• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
armen

Hijack This log

26 posts in this topic

umm after runnin spybot search and destroy... lava ware ... spy sweeper.. and now.. hijackk this... crap keeps renisnstalling itself onto my comp... the most anoying ones are search bars thata install themesleves onto my internet explorer... after i run those programs some of those programs renistall themselves a while later wtf can i do?

 

also there are numerous pop ups that my comp gets.... which doesnt allow me to play games cuz its constantly exiting the game to show the pop up...

 

 

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Windows\system32\HpSrvUI.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for mpk.zip\mpk.exe

C:\program files\steam\steam.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Trillian\trillian.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Downloads\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.111-big.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe

O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [stopMessengerSpam] C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [NTEK] C:\WINDOWS\NTEK.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MyPopupKiller] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for mpk.zip\mpk.exe

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [wstdecod] C:\WINDOWS\System32\wstdecod.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8018.8733564815

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

Edited by armen

Share this post


Link to post
Share on other sites

Just so that you know you are not being ignored - I will handle this case for you but I need to ask for your patience while I review the log. Please keep an eye on this message for a resolution shortly :)

Share this post


Link to post
Share on other sites

Hello armen,

 

First, please go to Start>Control Panel>Add/Remove Programs, and search for an entry called Quick Search. If it is there, please remove it.

 

Next, with all other browsers closed, please fix the following items in HijackThis:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)

O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe

O4 - HKCU\..\Run: [wstdecod] C:\WINDOWS\System32\wstdecod.exe

 

Reboot, and in SAFE mode (press F8 after the BIOS loads), delete the following files/folders:

 

C:\Program Files\QuickSearch<---folder

C:\WINDOWS\frsk.exe<---file

C:\WINDOWS\System32\wstdecod.exe<---file

 

Note: If you are unable to delete these files, because they are in use, then hit Ctrl+Alt+Del, and end the process for frsk.exe and wstdecod.exe...it should work then

 

Reboot, and post a fresh HijackThis logfile in this thread :)

Share this post


Link to post
Share on other sites

ok there is a problem.... i beleive i deleted the quick search folder and files before i deleted it throught add/ remove programs... so when i try to delete it through add / remove... it doesnt work. also i retarted in safe mode and i was able to delete frsk.exe but i was unable to find wstdecod.exe.... there was a file called wstdecod.dll in the system 32 file but no wstdecod.EXE.....

 

so this is the new log.. also thanks for your help.. i appreciate it.

 

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Windows\system32\HpSrvUI.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for mpk.zip\mpk.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\program files\steam\steam.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Downloads\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.111-big.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe

O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [stopMessengerSpam] C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [NTEK] C:\WINDOWS\NTEK.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MyPopupKiller] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for mpk.zip\mpk.exe

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8018.8733564815

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

Share this post


Link to post
Share on other sites

armen

Run Hijack This and put a check in these boxes:

 

O4 - HKLM\..\Run: [NTEK] C:\WINDOWS\NTEK.exe

 

O4 - HKCU\..\Run: [MyPopupKiller] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for mpk.zip\mpk.exe

 

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

 

Hit 'fix checked' and reboot into SAFE MODE.

How to reboot into 'SAFE MODE'

 

Delete:

C:\WINDOWS\NTEK.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for mpk.zip\<--folder

 

Reboot into normal mode and post a new log. Let us know if that helped. :D

Share this post


Link to post
Share on other sites

do u want me to log into safe mode and then log in as Administrator or my account.... because when i try to log in as administrator.. it taks a really long time and i think it freezes... well anyways.. i delete those 3 things u wanted me to. but the files u wanted me to delete in safe mode werent there.. i think thats becuase i logged in as ARMEN and not admistrtor. but like i said i think it freezes when trying to log in as admin. as far as new log... here ya go

 

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Windows\system32\HpSrvUI.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\QuickTime\qttask.exe

C:\program files\steam\steam.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Downloads\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.111-big.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe

O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [stopMessengerSpam] C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8018.8733564815

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

That looks pretty good. Are you having any problems while logged in as ARMEN?

