Windows Error service and more


12 replies to this topic

#1 colin_m_elliott (Full Member, 9 posts)
Posted 08 June 2004 - 01:52 AM

Hi, I am living in Japan and have a friend here whose computer was almost unusable because of viruses, spyware, etc. I ran Ad-Aware and Search & Destroy many times and found and fixed almost 200 problems! I also cleaned about 80 viruses out. The computer is starting to work properly, but there are still a few problems. As this is a Japanese computer there are a few funny things: no apostrophe that I can find, and in the log, instead of the backslash for use in directories, it uses the yen symbol, etc. Here is the HijackThis log; thanks for your help! Oooh, now that I have pasted it here, the backslash is back!!

Logfile of HijackThis v1.97.7
Scan saved at 15:43:37, on 2004/06/08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\winampa.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\system32\inetsrv\services.exe
C:\WINDOWS\System32\wupdate.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\uemuratakuya\デスクトップ\HijackThis.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NetLink] netlink32.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [Windows Login] winlog.exe
O4 - HKLM\..\Run: [WinDNS] windns32.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKLM\..\Run: [Nt System Kernel] ntsyskrnl.exe
O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\Run: [ccStart] ccStart.exe
O4 - HKLM\..\Run: [winampa] winampa.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [wupdate] wupdate.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [lsass] c:\program files\my app\lsass.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [NetLink] netlink32.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - HKLM\..\RunServices: [Windows Login] winlog.exe
O4 - HKLM\..\RunServices: [WinDNS] windns32.exe
O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe
O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\RunServices: [ccStart] ccStart.exe
O4 - HKLM\..\RunServices: [winampa] winampa.exe
O4 - HKLM\..\RunServices: [wupdate] wupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.....chm::/load.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38132.188599537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D44B52B9-7D35-4278-ABAE-037A084A0CE5}: NameServer = 192.168.11.254

#2 WinHelp2002 (Global Moderator, 5,365 posts)
Posted 08 June 2004 - 06:34 AM

Hi,
Wow! ... what a mess!
Note: print this out, as it's going to be rather long ... and you don't want to miss any steps if you want to save the machine. Your best shot is to whack this all at once.

sysconf.exe = WORM_AGOBOT.HW
winlog.exe = W32/Agobot-LF
windns32.exe = WORM_AGOBOT.WN
ntsyskrnl.exe = WORM_AGOBOT.IK
smssv.exe = W32/Agobot-ZY
ccStart.exe = WORM_AGOBOT.PG
wupdate.exe = WORM_SPYBOT.GEN
netlink32.exe = WORM_AGOBOT.JW

Take a few minutes and read all the above; as you can see, most if not all are caused by not patching the machine and not running a firewall. So the first step is to turn on the XP firewall.
http://www.microsoft...ct/firewall.asp

Most of the above worms disable your AV via a HOSTS file, so delete that.

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button.

Next download the HOSTS file (see below)

Navigate to: C:\WINDOWS\SYSTEM32\DRIVERS\ETC (folder)
Right-click on "HOSTS" and select: Delete (note: there is no 3-letter extension)
Unzip the hosts.zip and place in the above folder.

Next: Start | Run (type) Services.msc

Scroll down to the WinTools for IE service
Highlight, right-click and select: Properties
Select "Service Status" option to "Stop"
Select: "Startup type" set it to "Disabled", click Apply, OK
Close the Services Editor.

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked":

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O4 - HKLM\..\Run: [NetLink] netlink32.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [Windows Login] winlog.exe
O4 - HKLM\..\Run: [WinDNS] windns32.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKLM\..\Run: [Nt System Kernel] ntsyskrnl.exe
O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\Run: [ccStart] ccStart.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [wupdate] wupdate.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [lsass] c:\program files\my app\lsass.exe
O4 - HKLM\..\RunServices: [NetLink] netlink32.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - HKLM\..\RunServices: [Windows Login] winlog.exe
O4 - HKLM\..\RunServices: [WinDNS] windns32.exe
O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe
O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\RunServices: [ccStart] ccStart.exe
O4 - HKLM\..\RunServices: [wupdate] wupdate.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.....chm::/load.exe


Then reboot; on restart, restart in Safe Mode (see "How To" below).

Open Windows Explorer locate and delete the following:

C:\Program Files\TV Media <--this folder
C:\Program Files\Common files\WinTools <--this folder
C:\WINDOWS\system32\inetsrv\services.exe <--this file
C:\WINDOWS\System32\wupdate.exe <--this file
netlink32.exe <--this file
sysconf.exe <--this file
winlog.exe <--this file
windns32.exe <--this file
C:\WINDOWS\system32\drivers\csrss.exe <--this file
C:\WINDOWS\system32\wbem\svchost.exe <--this file
Note: do not delete > C:\WINDOWS\system32\svchost.exe
ntsyskrnl.exe <--this file
smssv.exe <--this file
ccStart.exe <--this file
wupdate.exe <--this file
c:\program files\my app\lsass.exe <--this file
Note: do not delete > C:\WINDOWS\system32\lsass.exe

Restart normally and see if you can get AVG to run.

Then visit Windows Update and install all the Critical Updates.

Reboot, run Ad-Aware and SpyBot, reboot and post a fresh log ...

That ought to keep you busy for a while!
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
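The entries Mike picks out of the O4 section above fall into two patterns a reviewer can check mechanically: autorun values that name a bare file with no path (sysconf.exe, winlog.exe, windns32.exe, ...) and files that borrow the name of a core Windows process but sit in the wrong directory (csrss.exe under drivers\, svchost.exe under wbem\, services.exe under inetsrv\, lsass.exe under "my app"). The script below is an added example for this thread, not part of HijackThis or of the original post; the triage rules (bare file name, system-binary lookalike outside system32, and any use of the Windows 9x RunServices key) are the editor's own heuristics, and a flag is a prompt to check the file, not a verdict. It does not catch adware with a proper path of its own, such as the TV Media entry. The sample lines are copied from the first log in this thread.

```python
import ntpath
import re

# Core Windows XP processes whose names malware borrows. The genuine copies
# all live in %SystemRoot%\system32; a same-named file anywhere else is a
# lookalike (csrss.exe under drivers\, svchost.exe under wbem\ in the log).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
SYSTEM_DIR = r"c:\windows\system32"

# HijackThis O4 registry autorun entries, e.g.
#   O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def image_path(cmd):
    r"""Pull the executable path out of an autorun command line.

    Covers the three shapes seen in the log: a quoted path followed by
    switches, an unquoted path containing spaces followed by switches
    (C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil ...), and a bare file name.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]


def triage_o4(line):
    """Return the reasons one O4 line deserves a look; an empty list means none."""
    m = O4_RE.match(line)
    if not m:
        return []
    directory, base = ntpath.split(image_path(m.group("cmd")))
    base = base.lower()
    reasons = []
    if not directory:
        # No explicit location: the file is found via the normal executable
        # search order at logon, which is how the Agobot drops hide in the log.
        reasons.append("bare file name: no path, located by the normal search order at logon")
    elif base in SYSTEM_BINARIES and ntpath.normpath(directory).lower() != SYSTEM_DIR:
        reasons.append(f"{base} lookalike outside {SYSTEM_DIR}")
    if m.group("key").lower() == "runservices":
        # RunServices is a Windows 9x autostart key; XP does not process it,
        # but worms write every autostart location they know about.
        reasons.append("RunServices: Windows 9x autostart key, typical of worm-style persistence")
    return reasons


def triage_log(text):
    """Run triage_o4 over every line of an HJT log; keep only flagged lines."""
    out = []
    for line in text.splitlines():
        reasons = triage_o4(line.strip())
        if reasons:
            out.append((line.strip(), reasons))
    return out


# Lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [lsass] c:\program files\my app\lsass.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [WinDNS] windns32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, the script flags the six entries Mike listed for "Fix checked" (the four lookalikes and the two bare names) and leaves the AVG, Messenger, ctfmon and IME entries alone. The bare-name rule is deliberately loud: a legitimate program can also register a bare file name, so each hit still needs a Start | Search to locate the file, as the thread goes on to do.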

#3 colin_m_elliott (Full Member, 9 posts)
Posted 08 June 2004 - 08:22 PM

Okay, I did most of what you told me... I had already updated XP; I am just going to check again now, and will post a log soon. Thanks for all your help. Here are the problems:

O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG

I couldn't delete them... it was unable to delete.

netlink32.exe <--this file
sysconf.exe <--this file
winlog.exe <--this file
windns32.exe <--this file

I didn't delete these 4 files... I wasn't sure what directory to delete them from and wanted to be sure before deleting them.

Thanks again!
(log to follow soon!)

#4 colin_m_elliott (Full Member, 9 posts)
Posted 08 June 2004 - 08:39 PM

Logfile of HijackThis v1.97.7
Scan saved at 10:36:05, on 2004/06/09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\uemuratakuya\デスクトップ\HijackThis.exe

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [winampa] winampa.exe
O4 - HKLM\..\RunServices: [winampa] winampa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38132.188599537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D44B52B9-7D35-4278-ABAE-037A084A0CE5}: NameServer = 192.168.11.254

#5 colin_m_elliott (Full Member, 9 posts)
Posted 08 June 2004 - 08:54 PM

Last note: I noticed that it lists C:\WINDOWS\System32\winampa.exe, but this computer does not have Winamp on it... maybe it is unrelated, but just in case.

#6 WinHelp2002 (Global Moderator, 5,365 posts)
Posted 08 June 2004 - 09:11 PM

Hi,

O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
I couldn't delete them.. it was unable to delete

I never said to delete those files, it's just odd that they would show up in the "Startup" entry. It may be a language version problem?

I didn't delete these 4 files.. I wasn't sure what directory to delete them from

Start | Search (type desired file)

Anyway ...

Next: Start | Run (type) Services.msc

Scroll down to the WinTools for IE service
Highlight, right-click and select: Properties
Select "Service Status" option to "Stop"
Select: "Startup type" set it to "Disabled", click Apply, OK
Close the Services Editor.

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked":

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe


Then reboot; on restart, restart in Safe Mode (see "How To" below).

Start | Run (type) Regedit
Navigate to the following location:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

Expand the "+Services" key (left pane)
Highlight the "WinTools" key, right-click and select: Delete, Ok the prompt, close Regedit.

Open Windows Explorer, locate and delete the following:

C:\Program Files\Common files\WinTools
netlink32.exe <--this file via Start | Search
sysconf.exe <--this file
winlog.exe <--this file
windns32.exe <--this file

Restart normally ...

Does AVG run now? If so "Flush System Restore" (see "How To" below)

Basically turn off System Restore, reboot run a full AVG scan, reboot and turn System Restore back on and create a new Restore Point.

After the above post a fresh log ...

but this computer does not have winamp on it

It should be listed in Add/Remove Programs.
Mike

#7 colin_m_elliott (Full Member, 9 posts)
Posted 08 June 2004 - 09:15 PM

Sorry, I didn't explain clearly... I don't think this computer has ever had Winamp on it. On my way to do the rest... sorry, some of it is such a pain trying to match up the Japanese on his computer to the English on mine. I hope it seems clear.

#8 colin_m_elliott (Full Member, 9 posts)
Posted 08 June 2004 - 09:16 PM

And I misspoke when I said "delete" about those files; I meant the "Fix checked" command in HJT.

#9 colin_m_elliott (Full Member, 9 posts)
Posted 08 June 2004 - 09:53 PM

Logfile of HijackThis v1.97.7
Scan saved at 11:51:21, on 2004/06/09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\uemuratakuya\デスクトップ\HijackThis.exe

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [winampa] winampa.exe
O4 - HKLM\..\RunServices: [winampa] winampa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38132.188599537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D44B52B9-7D35-4278-ABAE-037A084A0CE5}: NameServer = 192.168.11.254

The latest log... still can't find those four files...

#11 WinHelp2002 (Global Moderator, 5,365 posts)
Posted 08 June 2004 - 10:20 PM

Hi,
Your log looks clean now ... good job!

I think the below is language related, so ignore for now ...

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini

Is AVG up and running?

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.
Mike

#12 colin_m_elliott (Full Member, 9 posts)
Posted 08 June 2004 - 10:57 PM

Great! Thanks a lot. The only question I have left is that Ad-Aware is freaking out about that HOSTS file you had me put on... is it okay? Should I just ignore it?

Edited by colin_m_elliott, 08 June 2004 - 11:01 PM.


#13 WinHelp2002 (Global Moderator, 5,365 posts)
Posted 09 June 2004 - 04:20 AM

Hi,

Ad-Aware is freaking out about that HOSTS file

See here: Attention Ad-Aware users
Ad-Aware has decided to include a new detection when scanning the HOSTS file. This now creates a "Bad hosts file entry" in the log file generated at the end of a scan. The best thing to do is to place a check in each entry, right-click and select: "Add selection to ignorelist". Otherwise, if you let Ad-Aware "fix" these items it will trash the HOSTS file! Even if you have it "locked" by [example] SpywareBlaster or WinPatrol. It does not return the attributes and renames the HOSTS file incorrectly to hosts.
[more info - Lavasoft article]
Several HOSTS File Entries Indicated By Ad-aware Despite No Other Items Being Indicated
Mike
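Post #2 says the Agobot variants on this machine "disable your AV via a HOSTS file", and post #13 explains why Ad-Aware then complains about the replacement MVPS file: both use exactly the same mechanism, a name mapped to 127.0.0.1 so that it can never be reached. What separates the two is only which names are blackholed, so an audit has to look at the hostnames, not at the 127.0.0.1 target. The script below is an added example, not code from the thread, from Lavasoft or from the MVPS project. PROTECTED_NAMES is an assumed, illustrative set of update and AV-vendor names (a real list would be much longer), and SAMPLE_HOSTS is a constructed file that mixes an ad-blocking section with the kind of entries a worm writes.

```python
import ipaddress

# Update and AV-vendor hostnames that worm-written HOSTS entries try to
# blackhole. Assumed, illustrative set for this example only; it is not a
# list taken from the thread or from any vendor.
PROTECTED_NAMES = {
    "windowsupdate.microsoft.com",
    "download.microsoft.com",
    "free.grisoft.com",
    "liveupdate.symantec.com",
    "update.symantec.com",
}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a HOSTS file.

    One line may map several names to one address; '#' starts a comment.
    Lines whose first field is not an IP address are skipped.
    """
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield no, ip, name.lower()


def is_protected(name):
    """True if name is, or is a subdomain of, a protected hostname."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in PROTECTED_NAMES for i in range(len(labels)))


def audit_hosts(text):
    """Classify HOSTS entries.

    Returns a dict with:
      'hijacked'  - (line_no, ip, name) for protected names pointed anywhere
                    at all: at loopback the name is blackholed, at another
                    address it is redirected, and either way AV and Windows
                    Update stop working.
      'blocklist' - count of other names pointed at loopback or 0.0.0.0, the
                    MVPS-style ad-blocking pattern that Ad-Aware reports as
                    "Bad hosts file entry".
    """
    hijacked, blocklist = [], 0
    for no, ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one mapping every HOSTS file ships with
        if is_protected(name):
            hijacked.append((no, str(ip), name))
        elif ip.is_loopback or ip.is_unspecified:
            blocklist += 1
    return {"hijacked": hijacked, "blocklist": blocklist}


# Constructed sample: an MVPS-style blocklist section followed by the kind
# of entries an Agobot variant writes. Hostnames under example.* are made up.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost

# --- blocklist-style entries (the MVPS pattern) ---
127.0.0.1  ads.example.net
127.0.0.1  tracker.example.org  banners.example.org
0.0.0.0    popups.example.com   # some lists use 0.0.0.0

# --- worm-style entries that cut the machine off from updates ---
127.0.0.1  windowsupdate.microsoft.com
127.0.0.1  v4.windowsupdate.microsoft.com
127.0.0.1  free.grisoft.com
192.0.2.10 liveupdate.symantec.com
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{result['blocklist']} blocklist entries (harmless, expect Ad-Aware to complain)")
    for no, ip, name in result["hijacked"]:
        print(f"line {no}: {name} -> {ip}  ** update/AV site redirected **")
```

On the sample this reports four blocklist entries and four hijacked names, including v4.windowsupdate.microsoft.com (matched as a subdomain of a protected name) and the one entry that points at a third-party address rather than loopback. A file that produces only the first kind of report is what Mike recommends adding to the Ad-Aware ignore list; any hit of the second kind means the HOSTS file is still doing the worm's work and should be replaced as described in post #2.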



