so would like step by step help. The timing of this is AWFUL..ruining my week long trip as my entire business may be gone when I get home. AOL was NOT open when I did THIS scan..I will open it and do another in case that makes a difference. Thanks in advance for any help.

Logfile of HijackThis v1.97.7
Scan saved at 2:27:31 AM, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\PROMon.exe
C:\WINNT\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\Palm\hotsync.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeroforceone.com/af1_forums/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINNT\System32\SbSrch_V22.dll (file missing)
O2 - BHO: (no name) - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB} - C:\WINNT\System32\msvcn.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [updReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [system] dcomx.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [system] dcomx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OWMngr] C:\WINNT\System32\OWMngr.exe
O4 - HKCU\..\Run: [ZILLAFTP] C:\Program Files\ZillaFtp\zillaftp.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.240:8000/Java/cfs40300.cab
O16 - DPF: symsupportutil - http://www.symantec.com/techsupp/symsupportutil.CAB
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50006/btiein.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7882.1843287037
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} (BHO.clsUrlSearch) - http://64.246.24.68/Aff_Installer_4.exe
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeterbb.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://distribution.trafficsyndicate.com/msiein.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E...04/clearadj.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0014.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A20D74B0-F750-477D-A2DC-26FAE3131200}: NameServer = 206.13.29.12 206.13.30.12

Edited by Aeroluvr


OK, here is the second one run with AOL open and then the file bolded below uses up the process CPU use to the max.

I have AOL 7 only because 8 and 9 won't work upgrading on this machine - something about how the OEM version was originally installed and the Windows XP that went on here was a really "bad version as in new". By the way usually both TOOLS files show up A and S but only A on this one and it is the one causing the CPU issue.

Logfile of HijackThis v1.97.7
Scan saved at 2:36:18 AM, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\PROMon.exe
C:\WINNT\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\Palm\hotsync.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\Program Files\Common files\WinTools\WToolsA.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeroforceone.com/af1_forums/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINNT\System32\SbSrch_V22.dll (file missing)
O2 - BHO: (no name) - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB} - C:\WINNT\System32\msvcn.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [updReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [system] dcomx.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [system] dcomx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OWMngr] C:\WINNT\System32\OWMngr.exe
O4 - HKCU\..\Run: [ZILLAFTP] C:\Program Files\ZillaFtp\zillaftp.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.240:8000/Java/cfs40300.cab
O16 - DPF: symsupportutil - http://www.symantec.com/techsupp/symsupportutil.CAB
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50006/btiein.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7882.1843287037
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} (BHO.clsUrlSearch) - http://64.246.24.68/Aff_Installer_4.exe
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeterbb.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://distribution.trafficsyndicate.com/msiein.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E...04/clearadj.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0014.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90BEF5A2-2FB5-4132-A04D-FC6EC3B3304C}: NameServer = 205.188.146.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{A20D74B0-F750-477D-A2DC-26FAE3131200}: NameServer = 206.13.29.12 206.13.30.12

Edited by Aeroluvr


I should ask..I did long ago "fix" the hosts file which for a while denied access to symantec due to one of the worms. I merely renamed the file that had several denial of service sites listed to hosts.bad and a new good one was created but I think now this weird one took over for the standard hosts one perhaps. Not sure but thought I should offer that info as well. Thanks again..and please know I won't be able to get online much but will be checking here and my email (accessed through IE NOT AOL) for any responses. Thanks. Seems all of the support forums are having to move or go hidden due to so many inquiries!

OH and FYI I for fun installed other versions of AOL and the SAME EXACT PROBLEM happened with 8 and 9 (and other problems) and that tools a file..even worse in fact. So it really screwed up WINDOWS XP and I have hundreds of programs and 54Gig of data plus it's an OEM install so a reinstall is not an option.

Edited by Aeroluvr


Geez..this crap delayed me leaving but am now. Anyway...one more thing to add...

The processes SCROLL LIKE CRAZY and duplicate when this is happening..ONLY WHEN AOL is opened which never was the case.

The same processes/files show up when AOL is closed but everything stays put and just reflects current "usage" as it changes. The WToolsA one is "fine" as long as AOL is NOT open and all is well.

Pretty sure AOL modifies Windows XP files DLL but even uninstalling various versions did nothing. I tried that and then restored Windows to a much earlier period and then reinstalled but due to AOL being installed on here as an OEM I have a feeling whatever file/process that is "infected" won't "go away in Windows" even by restoring or uninstalling AOL. Especially because it doesn't seem to matter what version, etc. and it's the WToolsA process which I've seen others report but never a link to AOL browser hijack like this.

Something is happening every few seconds so it goes from under 10% to 80% then back down constantly with the cursor changing from just arrow to arrow/hourglass though you CAN still do things as it happens...just if it's something "large" you will crash. I hope I can find this forum when I get to my destination LOL. Thanks in advance...I know it's hard to try and help someone when they won't be able to try anything for a few days but I figured that would give you guys plenty of time to "analyze" the above. And I'd rather "err" on the side of giving too much info vs not enough..I just hope this is the "active" forum/board.

Edited by Aeroluvr


Hi Aeroluvr

Have you looked in add/remove programs to see if WinTools is in there? If it is, remove it.

Close all browsers and rerun HJT. Check and click fix checked for the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINNT\System32\SbSrch_V22.dll (file missing)
O2 - BHO: (no name) - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB} - C:\WINNT\System32\msvcn.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O4 - HKLM\..\Run: [system] dcomx.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [system] dcomx.exe
O4 - HKCU\..\Run: [OWMngr] C:\WINNT\System32\OWMngr.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50006/btiein.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} (BHO.clsUrlSearch) - http://64.246.24.68/Aff_Installer_4.exe
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeterbb.cab

O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB

O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://distribution.trafficsyndicate.com/msiein.cab

O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0014.cab

Restart your computer in safe mode and show all hidden and system files-

Delete-

dcomx.exe<=This file, do a search for it

C:\Program Files\TV Media<=Folder

C:\Program Files\Common files\WinTools<=Folder

C:\WINNT\System32\OWMngr.exe<=File

 

Restart and run a scan at one or all of these sites-

http://housecall.trendmicro.com/housecall/start_corp.asp

http://www.wilders.org/free_services.htm

http://www.pandasoftware.com/activescan/co...n_principal.htm

http://www.bitdefender.com/scan/licence.php

Post another log when you are able. I think you will be OK.

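Each HijackThis line in the reply above encodes a registry location: R0/R1 are Internet Explorer start and search page values, R3 is a URLSearchHook, O2 a Browser Helper Object, O4 an autostart value and O16 a Downloaded Program File (an ActiveX control pulled from a URL). The Python below is an added example for this thread, not part of HijackThis and not the reply author's code: it parses such lines into the registry keys they describe and flags the ones a helper would put on a "fix checked" list. SAMPLE is copied from the log lines quoted in the reply (plus two benign lines from the laptop log posted later in the thread), WATCHLIST is a constructed list of just the names the reply told the poster to remove, and the "bare filename" and RunServices checks are generic heuristics of my own, not anything the reply states.

```python
"""Turn HijackThis v1.9x log lines into the registry entries they describe
and flag the ones a helper would put on a "fix checked" list.

Added example for this thread; not part of HijackThis and not the reply
author's code. SAMPLE is copied from the log lines quoted in the reply above
(plus two benign lines from the laptop log posted later in the thread) and
WATCHLIST is a constructed list of the names that reply told the poster to
remove, not a signature database.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Section codes HijackThis uses: R0/R1 = IE start/search page values,
# R3 = URLSearchHook, O2 = Browser Helper Object, O4 = autostart value,
# O16 = Downloaded Program File (an ActiveX control fetched from a URL).
_RVAL_RE = re.compile(r'^(R[01]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = ?(.*)$')
_HOOK_RE = re.compile(r'^(R3|O2) - (?:URLSearchHook|BHO): (.*?) - '
                      r'(\{[0-9A-Fa-f-]{36}\}) - (.*?)( \(file missing\))?$')
_O4_RE = re.compile(r'^(O4) - (HK(?:CU|LM))\\\.\.\\(Run(?:Services|Once)?): '
                    r'\[([^\]]*)\] (.*)$')
_O16_RE = re.compile(r'^(O16) - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \(([^)]*)\))? - (\S+)$')

_HOOK_KEYS = {
    "R3": r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks",
    "O2": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
}
_O16_KEY = r"HKLM\Software\Microsoft\Code Store Database\Distribution Units"

# Names the reply singled out (constructed watchlist for this example only).
WATCHLIST = ("wintools", "wtools", "tv media", "tvm", "dcomx.exe", "owmngr.exe",
             "btlink", "btiein", "trafficsyndicate", "websearch.com",
             "msvcn.dll", "sbsrch", "memorymeter", "getweathercast", "64.246.24.68")


@dataclass
class Entry:
    kind: str        # HijackThis section code, e.g. "O4"
    location: str    # registry key the entry lives under
    name: str        # value name, CLSID or label
    target: str      # file path, command line or URL
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised log line, None for anything else."""
    line = line.strip()
    if m := _RVAL_RE.match(line):
        return Entry(m[1], m[2], m[3], m[4])
    if m := _HOOK_RE.match(line):
        e = Entry(m[1], _HOOK_KEYS[m[1]], m[3], m[4])
        if m[5]:                       # HJT could not find the DLL on disk
            e.flags.append("file missing")
        return e
    if m := _O4_RE.match(line):
        key = "\\".join((m[2], "Software", "Microsoft", "Windows", "CurrentVersion", m[3]))
        return Entry(m[1], key, m[4], m[5])
    if m := _O16_RE.match(line):
        return Entry(m[1], _O16_KEY, m[2], m[4])
    return None


def triage(e: Entry) -> Entry:
    """Attach review flags. These are prompts to look, not verdicts: plenty of
    legitimate OEM autostarts are bare filenames too."""
    hay = f"{e.name} {e.target}".lower()
    if any(w in hay for w in WATCHLIST):
        e.flags.append("watchlist")
    if e.kind == "O4":
        exe = e.target.split()[0] if e.target else ""
        if "\\" not in exe:
            # No directory given: Windows finds it through the search path,
            # which is why the reply says "do a search for it".
            e.flags.append("bare filename")
        if e.location.endswith("RunServices"):
            # Only Windows 9x/ME honours RunServices; on XP the value is inert,
            # but installers that want to persist on every version write it anyway.
            e.flags.append("RunServices")
    return e


def flagged_lines(log_text: str) -> List[str]:
    """The log lines a helper would list under 'fix checked'."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and triage(e).flags:
            out.append(line.strip())
    return out


SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINNT\System32\SbSrch_V22.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [system] dcomx.exe
O4 - HKLM\..\RunServices: [system] dcomx.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [OWMngr] C:\WINNT\System32\OWMngr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50006/btiein.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
"""

if __name__ == "__main__":
    for line in flagged_lines(SAMPLE):
        e = triage(parse_line(line))
        print(f"{e.kind:3} {', '.join(e.flags):28} {e.location}\\{e.name}")
```

Running it on SAMPLE flags nine of the twelve lines; the Norton BHO, the Apoint autostart and the hcp:// Help and Support control pass through untouched. The watchlist is deliberately the only source of "bad" verdicts here; the two O4 heuristics just tell you which lines deserve the disk search the reply asks for.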

Thanks for the reply..on laptop now at 26.4 LOL. Sucks. But then again..'bout the same as my AOL at home right now LOL. I went into add/remove programs a zillion times...I don't recall seeing WinTools but who knows. So is that something that I can safely remove - what is it? Any idea why/how it would only impact the AOL browser? The reason I ask....out of all of the worms, bugs, viruses, hijacks, etc. I have had happen, all have affected either Windows itself OR IE browser but never AOL due to their automatic firewall, etc.

 

Hopefully I can enjoy my few days away knowing when I get home I can try this...now I wish I had posted BEFORE I screwed up my AOL file but hey...that's happened to me many times over the years so no biggie..just lose history that most programs don't allow you to keep anyway (tons of in/out emails, etc.) Anyway...I will do as you suggest but since there's time....and I don't remember seeing a tools program when I looked, you might consider a possible Plan B LOL. Thanks again.


You won't believe this..I don't! I downloaded/installed all updates for Windows and Norton on this laptop before I left home...yesterday. I ran a full scan and all was clear. I get here and there are updates for Norton already AND...get this...I open IE and a couple of emails...no attachments or anything and wham..I suddenly have three different worm warnings from Norton...Sasser? Welchia? This is off memory...I recognized all three. Anyway, I am using DIALUP through Yahoo DSL provider and someone said even DIALUP PORTS of theirs were attacked...do you think that could be it? My system froze, my usage went nuts and then all of the worm alerts. Geez. I'm NOT gonna spend my time away from home trying to fix THIS machine too! So much for dial up being safe. And no, nothing is shared (files/connection/software) between this machine and my home one. So I suppose when I get home I'll have to have you guys help me fix this as I have no idea if I will be able to stay online here or not! Grrr!


Bobax virus in a temp1 file that will not allow itself to be quarantined or deleted. And it must have screwed my hosts file cuz I can't get to Norton site now either. I know this is not related to my Hijack post for my other computer..but...geez..I cannot believe this. I scanned this thing and it was totally clean. Now I have 4 files infected and this is too slow for me to look up if I can delete them or not so I quarantined the 3 that would allow it and of course I still get "your computer is still infected" because of the temp one that will not let me do anything to it. I tried all different ways..through windows explorer, etc. So hey if you want to take pity on this poor girl who is totally freaked out now....I mean I have NEVER hooked this computer up to anything BUT SBC Yahoo dialup! In a matter of minutes I have 4 infected files in a new scan PLUS alerts of other worms as I stated above...the four files were all bobax but the other two are popping up as alerts. This has really ruined this trip as I need safe access for work purposes. So if you have any FAST FIXES I can do with this stuff..though I don't know if it fits under malware or not, please feel free to share...if you don't hear anything back it means I blew up...the computer too.


LAPTOP HJT SCAN (MIGHT AS WELL IN CASE I END UP OFF LINE COMPLETELY LOL! THIS IS A DIFFERENT COMPUTER FROM THE ABOVE ONE...SHOULD I HAVE STARTED ANOTHER THREAD? WASN'T SURE. THANKS AGAIN!

 

Logfile of HijackThis v1.97.7

Scan saved at 9:11:22 PM, on 5/20/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\PROGRA~1\EzButton\CPLBTS88.EXE

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\toshiba\ivp\ism\pinger.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\WINDOWS\System32\dsrss.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Terry\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [CPLBTS88] C:\PROGRA~1\EzButton\CPLBTS88.EXE

O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [C8BAF7E5] C:\WINDOWS\System32\fpxbdnxwcsyf.exe

O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe

O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B2847F99-7592-46B0-9EE3-32139C33AD3E}: NameServer = 209.244.0.3 209.244.0.4


Hi Aeroluvr

First let's empty your temp files.Go to this site

http://www.personal-computer-tutor.com/deletingtempfiles.htm After getting the instructions make sure you start in safe mode and show all hidden and system files.

How To Show Hidden Files

How to Start In Safe Mode

Then on your computer with the most recent log- you need to place HijackThis into a folder of its own.

Go into your documents and make a new folder and name it HJT or something you like. Then unzip HJT into your new folder. If you ever need to restore an item you may not have that option, or be able to find them from a temp dir.

Close all browsers and rerun HJT. Check and click fix checked for the following-

O4 - HKLM\..\Run: [C8BAF7E5] C:\WINDOWS\System32\fpxbdnxwcsyf.exe

O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe

O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe

Now find this file dsrss.exe and submit here for analysis.

Restart in safe mode and delete-

C:\WINDOWS\System32\fpxbdnxwcsyf.exe<=This file

dsrss.exe<=This file

Let me know how it goes. I'll be in and out all weekend so I may not answer as quickly as you hope, but "I'll be back".


Hi...thanks for all of this. I don't think I can take the time on my trip to do all of this and I don't have a printer so it's hard to "get instructions" and then do them unless they are very quick and easy..I usually print everything out.

 

BUT I can ask my questions now so when I get home I can fix BOTH computers...

 

I'm a bit confused by one direction. On BOTH computers I added a folder in the raw C: drive and named it hijack or hijackthis and downloaded it there on both..but I just realized the site I downloaded it from for this laptop was a zip file so I just went and unzipped it and made sure the hijackthis.exe is in it's own directory and reran again below just in case.

 

I haven't had any problems or even had any warnings the last three times I signed on...weird. I was going to delete all temp files BUT it won't let me delete the infected one. I very easily found it and yes it starts with a ~ but whatever virus is attached to it will not allow it to be deleted via any method LOL. AND the virus warnings go nuts when I tried to. I am a bit gunshy deleting the "unseen" TEMP files as instructed...I did that once and crashed my entire system and the results were horrendous.

 

Here are the files found in the search...I don't really feel comfortable deleting any of them other than maybe the ones in the bin...especially not the ones with no new date listed.

 

Weird...even with hidden and system enabled..the one that is denying access did not show up in the search BUT I did find it yesterday using regular explorer but it wouldn't let me delete it. I have no way to recover on the road (and even at home really don't want to risk it as it's not clean XP LOL). I need to do either very little or only 100% safe/easy steps since I'm still "running" knock on wood. Here are the 9 files found when doing the temp files search suggested:

 

C:\Windows\system32\CatRoot2\edb.chk Recovered File Fragments 5/20/04

----------------------------------------------------------

C:\Windows\Security\edb.chk Recovered File Fragments 4/11/03

----------------------------------------------------------

C:\ProgramFiles\NortonAntiVirus\Quarantene\35FC7D69.tmp 5/20/04

----------------------------------------------------------

h2r3E.tmp in Recycle Bin 5/1/2003

----------------------------------------------------------

datA.tmp in Recycle Bin 5/20/2004

----------------------------------------------------------

C:\Windows\system32\CONFIG.TMP 8/29/02

----------------------------------------------------------

C:\Windows\Temp FOLDER ~offfilt (empty) 4/23/03

----------------------------------------------------------

C:\Windows\SUPPORT\TOOLS\SUPPORT.CAB\ntdetect 7/21/01

----------------------------------------------------------

C:\Windows\LastGood.Tmp FOLDER with lots of other folders in it. Nothing dated 2004 in here and I think it's best not to delete this. Folders in it include AppPatch, INF, pchealth, Downloaded Program Files, Java, System32, hh.exe

----------------------------------------------------------

 

I know most don't care but I do...can you kinda explain...for BOTH computers as to how/what we are doing and why a bit more. I'd like to learn a bit more so I maybe can figure out some things more on my own in the future..up until now I have pretty much. Just to clarify..the post just above this one is for my laptop issue right...? Did you see my questions on the home computer...about what is Windows Tools? The reason I ask...I have no Windows CDs as this came OEM Toshiba and my home computer OEM Gateway.

 

I have no printer and not much time but in the mean time here is the hijackthis log rerun after unzipping...as I wasn't sure if you saw something that made you think I had not created a new folder in the root directory for it..I had but I hadn't unzipped. ON BOTH COMPUTERS IT IS IN C:\

 

Logfile of HijackThis v1.97.7

Scan saved at 8:56:33 PM, on 5/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\PROGRA~1\EzButton\CPLBTS88.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\WINDOWS\System32\dsrss.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\toshiba\ivp\ism\ivpsvmgr.exe

C:\hijackthis\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [CPLBTS88] C:\PROGRA~1\EzButton\CPLBTS88.EXE

O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [C8BAF7E5] C:\WINDOWS\System32\fpxbdnxwcsyf.exe

O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe

O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B2847F99-7592-46B0-9EE3-32139C33AD3E}: NameServer = 209.244.0.3 209.244.0.4

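The poster reran HijackThis after moving it out of the temp directory into its own folder and asked whether anything had changed; the reply before it ends with "post another log". Comparing two logs of the same machine is the routine check at that point, so here is an added example, not HijackThis's own tooling and not the poster's: it splits each log into its running-process list and its R/O entries and reports what started, stopped, appeared or vanished between scans. OLD_LOG and NEW_LOG are constructed, abbreviated from the 5/20 and 5/21 laptop logs above, and FIX_LIST is the three O4 lines the reply asked to fix.

```python
"""Compare two HijackThis logs from the same machine and report what changed.

Added example for this thread, not HijackThis's own tooling and not the
poster's. OLD_LOG and NEW_LOG are constructed, abbreviated from the laptop
logs posted on 5/20 and 5/21 above; FIX_LIST is the three O4 lines the reply
asked the poster to fix. Sets are compared, so a mere reordering of lines
(which HijackThis does between runs) is not reported as a change.
"""
import re
from typing import Dict, List, Set, Tuple

_ENTRY_RE = re.compile(r'^[RO]\d+ - ')   # R0..R3 and O1..O23 entry lines


def split_log(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (running processes, R/O entries) from one log.

    The process list starts after "Running processes:" and ends at the
    first entry line, so a log pasted with doubled blank lines still parses."""
    procs: Set[str] = set()
    entries: Set[str] = set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
        elif _ENTRY_RE.match(line):
            in_procs = False
            entries.add(line)
        elif in_procs:
            procs.add(line.lower())      # NTFS paths are case-insensitive
    return procs, entries


def diff_logs(old: str, new: str) -> Dict[str, List[str]]:
    """What a helper looks for between two logs: new or vanished processes,
    and entries that appeared or that a 'fix checked' actually removed."""
    old_procs, old_entries = split_log(old)
    new_procs, new_entries = split_log(new)
    return {
        "processes_started": sorted(new_procs - old_procs),
        "processes_gone": sorted(old_procs - new_procs),
        "entries_added": sorted(new_entries - old_entries),
        "entries_removed": sorted(old_entries - new_entries),
    }


def still_present(log: str, fix_list: List[str]) -> List[str]:
    """Lines from a fix list that the new log still shows."""
    _, entries = split_log(log)
    return [l for l in fix_list if l.strip() in entries]


OLD_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 9:11:22 PM, on 5/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\dsrss.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Terry\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [C8BAF7E5] C:\WINDOWS\System32\fpxbdnxwcsyf.exe
O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe
"""

NEW_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 8:56:33 PM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\dsrss.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\hijackthis\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe
O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe
O4 - HKLM\..\Run: [C8BAF7E5] C:\WINDOWS\System32\fpxbdnxwcsyf.exe
"""

FIX_LIST = [
    r"O4 - HKLM\..\Run: [C8BAF7E5] C:\WINDOWS\System32\fpxbdnxwcsyf.exe",
    r"O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe",
    r"O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe",
]

if __name__ == "__main__":
    for key, lines in diff_logs(OLD_LOG, NEW_LOG).items():
        print(key, *lines, sep="\n  ")
    print("still to fix:", *still_present(NEW_LOG, FIX_LIST), sep="\n  ")
```

On these two logs the only differences are in the process list (HijackThis itself now runs from C:\hijackthis instead of the temp directory, and ivpsvmgr.exe replaced pinger.exe and msmsgs.exe); none of the three entries on the fix list has gone anywhere, which is exactly what the reply needs to know before moving to the safe-mode deletion step. The process list is the noisy part of any HJT log, so treat changes there as context and changes in the R/O entries as the signal.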