• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
warpalien

Computer Problems!

6 posts in this topic

Ok. So i've had all kinds of fun over the last two weeks. Things keep going down hill, no matter how much I run CWShredder, Adaware, Spybot, and Norton.

 

Major problems:

 

User accounts can not be created. I tried to create several accounts, I login, and it just sits there for hours.

 

Notepad.exe not found. This started this morning, I tried to open up a txt file, Norton popped up with a virus saying it was a Trjoan.Startpage. I scanned three times now, and system "appears to be clean". I've had several CWS style jackings, and it has not been fun.

 

StartupList report, 7/1/2004, 4:39:47 PM

StartupList version: 1.52.2

Started from : C:\Documents and Settings\Administrator\Desktop\HijackThis.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Miraplacid Publisher 4.2\pmanager.exe

C:\Program Files\SETI@home\SETI@home.exe

C:\WINNT\system32\ctfmon.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

Synchronization Manager = mobsync.exe /logon

Logitech Utility = Logi_MwX.Exe

PManager41 = "C:\Program Files\Miraplacid Publisher 4.2\pmanager.exe" /Hidden

NvCplDaemon = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

seticlient = C:\Program Files\SETI@home\SETI@home.exe -min

ctfmon.exe = ctfmon.exe

NvMediaCenter = RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

 

(Default) = "C:\WINNT\notepad.exe" "%1"

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINNT\SETIHOME.SCR

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

HP DArC Task #Hewlett-Packard#7600#MY3B5320BGK3.job

HP Usg Daily.job

Norton AntiVirus - Scan my computer.job

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[QuickTime Object]

InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx

CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

 

[Office Update Installation Engine]

InProcServer32 = C:\WINNT\opuc.dll

CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

 

[update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8070.8093634259

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx

CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

WebCheck: C:\WINNT\system32\webcheck.dll

SysTray: stobject.dll

Share this post


Link to post
Share on other sites

Can you please post a HijackThis log (not a Startup Log) by starting HijackThis, pressing "scan", and pressing "save log"?

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 7:38:48 PM, on 7/1/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Miraplacid Publisher 4.2\pmanager.exe

C:\Program Files\SETI@home\SETI@home.exe

C:\WINNT\system32\ctfmon.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {F771D30E-91C7-4815-8E29-0FCAA3E9EB46} - C:\WINNT\system32\gdbnm.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [PManager41] "C:\Program Files\Miraplacid Publisher 4.2\pmanager.exe" /Hidden

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

O18 - Filter: text/html - {F4C06ED6-4677-4164-9168-A156B8FC1E15} - C:\WINNT\system32\gdbnm.dll

O18 - Filter: text/plain - {F4C06ED6-4677-4164-9168-A156B8FC1E15} - C:\WINNT\system32\gdbnm.dll

Share this post


Link to post
Share on other sites

the file file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html keeps finding its way back in there. i've deleted it, and spybots deleted it like 50 times. also C:\WINNT\system32\gdbnm.dll which hijack this calls out, is not on my system, i cant find that filename anywhere when i search/look for it.

 

according to my registry tweakui is launching the rundll32.exe, which at first glance I thought was possibly spyware/virus since norton was finding .dll files infected.

Edited by warpalien

Share this post


Link to post
Share on other sites

[edit]Oooops.[/edit]

 

Alright, this is somewhat of a complex fix.

 

First of all, have you rebooted your computer since that log was generated? If so, a .dll file may have renamed itself, just look for the one that wasn't there before when I have you fix things.

 

First, go here to download/install apm.

 

Now, open HijackThis and APM (ALL other windows, including this one, should be CLOSED).

 

In HijackThis please place a checkmark next the following items and "fix" them with the "Fix Selected" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {F771D30E-91C7-4815-8E29-0FCAA3E9EB46} - C:\WINNT\system32\gdbnm.dll <-This file may have renamed itself, just look for the one that wasn't there before.

 

Then, switch back over to APM. In the upper frame of the window choose "explorer.exe" and in the lower frame choose the .dll file you are going to fix in HijackThis. Choose to "Unload DLL" and press OK on any following prompts.

 

Now reboot and scan your computer with Ad-aware and remove anything it finds.

 

Finally (hopefully), post a new HijackThis log.

 

Thanks.

Edited by Gwyrox732

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0