Please help me remove malware


39 replies to this topic

#1 NormanD (Full Member, 34 posts)

Posted 13 July 2004 - 03:01 AM

Hi!
Thanks for the site and all you helpers.

I ran HJT and, according to the results I have one of the sites 'nkvd.us' which is present in the CWS site list.

I have tonight downloaded CWShredder.exe but, when I also tried to download the mini-removal tool, I got an error 404 ('Datei nicht gefunden!', i.e. 'File not found!') from the site indicated in your download instructions -

'www.safer-networking.org/files/delcwssk.zip'

I append details of my 'HijackThis' log -
-------------------------------------------------------------------------------------------

Logfile of HijackThis v1.98.0
Scan saved at 2:34:38 AM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Documents and Settings\Owner\Application Data\Mini\minicontrolpanel-w32-x86-12921.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1507/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex....aid=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://kloun.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.webound.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E43DB53-5AA3-45F8-93E1-038025722DC7} - C:\WINDOWS\System32\jen.dll (file missing)
O2 - BHO: MSM32 Class - {1E1B2879-88FF-11D2-8D96-000000000004} - C:\WINDOWS\system\SSocks32.dll (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HVqatH.exe] C:\documents and settings\owner\local settings\temp\HVqatH.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mini] C:\Documents and Settings\Owner\Application Data\Mini\minicontrolpanel-w32-x86-12921.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: Microsoft® JavaScript® Console - {017293DC-8C35-43A8-8B67-8420DC0175C6} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {017293DC-8C35-43A8-8B67-8420DC0175C6} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft® JavaScript® Console - {017293DC-8C35-43A8-8B67-8420DC0175C6} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {017293DC-8C35-43A8-8B67-8420DC0175C6} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://irc.everywher...va/cfs40301.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} - https://www.taxsimpl...rix/federal.CAB
O16 - DPF: {2AB65D8C-517B-4830-BDD9-5530A9D9ECA2} (Tax$imple) - https://www.taxsimple.com/citrix/tax$imple.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...299/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CA09691-BD65-4B43-9A08-F63E6D991C13}: NameServer = 216.90.136.1 216.90.136.2
O18 - Filter: text/html - {149D096B-CE93-4C8D-AB24-2F6368B77190} - C:\WINDOWS\System32\jen.dll
O18 - Filter: text/plain - {149D096B-CE93-4C8D-AB24-2F6368B77190} - C:\WINDOWS\System32\jen.dll
------------------------------------------------------------------------------------
Thanks :D

#2 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 13 July 2004 - 01:29 PM

Hi there,

Please do this first, I have given you another location for CWShredder.

Printing this may help you

As you have a variety of issues, I suggest you proceed as follows:
Download the latest version of CWShredder Here by Merijn Bellekom, the creator of Hijack This. Check for updates!!
Run it, press 'Fix', and allow it to fix all it finds.
Next;

Download Spybot - Search & Destroy Here

After installing, you MUST first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot clean all the items marked in red.

Next;

Now download Ad-Aware Here
After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions. Here

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

When you've done all that, re-run Hijack This, and show me a fresh log.

There may be more to do!

#3 NormanD (Full Member, 34 posts)

Posted 13 July 2004 - 09:10 PM

OK I downloaded the latest version of CWShredder, checked for updates, ran it and it removed -
CWS.Alfasearch
CWS.Yexe
CWS.Smartfinder
CWS.Searchx
CWS.Jsconsole
- and restored 15 IE registry values.

Next I tried to download Spybot but was unable to find the page
('The page cannot be displayed')
- so I tried to get onto the 'www.safer-networking.org' start page, with the same result.

I then tried to update the copy of Spybot which I downloaded on May 7th, but it found no updates and tried to start checking anyway so I terminated it with the Windows Task Manager and removed the program in -
Control Panel -> Add/Remove Programs
- as I didn't want to take the chance that some bug had altered or infected Spybot.

I have assumed absolutely that your instructions must be entered sequentially so I now have to wait until I can successfully download Spybot and check the updates. If there is a mirror site somewhere I can't get at the safer-networking site to find out. If you have or know of an alternative site I would be grateful if you could let me know when you have time.

As an aside when I looked at the sheer number of cases you guys oversee I was amazed you got to me so fast. Thanks for your efforts. I will post as soon as I have meaningful comment.

#4 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 13 July 2004 - 09:49 PM

Hi there,

Yes, there seems to be trouble with that link. Go here, then resume my instructions.

#5 NormanD (Full Member, 34 posts)

Posted 14 July 2004 - 01:19 AM

A number of mini-problems with the sequential list of stuff.

First, managed to download Spybot 1.3 successfully, but when I opened the program there was no menu and NO OPPORTUNITY to press anything, let alone ‘Online’ or update! I allowed it to complete and deleted the 8 tracking cookies it highlighted.

Then to AAW – problems when I tried to download. When I clicked on ‘download’ I got a message from my NAV to the effect that my computer was trying to send private information over the internet. The information was my credit card number and at first it was going to ‘dw.com.com’ then to ‘www.download.com.’ I’ve seen this before and wondered if it was a blasted trojan or virus trying to head off trouble by giving me the message from hell! Naturally I blocked it but could not get past this situation without CNET giving up on me because I couldn’t ‘find the right file.’ Eventually I tried the alternative site ‘MajorGeeks’ and the download worked OK from there. The updates worked fine too.

From that point things went OK and AdAware6 did a good job, deleting 33 references to nasties. New HijackThis.log follows -
-----------------------------------------------------------------------------------------
Logfile of HijackThis v1.98.0
Scan saved at 12:53:03 AM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Application Data\Mini\minicontrolpanel-w32-x86-12921.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Mail_shots\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.webound.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Mail_shots\SD\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mini] C:\Documents and Settings\Owner\Application Data\Mini\minicontrolpanel-w32-x86-12921.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://irc.everywher...va/cfs40301.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} - https://www.taxsimpl...rix/federal.CAB
O16 - DPF: {2AB65D8C-517B-4830-BDD9-5530A9D9ECA2} (Tax$imple) - https://www.taxsimple.com/citrix/tax$imple.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...299/mcfscan.cab
--------------------------------------------------------------------------------------
It certainly looks different - keeping fingers (and legs) crossed. :D

What kind of training do you guys go through to be able to help people like this? It has to be a vocation because you sure as hell can't be doing it for the money!
I'm full of admiration that strangers would put this time and effort into something that has to have a belief and/or a faith as motivation - I'm profoundly grateful too I might add!

#6 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 14 July 2004 - 01:36 AM

Hi there,

NOTE THE OPTIONAL FIXES

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
<<<<These two items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


Restart your computer in Safe Mode. Also make sure you show hidden files. Then delete the following files or folders as indicated below if they still show:

Not all, or any, of these may still show.

c:/spad/start.html<<<<Folder


Reboot, then post a fresh logfile so that I can check to see if it is clean.

#7 NormanD (Full Member, 34 posts)

Posted 14 July 2004 - 12:15 PM

OK, 1 important thing I missed before - I have been using msconfig in a limited startup to avoid a couple of programs I thought were giving me problems, so after I did what you told me with HJT (except I left MSOFFICE toolbar in) I started in TM and couldn't find the directory c:/spad/start.html, but before I went to restart back in normal mode I noticed 2 things -
1) msconfig, I set it to full restart (all drivers etc.) so 2 (possibly 3) extra items are present in the HJT log -

O4 - HKLM\..\Run: [HVqatH.exe] C:\documents and settings\owner\local settings\temp\HVqatH.exe

O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe


- I know the above 2. HVqatH.exe was deleted by me a few weeks ago as I was sure it was creating problems (I had not asked for its installation and it just appeared) and the LEX125SU.exe was uninstalled several weeks ago. I will use HJT to delete these entries.

2) Also in c:/documents and settings/owner/local settings/temp/ was a file 'gcjj.dat' - randomly named '****.dat' files have been popping into the 'temp' directory for a few weeks and I think they were responsible for pop-ups enumerating the spyware on my machine and inviting me to seek a download of a 'spyware catcher' program. I never did respond, but I would delete the active file from the 'processes' box of Windows Task Manager, then delete the file from the directory. This one this morning was created at 1036, i.e. when I signed in to IE. It worries me because all the malware should have been removed from my machine, yet this pesky thing was sitting there. It wasn't present in WTM 'processes' list so maybe the last run of HJT has wiped out whatever created it. I hope so because I don't believe in coincidences.

This time I didn't remove the file but sent it to the recycle bin, where it now resides. Now, here is the full HJT log -
------------------------------------------------------------------------------------------
Logfile of HijackThis v1.98.0
Scan saved at 11:44:36 AM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\devldr32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Application Data\Mini\minicontrolpanel-w32-x86-12921.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Mail_shots\HJT\HijackThis.exe
C:\WINDOWS\System32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.webound.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Mail_shots\SD\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HVqatH.exe] C:\documents and settings\owner\local settings\temp\HVqatH.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mini] C:\Documents and Settings\Owner\Application Data\Mini\minicontrolpanel-w32-x86-12921.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://irc.everywher...va/cfs40301.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} - https://www.taxsimpl...rix/federal.CAB
O16 - DPF: {2AB65D8C-517B-4830-BDD9-5530A9D9ECA2} (Tax$imple) - https://www.taxsimple.com/citrix/tax$imple.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...299/mcfscan.cab
------------------------------------------------------------------------------

Sorry about msconfig and neglecting to inform you.

#8 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 15 July 2004 - 06:51 AM

Hi there,

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';


O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe

O4 - HKLM\..\Run: [HVqatH.exe] C:\documents and settings\owner\local settings\temp\HVqatH.exe

O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe



O4 - Startup: PowerReg SchedulerV2.exe<<<<You have PowerReg Scheduler in your log. This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it...


Restart your computer in Safe Mode. Also make sure you show hidden files. Then delete the following files or folders as indicated below:


C:\WINDOWS\System32\services\wmplayer.exe<<<<File
C:\documents and settings\owner\local settings\temp\HVqatH.exe<<<<File
C:\Program Files\Lexmark X125\LEX125SU.exe<<<<Folder

Do not delete:
C:\Program Files\Windows Media Player\wmplayer.exe
Can you verify that the above still exists? If not, you can use this version (wmplayer.exe):
http://www.spywarein...n/winfiles.html

Then while still in Safe Mode run CWShredder and reboot and post a fresh log

Edited by 12g, 15 July 2004 - 10:12 AM.


#9 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 15 July 2004 - 08:48 AM

12g,
While you're at it ... better check this too!

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe

"[xpsystem]" <--typical CWS entry
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#10 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 15 July 2004 - 06:47 PM

In my previous comments I apologized for not informing you of the state of ‘msconfig’, but I was wrong in blaming myself. It seems my ‘msconfig’ has a little quirk. Before I elaborate I refer you to the first ‘O4’ item in the HJT log (as mentioned by WinHelp2002) –

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe

As you may be aware, ‘wmplayer.exe’ is normally located at -

C:/Program Files/Windows Media Player/

The registry entry ‘C:\WINDOWS\System32\services\wmplayer.exe’ above was a virus, identified by NAV a couple of months ago and which I deleted. In fact I deleted the whole subdirectory. It seemed that for a few days back then I was plagued with duplicate (and infected) copies of ‘wmplayer.exe’ and similarly named items like ‘wmplayer.exe.tmp’ (also a virus and this time in the correct ‘wmplayer.exe’ directory) and ‘wmplayer.exe.1’ (not a virus but ?).

It seems that CWS probably changed the ‘wmplayer’ registry entry to the location shown, which of course does not now exist. The result is that I cannot now use the real ‘wmplayer’ because the registry entry does not tally with its actual location.

Now, to ‘msconfig’. This morning I noticed it in ‘Selective Startup’ mode, although I had yesterday placed it in ‘Normal Startup.’ I experimented this morning, each time checking the ‘wmplayer’ entry (in the ‘Startup’ tab) and ensuring that ‘Normal Startup’ was selected. After exit from ‘msconfig’, no matter whether I selected ‘Restart’ or ‘Exit Without Restart’, the next time I ran ‘msconfig’ it would always come up in ‘Selective Startup’ mode with the ‘wmplayer’ entry on the ‘Startup’ tab unchecked. THEN (and only then, mea culpa) I noticed that there was a duplicate entry in different locations of the ‘startup’ tab (top and bottom entries, both not viewable simultaneously) of ‘msconfig’ for ‘wmplayer’ -

wmplayer HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wmplayer SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

- so maybe that’s why.

The second entry isn’t being picked up by HJT – maybe it’s not designed to pick up stray entries, I don’t know. Even after I ran everything according to 12g’s instructions (plus the extra from WinHelp2002) ‘msconfig’ is still performing the same way, with the (now single) ‘wmplayer’ entry unchecked. HJT is still not picking it up either, although there has to be a mismatch somewhere.

Now the HJT log entry from 200407151111
---------------------------------------------------------------------------
Logfile of HijackThis v1.98.0
Scan saved at 11:11:53 AM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\devldr32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Application Data\Mini\minicontrolpanel-w32-x86-12921.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\Mail_shots\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.webound.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Mail_shots\SD\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mini] C:\Documents and Settings\Owner\Application Data\Mini\minicontrolpanel-w32-x86-12921.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://irc.everywher...va/cfs40301.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} - https://www.taxsimpl...rix/federal.CAB
O16 - DPF: {2AB65D8C-517B-4830-BDD9-5530A9D9ECA2} (Tax$imple) - https://www.taxsimple.com/citrix/tax$imple.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...299/mcfscan.cab

---------------------------------------------------------------------------------
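The [xpsystem] value above is an autostart entry whose target no longer exists, and the HVqatH.exe entry in 12g's list runs from a temp folder. The script below is an added example, not code from this thread or from HijackThis, that parses O4 lines and applies those two checks plus a "well-known binary outside its home folder" check. SAMPLE_LOG is constructed from O4 lines quoted in the thread; PRESENT_FILES and EXPECTED_DIR are constructed stand-ins so it runs offline (on a real machine PRESENT_FILES would be replaced by os.path.exists, and EXPECTED_DIR holds the one fact the thread states, that the real wmplayer.exe lives under Program Files\Windows Media Player).

```python
import re
from dataclasses import dataclass

# Constructed sample: O4 lines quoted in the thread plus a few benign ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [HVqatH.exe] C:\documents and settings\owner\local settings\temp\HVqatH.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: SmartUI.lnk = ?
"""

# Constructed stand-in for the filesystem (lower-cased full paths) so the
# script runs offline. On a real machine use os.path.exists() instead.
PRESENT_FILES = {
    r"c:\program files\common files\symantec shared\ccapp.exe",
    r"c:\program files\common files\real\update_ob\realsched.exe",
    r"c:\program files\messenger\msmsgs.exe",
    r"c:\program files\windows media player\wmplayer.exe",
}

# Where a well-known binary is expected to live (from the thread: the real
# wmplayer.exe is under Program Files\Windows Media Player). Constructed table.
EXPECTED_DIR = {"wmplayer.exe": r"c:\program files\windows media player"}

# Path fragments that mark a temp folder; legitimate autostarts do not run from there.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\")

# Registry-backed entries:  O4 - HKLM\..\Run: [name] command
REG_LINE = re.compile(r"^O4 - (?P<where>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder entries:   O4 - Startup: file.lnk = target   (or just the file name)
FOLDER_LINE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>[^=]+?)(?: = (?P<cmd>.*))?$")


@dataclass
class Finding:
    where: str      # which autostart location the entry came from
    name: str       # value name or shortcut name shown by HJT
    path: str       # executable the entry points at (lower-cased), or "" if unknown
    reasons: list   # why it was flagged


def exe_path(cmd: str) -> str:
    """Extract the executable from a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str, present=PRESENT_FILES):
    """Return a Finding for every O4 line that deserves a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        m = REG_LINE.match(line) or FOLDER_LINE.match(line)
        if not m:
            continue
        where, name, cmd = m.group("where"), m.group("name"), m.group("cmd")
        if cmd is None or cmd.strip() == "?":
            # HJT shows the shortcut/file but not its target: resolve it by hand.
            findings.append(Finding(where, name, "", ["target not resolved by HJT"]))
            continue
        path = exe_path(cmd).lower()
        parent, _, base = path.rpartition("\\")
        reasons = []
        if any(t in path for t in TEMP_MARKERS):
            reasons.append("runs from a temp folder")
        if base in EXPECTED_DIR and parent != EXPECTED_DIR[base]:
            reasons.append(f"{base} outside its expected folder {EXPECTED_DIR[base]}")
        if parent and path not in present:
            # Like the [xpsystem] value after NAV removed the file: the entry
            # lingers but points at nothing, which is still worth cleaning up.
            reasons.append("target file missing (orphaned autostart)")
        if reasons:
            findings.append(Finding(where, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.where:>15}  {f.name:<25} {'; '.join(f.reasons)}")
```

Note that HJT only lists entries that are currently enabled; an entry msconfig has unchecked is parked elsewhere in the registry and will not appear in the log at all, which is the mismatch discussed in the following posts.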

#11 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 16 July 2004 - 12:15 PM

Hi there,

For HJT to pick them up they need to be checked in startup, so go back into msconfig and run a normal startup. Reboot, rerun HJT and post the log here.

#12 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 16 July 2004 - 06:11 PM

The point is, 12g, that 'msconfig' will not start in 'Normal Startup' mode. I can check the 'wmplayer' entry on the 'Startup' tab and ensure that 'msconfig' is in 'Normal startup' mode until I'm blue in the face, but whether, on exit, I select 'Restart' or 'Exit Without Restart', the next time I open 'msconfig' it will be in 'Selective Startup' mode with the 'wmplayer' item unchecked in the 'Startup' tab.
I even had 'msconfig' open with the file in 'Normal Startup' mode applied and ran HJT but it still didn't pick it up. Does 'msconfig' have to have the item checked upon computer startup for HJT to pick it up or what?

#13 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 16 July 2004 - 06:25 PM

Hi there,

Yes, these items do have to be checked for HJT to pick them up. Try going Run > type services.msc and see if you can start them from there; you can right-click over the item to get the menu.

#14 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 16 July 2004 - 11:32 PM

What I was asking is, does 'msconfig' have to be in 'Normal Startup' mode at the time the computer is booted for HJT to get the fix, or can 'msconfig' be in 'Normal Startup' at any other time than computer boot up? So far, if 'msconfig' is in 'Normal Startup' mode other than on boot up, HJT does not include the offending item and 'msconfig' has to be open for 'wmplayer' to be checked. As soon as I close 'msconfig' it changes its value for 'wmplayer'.
The last time I booted up I selected 'Diagnostic Startup' (but that option was not checked - 'Selective Startup' was checked with just 'SYSTEM.INI' and 'Original BOOT.INI' checked) and I changed 'msconfig' in this state - all to no avail. The durned thing still always starts in 'Selective Startup' mode with the 'wmplayer' item unchecked in the 'Startup' box.

I don't understand the 'services.msc' response in connection with this problem. What is it I am looking to change/view please?

#15 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 16 July 2004 - 11:58 PM

Now, to ‘msconfig’.  This morning I noticed it in ‘Selective Startup’ mode, although I had yesterday placed it in ‘Normal Startup.’  I experimented this morning, each time checking the ‘wmplayer’ entry (in the ‘Startup’ tab) and ensuring that ‘Normal Startup’ was selected.  After exit from ‘msconfig’, no matter whether I selected ‘Restart’ or ‘Exit Without Restart’, the next time I ran ‘msconfig’ it would always come up in ‘Selective Startup’ mode with the ‘wmplayer’ entry on the ‘Startup’ tab unchecked.  THEN (and only then, mea culpa) I noticed that there was a duplicate entry in different locations of the ‘startup’ tab (top and bottom entries, both not viewable simultaneously) of ‘msconfig’ for ‘wmplayer’ -

wmplayer HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wmplayer SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

- so maybe that’s why. 

The second entry isn’t being picked up by HJT – maybe it’s not designed to pick up stray entries, I don’t know.  Even after I ran everything according to 12g’s instructions (plus the extra from WinHelp2002) ‘msconfig’ is still performing the same way, with the (now single) ‘wmplayer’ entry unchecked.  HJT is still not picking it up either, although there has to be a mismatch somewhere.

Hi there,

You are saying that in the startup tab in msconfig there are 2 copies of ‘wmplayer’. For these items to show on the HJT log you must be in "normal startup". You are telling me that this is not possible. The other way to try to change that is to go into "services"; this is reached by going RUN>>SERVICES.MSC. Then you may be able to start those 2 instances of "wmplayer" running there by right-clicking over each of them and selecting start. I do not know why "msconfig" is changing from "normal" to "selective". Those instances of "wmplayer" must be fixed.

#16 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 17 July 2004 - 07:08 AM

There were 2 instances of 'wmplayer' but there is now one -

Even after I ran everything according to 12g’s instructions (plus the extra from WinHelp2002) ‘msconfig’ is still performing the same way, with the (now single) ‘wmplayer’ entry unchecked.


- the 1st one was showing in HJT and I deleted it using HJT. The 2nd instance (now the only one) still shows and is the one that, for some reason, will not stay checked in 'msconfig'. It doesn't matter what I do, 'msconfig' is always coming up in 'Selective Startup' mode with 'wmplayer' unchecked in the 'Startup' tab.

To 'Services.msc' - I've started the program but cannot see any mention of 'wmplayer' or 'Media Player' or the like. I've been through every service listed and cannot see anything relevant. Have you a specific entry you could list please? I'm probably missing something obvious but I don't know exactly what I'm supposed to be looking for.

Is it not possible, if this situation continues, that I go into the Registry and simply delete the 'wmplayer' item manually? (That is if I knew where to look!) If an item is unchecked in 'msconfig' doesn't that place a copy of the entry somewhere else within the registry as 'not starting'? Maybe the registry is screwed on this one item.

If the registry isn't screwed it's almost like something's lurking in the background changing 'msconfig's values so HJT won't pick up the offending item (even though there is no sub-directory or file to correlate with the entry). Maybe something got at 'msconfig'! Maybe I'm paranoid :D.

#17 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 17 July 2004 - 07:48 AM

12g, I've just gone back over the entire log and I didn't previously see your amendment to your 200407150651 item. I read your original entry after WinHelp2002's entry at 0848 but before your 1012 edit, printed it off then acted on it (the original) later that day, so I have not carried out a 'Safe Mode', 'CWShredder' run. I will do that now and come back later to post the results.

#18 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 17 July 2004 - 09:04 AM

Ok NormanD :D

Edited by 12g, 17 July 2004 - 09:05 AM.


#19 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 17 July 2004 - 10:31 AM

This gets curiouser. Went into 'Safe Mode' and ran 'CWShredder'.
First I ran it in 'Scan only' mode and got the following results -

-----------------------------------------------------------
Found Hosts file: C:\WINDOWS\System32\drivers\etc\hosts (171655 bytes, RAHS)
CWS.Msconfig Registry value: HKLM\..\Run [msconfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
Shell Registry value: HKLM\..\Winlogon [Shell] Explorer.exe
Userinit Registry value: HKLM\..\Winlogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (221 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (0 bytes, A)
-----------------------------------------------------------
Then I ran it in 'Fix' mode and it said the system was perfectly clean!

CWS.Msconfig and the system is perfectly clean?

C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe has a last modified date of 8/29/2002 0541, the same as 'helpsvc.exe' and 'hscupd.exe' in the same sub-directory.

What do you make of that?
Do I need to replace 'msconfig'? I'm beginning to think so but you may have a better explanation.

I haven't bothered with a HJT log yet. I'll submit this and come back with a log when I reopen the browser.

#20 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 17 July 2004 - 10:36 AM

Hi there,

Let's try this: go RUN>>type "system.ini" without the quotes, then cut and paste me the contents here.

#21 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 17 July 2004 - 10:56 AM

system.ini is like the King's clothes - nothing there.
Absolutely blank. Same as the SYSTEM.INI page in 'msconfig'.

#22 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 17 July 2004 - 01:00 PM

Hi there,

Copy and paste this below, in its entirety, into the notepad you access through system.ini, then reboot and check msconfig.



; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=app850.FON
EGA80WOA.FON=EGA80850.FON
EGA40WOA.FON=EGA40850.FON
CGA80WOA.FON=CGA80850.FON
CGA40WOA.FON=CGA40850.FON

#23 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 17 July 2004 - 02:45 PM

I installed the lines in their entirety into system.ini via notepad, saved.
No difference I'm sorry to say.
Msconfig still coming up in 'Selective Startup' mode with 'wmplayer' unchecked in the 'Startup' tab.

I'm still curious about that 'scan only' run of 'CWShredder' which showed 'msconfig' as 'CWS.msconfig'. Is that of any significance?

#24 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 17 July 2004 - 04:23 PM

Ok now we may get somewhere,

Go here and download the msconfig file, following the instructions; the install instructions are on that page.

#25 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 17 July 2004 - 08:15 PM

What a tale to tell.
1) I downloaded 'msconfig' in the zip file and extracted it to C:\WINDOWS\dllcache as per the instructions. It overwrote the old file. Then I copied it to -
C:\WINDOWS\PCHealth\HelpCtr\Binaries - also as per the instructions. The date on the new file is 20040319.

2) I ran 'msconfig' and it still had the same problem as before. I looked in the 'dllcache' and 'binaries' drives, to find that the date on the files had been replaced by 20020829, the date on the old file as quoted before in this log.

3) I decided to delete the old files before copying the new one in. I deleted the files from both locations preparatory to re-copying. As I sat there watching, 'msconfig.exe' miraculously reappeared, date 20020829 (both locations).

4) I deleted the files again and watched the 'binaries' directory. Lo and behold the file reappeared unprompted, with a date of 20020829.

Is this thing clever or what? You might hate it but you have to admire the adaptability of the bloody thing.

I mentioned before in the log that there were two other files with the same date as the (obviously) corrupt 'msconfig'. Something is obviously reinstating the file and I wonder whether these other 2 (actually 3) files with the same date stamp are the miscreants.

Could you tell me what the function of 'pchsvc.dll', 'helpsvc.exe' and 'hscupd.exe' are please?
If they're not kosher files they may have something to do with this whole scam.

The thing is able to adapt to the date as well. Now the 'msconfig' in both locations has the date '20040319' and the same behaviors are showing. I also noticed another file, 'helpctr.exe' with a date of 20040329. On a whim I deleted it and it came back with a date of 20020829.

This is so pervasive and invasive I don't know what to try next. I'm sure you're familiar with the feeling.

Importantly, does this mean we have a new variant problem-child with which nothing yet devised can deal?

Shall I try and get zipped copies of these things to you?

Over to you 12g!!!!!!!!

I may yet have to re-format!

#26 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 17 July 2004 - 08:45 PM

What a tale to tell.
1) I downloaded 'msconfig' in the zip file and extracted it to C:\WINDOWS\dllcache as per the instructions. It overwrote the old file. Then I copied it to -
C:\WINDOWS\PCHealth\HelpCtr\Binaries - also as per the instructions. The date on the new file is 20040319.

2) I ran 'msconfig' and it still had the same problem as before. I looked in the 'dllcache' and 'binaries' drives, to find that the date on the files had been replaced by 20020829, the date on the old file as quoted before in this log.

3) I decided to delete the old files before copying the new one in. I deleted the files from both locations preparatory to re-copying. As I sat there watching, 'msconfig.exe' miraculously reappeared, date 20020829 (both locations).

4) I deleted the files again and watched the 'binaries' directory. Lo and behold the file reappeared unprompted, with a date of 20020829.

Is this thing clever or what? You might hate it but you have to admire the adaptability of the bloody thing.

I mentioned before in the log that there were two other files with the same date as the (obviously) corrupt 'msconfig'. Something is obviously reinstating the file and I wonder whether these other 2 (actually 3) files with the same date stamp are the miscreants.

Could you tell me what the function of 'pchsvc.dll', 'helpsvc.exe' and 'hscupd.exe' are please?
If they're not kosher files they may have something to do with this whole scam.

The thing is able to adapt to the date as well. Now the 'msconfig' in both locations has the date '20040319' and the same behaviors are showing. I also noticed another file, 'helpctr.exe' with a date of 20040329. On a whim I deleted it and it came back with a date of 20020829.

This is so pervasive and invasive I don't know what to try next. I'm sure you're familiar with the feeling.

Importantly, does this mean we have a new variant problem-child with which nothing yet devised can deal?

Shall I try and get zipped copies of these things to you?

Over to you 12g!!!!!!!!

I may yet have to re-format!

Hi there,

This is a situation where I am going to ask an expert to have a look at what you have here.

#27 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 18 July 2004 - 12:11 AM

What a tale to tell.
1) I downloaded 'msconfig' in the zip file and extracted it to C:\WINDOWS\dllcache as per the instructions.  It overwrote the old file.  Then I copied it to -
C:\WINDOWS\PCHealth\HelpCtr\Binaries - also as per the instructions.  The date on the new file is 20040319.

Hi there,

I would have copied the file to here, as per your version,
C:\WINDOWS\ServicePackFiles\i386

not to here,
C:\WINDOWS\PCHealth\HelpCtr\Binaries

#28 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 18 July 2004 - 04:04 PM

12g,
I note your point but it clearly says the 'binaries' directory in the 'merijn' instructions, to which you referred me.

Windows XP:
Download the copy for your Windows version and unzip it first into the folder C:\WINDOWS\System32\dllcache (overwriting any existing copy), then into the folder it needs to go for your Windows version.


msconfig.exe 
Located in:
Windows 95: N/A
Windows 98/98SE/ME: C:\WINDOWS\System
Windows NT4/2000: N/A
Windows XP: C:\WINDOWS\PCHealth\HelpCtr\Binaries



Another point, this morning I started up in Safe Mode and tried to do the deleting/copying and even there the deleted files were swiftly recreated so this thing appears to have hijacked 'Safe Mode' too.

As a little background info, I have an HP Pavilion 7905 which was bought in 10/01.
Last year I was having so much trouble with trojans, etc., that I decided to institute 'Destructive System Restore', which effectively reformats the hard drive and reloads the original system and software programs.
Unfortunately, with this model, there were no CDs with the computer. All the software is loaded into a supposedly protected portion of the hard drive and then reloaded upon System Restore. This was done 20030928 and (having learned my lesson, etc.) quickly loaded with NAV2003 and all the MS updates and fixes.
I remember remarking to someone after I had loaded the original files (before the backups were reloaded and before anything was updated) that I had seen some files with a date later than 2001, which didn't seem right as the computer was bought in 2001. However I thought not too much about it, but within a month I had viruses and trojans on the computer again, despite being fully up-to-date with the 'protection'. Knowing then what I know now I would not have been so complacent in the first place, but it seemed strange even so.

I'm wondering whether this 'secure' portion of the hard disk is as secure as it should be. If your experts can help me get shut of this entity all well and good, but if not I may try the 'Destructive System Restore' again to see what is loaded and this time I'll be ready if anything untoward loads. I'd certainly check all the file dates.

Edited by NormanD, 18 July 2004 - 04:20 PM.


#29 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 18 July 2004 - 04:48 PM

Hi there,

Congratulations on becoming a "helper trainee". As you have access to the "bootcamp" you will see I have posted here asking for input into this problem.

However, try this:

Start/Run/Regedit

For items that were in the Start menu, Programs, Startup folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder. You'll find a subkey for each disabled item.

For items loaded from the Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg. You'll find a subkey for each disabled item.

Also,

If you have no success with that,

Try this here, if you have not already.

Edited by 12g, 18 July 2004 - 04:50 PM.


#30 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 19 July 2004 - 11:14 PM

12g I'm extremely grateful for your time and effort in this case. Thank you for your good advice and suggestions over the last few days.

I don't know what to do next so I'm waiting for an expert to make an appearance (or at least a post! :D ).

My own case has shown me what a difficult path I must follow to be a Helper. I hope I can attain the objectivity and professionalism necessary to be of use.

The registry entry for the 'wmplayer' is in –

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Msconfig\startupreg\Run

- not in the ‘Startupfolder’ sub-directory.

Please note that the ‘msconfig’ I have on my system WILL NOT allow me to enter ‘Diagnostic Startup’ and will not allow ‘Normal Startup’.

#31 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 20 July 2004 - 04:13 AM

12g I'm extremely grateful for your time and effort in this case. Thank you for your good advice and suggestions over the last few days.

I don't know what to do next so I'm waiting for an expert to make an appearance (or at least a post! :D ).

My own case has shown me what a difficult path I must follow to be a Helper. I hope I can attain the objectivity and professionalism necessary to be of use.

The registry entry for the 'wmplayer' is in –

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Msconfig\startupreg\Run

- not in the ‘Startupfolder’ sub-directory.

Please note that the ‘msconfig’ I have on my system WILL NOT allow me to enter ‘Diagnostic Startup’ and will not allow ‘Normal Startup’.

Hi there,

You should delete that entry,

The registry entry for the 'wmplayer' is in –

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Msconfig\startupreg\Run



#32 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 20 July 2004 - 05:54 AM

Hey guys,
A couple of observations here ...

Norman: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe has a last modified date of 8/29/2002 0541, the same as 'helpsvc.exe' and 'hscupd.exe' in the same sub-directory.

That sounds to me like the valid version.

The reason the deleted file returns is most likely SFP (system file protection).

Use the System File Checker tool to scan all of the protected files on your computer:
Click Start, and then click Run.
In the Open box, type sfc /scannow, and then click OK.
http://support.micro...om/?kbid=318378

What version of wmplayer are you using? (8.0, or 9.0)

Norman: The registry entry ‘C:\WINDOWS\System32\services\wmplayer.exe’ above was a virus, identified by NAV a couple of months ago and which I deleted. In fact I deleted the whole subdirectory.

That concerns me a little ...
Try renaming wmplayer.exe (wmplayer.old), then install v9.0 (9.0.0.2980) from here.

You may still have some Registry entries that are corrupt or missing or?
Download: RegSeeker 1.35. Take your time doing this and on the first scan just look for the "Msconfig" and "Wmplayer" entries that may be incorrect\corrupt, etc.

Norman,
1) Are you the only user on this machine? Is there more than one "profile"?
2) Do you have full "Administrator" rights?
3) Have you scanned (SpyBot, Ad-Aware) the machine as the Administrator?
Mike

#33 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 20 July 2004 - 09:58 AM

First WinHelp2002, answers to your 3 questions -

1) There is only 1 user on this machine 'Owner'. 'Guest' is not activated.
2) 'Owner' is defined as 'Computer Administrator' in Control Panel > User Groups.
When in 'Safe Mode' I have used 'Administrator'.
3) I have scanned the machine as 'Owner (Computer Administrator)'.

-----------------------------------------------------------------------------------------
Windows Media Player

I have version 8.0.0.4490, created 20031008 and modified 20040703 (not sure how modified!). I downloaded v9 together with other MS updates, only to revert to a previous version because I began having problems with WORD97.

I must make it clear that 'wmplayer.exe' resides where it should do, in

C:\Program Files\Windows Media Player

The virus entry wasn't at the standard location but at -

C:\WINDOWS\System32\services\wmplayer.exe

The '\services\' sub-directory was deleted after NAV identified that copy of 'wmplayer' as a virus.

When I started this on 20040713 there were 2 entries in 'msconfig' 'startup' tab for 'wmplayer' -

wmplayer HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wmplayer SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


- a run of HJT identified and deleted the first entry. The second entry still exists and is the one which 'msconfig' refuses to keep checked in the 'startup' tab.

I found a 'wmplayer' entry in 'regedit' at this location -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Msconfig\startupreg\Run
with command 'C:\WINDOWS\System32\services\wmplayer.exe'
and key 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

- and I have not yet deleted it. I still cannot play 'wmplayer' no doubt due to the 'registry/actual file location' mismatch.

Question
Do I still sequentially
1) delete the registry entry for 'wmplayer'
2) rename 'wmplayer.exe' to 'wmplayer.old'
3) download v9.0 (or a fresh v8) ?
---------------------------------------------------------------------------------------
msconfig

Concerning this remember I downloaded a new version of 'msconfig' (dated 20040319) and replaced the file in -

C:\WINDOWS\System32\dllcache

- and then copied it to -

C:\WINDOWS\PCHealth\HelpCtr\Binaries

- and both entries were overwritten almost immediately by the one dated 20020829. You know far more than I but I have to question whether that was 'normal' SFP. My first effort replaced the old file in the correct locations so there was no reason for SFP to be activated on what you have told me so far, unless Windows tries to correct updates as a normal occurrence in certain circumstances.
----------------------------------------------------------------------------------------
sfc /scannow

I ran this and it asked me to insert the original installation CD, which of course I cannot do because of this ridiculous HP system of having all installation files on a protected portion of the hard-drive. Not only that but my original files would be dated 20010818 or thereabouts because I bought it in October 2001.
Some system files have been overwritten, principally by those dated 20020829. That date may have been on a legitimate patch or update from microsoft or may have been the date I was hijacked the first time.
----------------------------------------------------------------------------------------
I have still to download RegSeeker but this posting has been open too long now so I'll post what I have already and come back after using RegSeeker.

Edited by NormanD, 20 July 2004 - 10:04 AM.


#34 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 20 July 2004 - 11:10 AM

Norman,

I began having problems with WORD97

You shouldn't as Media Player doesn't really have anything to do with Word97 <--rather outdated don't you think?

with command 'C:\WINDOWS\System32\services\wmplayer.exe'
- and I have not yet deleted it.

Do that, then close Regedit then open it again. Click Edit (up top) select: Find and enter:

C:\WINDOWS\System32\services\wmplayer.exe

Click Find Now and let it search the Registry, either delete or edit any instances found depending on the entry found. Press "F3" to continue until you see the "completed" message.

Do the same for: C:\WINDOWS\System32\services
Since that is now a dead folder, nothing should show up ...

Then see if RegSeeker finds anything else ...
Mike
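The problem being chased in this thread is a startup (Run) value whose target file no longer exists, which is what makes msconfig drop the entry and leaves a stale path for the Registry search above to find. The script below is an added example, not HijackThis, RegSeeker or the poster's own procedure: it parses HijackThis "O4" lines and reports every Run entry whose executable is missing. The O4 lines and the file-existence lookup are constructed stand-ins so it runs offline; on a real machine you would pass `os.path.exists` instead.

```python
import re

# Constructed sample O4 lines modelled on the thread's logs; the [wmplayer]
# entry stands in for the one pointing at the deleted services\ folder.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [wmplayer] C:\WINDOWS\System32\services\wmplayer.exe',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
]

# Constructed set of files "present" on the machine; replaces os.path.exists here.
PRESENT = {
    r'C:\Program Files\Common Files\Symantec Shared\ccApp.exe',
    r'C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe',
    r'C:\Program Files\Messenger\msmsgs.exe',
}

# O4 line: key, value name in [], then the command line as written in the Registry.
O4_RE = re.compile(r'^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Drive-letter path up to the first .exe/.com, optionally quoted; unquoted paths
# with spaces (common on XP) are handled because the match stops at the extension.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|com))"?(?:\s|$)', re.IGNORECASE)


def extract_path(cmd):
    """Return the full executable path from a Run command line, or None if the
    command names a bare program (e.g. RUNDLL32.EXE) resolved via PATH."""
    m = PATH_RE.match(cmd)
    return m.group('path') if m else None


def dangling_entries(lines, exists):
    """Return (key, name, path) for every O4 Run entry whose target is missing."""
    found = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = extract_path(m.group('cmd'))
        if path is None:  # no absolute path to check; flag for manual review instead
            continue
        if not exists(path):
            found.append((m.group('key'), m.group('name'), path))
    return found


if __name__ == '__main__':
    for key, name, path in dangling_entries(SAMPLE_O4_LINES, lambda p: p in PRESENT):
        print(f'dangling: {key} [{name}] -> {path}')
```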

#35 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 20 July 2004 - 12:41 PM

I downloaded v9 together with other MS updates, only to revert to a previous version because I began having problems with WORD97


I didn't say it was wmplayer v9 causing the problem, just that I downloaded several fixes AND wmp v9 and began having problems with WORD97 immediately after installation. Therefore I used System Restore to go back. Theoretically there's nothing to stop me loading v9 I suppose.

Yes, Office 97 is now considered 'legacy' but it's certainly not outdated for our home use. Frankly I couldn't afford the upgrade a few years ago.
---------------------------------------------------------------------------------------
Regedit

I deleted the registry reference to 'wmplayer' and searched for anything to do with (1) the path/file and (2) the path - there were none.

Before I deleted as above, 'RegSeeker' listed 641 references to 'wmplayer' and afterwards listed 373. I need to get to know the items to check before I make another run. A few entries are present saying that -

C:\Program Files\Windows Media Player\wmplayer.exe
or
C:\PROGRA~1WINDOW~3\wmplayer.exe

- File or Path does not exist, when actually it does (but not, of course, through the registry).
------------------------------------------------------------------------------------------

'msconfig' now starts in 'Normal' mode.

#36 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 20 July 2004 - 01:05 PM

CWShredder scan only results
--------------------------------------------------------------------------------

CWShredder v1.59.1 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.or.../hijackthis.zip
http://www.spywarein.../hijackthis.zip

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\System32
AppData folder: C:\Documents and Settings\Owner\Application Data
Username: Owner

Found Hosts file: C:\WINDOWS\System32\drivers\etc\hosts (171655 bytes, RAHS)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (221 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (228 bytes, A)

- END OF REPORT -
---------------------------------------------------------------------------------------

Maybe the 2nd/3rd replacement of 'msconfig' worked - maybe it was just my paranoia. The only thing I don't understand is the date changes on 'msconfig' when I copied the new files over. Certainly getting rid of the registry entry for 'wmplayer' seems to have fixed things.
Ah well, it goes to show I have much to learn. That's why 12g is a fully-fledged 'Helper', WinHelp2002 is a 'Forum Deity' and I'm just a 'grunt'. :D
I apologize if I've wasted time by overreacting.

HJT log
------------------------------------------------------------------------------------------
Logfile of HijackThis v1.98.0
Scan saved at 12:47:43 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Application Data\Mini\minicontrolpanel-w32-x86-12921.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Mail_shots\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webound.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.webound.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Mail_shots\SD\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mini] C:\Documents and Settings\Owner\Application Data\Mini\minicontrolpanel-w32-x86-12921.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://irc.everywher...va/cfs40301.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} - https://www.taxsimpl...rix/federal.CAB
O16 - DPF: {2AB65D8C-517B-4830-BDD9-5530A9D9ECA2} (Tax$imple) - https://www.taxsimple.com/citrix/tax$imple.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...299/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CA09691-BD65-4B43-9A08-F63E6D991C13}: NameServer = 216.90.136.1 216.90.136.2

Edited by NormanD, 20 July 2004 - 01:12 PM.


#37 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 20 July 2004 - 02:46 PM

Norman,
Your log looks clean to me ... but I'll let 12g give his final approval since this is his post.

Last Step:

1) Empty the Recycle Bin
2) "Flush System Restore" (see "How To" below)
Basically turn off System Restore, reboot, run a full (updated) NAV scan, reboot and turn System Restore back on and create a new Restore Point.

How To: Configure Norton AntiVirus to scan all files

I would suggest adding some "Defense" to your system ...
How To: Prevent this from happening again? :wave:
Mike

#38 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 21 July 2004 - 05:26 AM

Hi there,

First my thanks go to WinHelp2002 for the expert intervention on this thread!!

Second, as WinHelp2002 has said your log is clean. Please follow the advice given and please do take steps to protect your system from further abuse :wave:

#39 NormanD

NormanD

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 22 July 2004 - 11:21 AM

Thank you for your invaluable assistance with my problems.
I hope to become as useful.

#40 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 22 July 2004 - 11:30 AM

You are very welcome, study study study :wave:
