

I think I am dying over here....HELP


#1 twocent




Posted 29 July 2004 - 09:49 AM

I apologize in advance for flooding the board, but I am in desperate need of some kind of assistance. Please, please, please, please help me, I have run out of ideas. I have now tried AVG, Spy Sweeper, HJT, CWShredder, Trend Micro, Adaware 6 (new version), my own tips, System Restore (didn't work) and one other trojan finder. All of which (except for HJT, Trend Micro, the jury is still out on them) have not worked for me because I think I am in deep sea with no air left. I need someone who knows what they are doing because obviously I am only making it worse.

I'm getting pop-ups, internet shuts down once I click on certain links, pop-ups, cannot delete certain programs, and did I mention all the pop-ups from 680180.net and WeatherBug, win a free iPod, free home renovation, search pages, etc. Help please.

Here is my HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 10:51:11 AM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Microsoft Works\WkDetect.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {119FE4F4-2E6D-47CD-82B7-944B06958029} - C:\WINDOWS\System32\cmrrb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [jwpoqquxamxig] C:\WINDOWS\System32\ydiugsfn.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mps: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8176.5903240741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 mmxx66



Posted 29 July 2004 - 12:01 PM

Print out these instructions so you can read them while you clean your system.

Now close all open windows AND browsers and check these items for HJT to fix:
O2 - BHO: (no name) - {119FE4F4-2E6D-47CD-82B7-944B06958029} - C:\WINDOWS\System32\cmrrb.dll
O4 - HKLM\..\Run: [jwpoqquxamxig] C:\WINDOWS\System32\ydiugsfn.exe

Please reboot into safe mode - How do I boot into "Safe" mode?

Delete these files:


You may need to show hidden files to delete them. How to show all hidden and system files

navigate to this file:


Right click it and choose Properties. If the Read Only attribute is checked, uncheck it, then post back all of the information you can about it. Date created, size, company, etc. Close properties then right click the file again and choose Rename. Change the name to cvss.old.

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your system restore

1. Right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4. Click Apply.
5. This will delete all existing restore points. Click Yes to do this.
6. Click OK.

Reboot into normal mode, enable System Restore, and post a fresh log in this thread for further recommendations.
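
One way to check a fresh HijackThis log against the two items selected for fixing in post #2, as an added example that is not part of the original thread. The `BEFORE` lines are quoted from the log in post #1; the `AFTER` log, the placeholder Run entry and the function names are constructed for illustration.

```python
import re

# HijackThis entry lines begin with a section code (R0, O2, O4, O16, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section_code, body) entries in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Collapse runs of whitespace so copy/paste differences do not matter.
            entries.add((m.group(1), " ".join(m.group(2).split())))
    return entries

def check_fix(before_log, after_log, fix_lines):
    """Compare a fresh log with the original and the entries chosen for fixing."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    targets = parse_entries("\n".join(fix_lines))
    return {
        "not_in_original": sorted(targets - before),  # mistyped or wrong log
        "still_present": sorted(targets & after),     # entry came back
        "removed": sorted((targets & before) - after),
        "new_entries": sorted(after - before),        # appeared after cleanup
    }

# Entries quoted from the log in post #1.
BEFORE = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
O2 - BHO: (no name) - {119FE4F4-2E6D-47CD-82B7-944B06958029} - C:\WINDOWS\System32\cmrrb.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [jwpoqquxamxig] C:\WINDOWS\System32\ydiugsfn.exe
"""
# Constructed follow-up log (not from the thread): the BHO is gone, the Run
# entry survived, and a placeholder Run entry has appeared.
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [jwpoqquxamxig] C:\WINDOWS\System32\ydiugsfn.exe
O4 - HKLM\..\Run: [EXAMPLE-PLACEHOLDER] C:\WINDOWS\System32\example-placeholder.exe
"""
FIX = [
    r"O2 - BHO: (no name) - {119FE4F4-2E6D-47CD-82B7-944B06958029} - C:\WINDOWS\System32\cmrrb.dll",
    r"O4 - HKLM\..\Run: [jwpoqquxamxig] C:\WINDOWS\System32\ydiugsfn.exe",
]

if __name__ == "__main__":
    for key, items in check_fix(BEFORE, AFTER, FIX).items():
        print(key, items)
```

An entry under `still_present` or `new_entries` means something recreated the registry value after the fix, which is why the fresh log is requested only after the safe-mode cleanup and reboot.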

#3 twocent




Posted 29 July 2004 - 03:29 PM

OK, thank you for the instructions, I'm trying it now so I will be back in a while. Also, I could not find the cvss.exe file at all; instead I found some files that look suspect to me, like about 10 that had 4-digit names with nothing in them, like 4539 and so on. While I'm here, is there a way for me to get a program that could scan my computer to remove unneeded files, remnants of old programs, leftover files, and things that are not harmful to my computer but don't need to be there?

#4 mmxx66



Posted 29 July 2004 - 03:43 PM

Norton Systemworks has a component called NortonCleanSweep that is very useful for that ;)

#5 twocent




Posted 29 July 2004 - 05:13 PM

OK, when I tried to do what you told me, I couldn't log into my profile, which is the only administrator-privileged profile on the computer. Plus I am suspicious of some of these files I am finding, like c_500 C_737 C_850 C_852 C_855 and so on (about 30 of those, classified as NLS files).

And I found a file called perfstringbackup which looks suspect to me as well.
There are more files and I'm not sure what step to take next.

#6 mmxx66



Posted 29 July 2004 - 05:50 PM

Can you fix the items in HijackThis?
What can't you do, reboot in safe mode?