If you are then please explain and give more details.

 

Also, I would like you to reboot and login as admin and run a Hijack This log from there. Try in normal mode but if you can't then use SAFE MODE.

Share this post


Link to post
Share on other sites

thats the problem.. if i try to log in.. in safe mod. if i clidk on admin it wont let me. im not seeing any obvious problems now. but there pop ups .. for instance. when i turn on my comp. and i click on internet explorer for the first time i always get a pop up the first time i click on it. when it opens. thats one instance

Share this post


Link to post
Share on other sites

Ok, can you tell me what the popup is selling or what site it is linked to? This is helpful to know. Sometimes you can right click on the popup and select properties to see this info.

 

Also, download VX2Finder from this link:

http://www.downloads.subratam.org/VX2Finder.exe

 

 

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

 

Copy and paste the contents of the log into your next reply here. :D

Share this post


Link to post
Share on other sites

well i didnt get the pop up today like i normaly would so i believe one of the many things u said helped.. so i am thankful on that part. i was wondering if you can help me with the logging in as administrator part. when ever i try to log in as administror in safe mode i think it freezes cuz it takes an uber long time. TY

Share this post


Link to post
Share on other sites

sry i was away fora bit... but heres what i got from the VX2 finder..

 

Files Found---

C:\WINDOWS\System32\2adsrch.dll

C:\WINDOWS\System32\2bdsrch.dll

C:\WINDOWS\System32\2cdsrch.dll

C:\WINDOWS\System32\2ddsrch.dll

C:\WINDOWS\System32\2edsrch.dll

C:\WINDOWS\System32\2fdsrch.dll

C:\WINDOWS\System32\2gdsrch.dll

C:\WINDOWS\System32\2hdsrch.dll

C:\WINDOWS\System32\2idsrch.dll

C:\WINDOWS\System32\2jdsrch.dll

C:\WINDOWS\System32\2kdsrch.dll

C:\WINDOWS\System32\2ldsrch.dll

C:\WINDOWS\System32\2mdsrch.dll

C:\WINDOWS\System32\2ndsrch.dll

C:\WINDOWS\System32\2odsrch.dll

C:\WINDOWS\System32\2pdsrch.dll

C:\WINDOWS\System32\2qdsrch.dll

C:\WINDOWS\System32\2rdsrch.dll

C:\WINDOWS\System32\2sdsrch.dll

C:\WINDOWS\System32\2udsrch.dll

C:\WINDOWS\System32\2vdsrch.dll

C:\WINDOWS\System32\2wdsrch.dll

C:\WINDOWS\System32\2ydsrch.dll

C:\WINDOWS\System32\6go4svc.dll

C:\WINDOWS\System32\6wo4svc.dll

C:\WINDOWS\System32\aed.dll

C:\WINDOWS\System32\afd.dll

C:\WINDOWS\System32\araamon.dll

C:\WINDOWS\System32\aud.dll

C:\WINDOWS\System32\awaamon.dll

 

 

Guardian Key--- is called: GuardianJRRTK

Asynchronous 000

DllName C:\WINDOWS\system32\2gdsrch.dll

Impersonate 000

Logon WinLogon

Logoff WinLogoff

Version 124

ID {A55B2079-4FCC-4651-A932-F9EA4A6B6902}

IDex DS3

 

User Agent String---

{A55B2079-4FCC-4651-A932-F9EA4A6B6902}

Share this post


Link to post
Share on other sites

Good, there is the problem. :D

 

Sign off and stay off the internet until the entire procedure is complete.

 

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

 

Put a check by all the files.

Then select the *Delete these files* button.

You will be left with notice about one to be deleted on reboot.

It will ask to reboot on deletion of the last file (Reboot)

 

-----------------

Once back in Windows

 

 

Open VX2Finder again and click on these buttons in the right pane:

 

user agent, Guardian.reg, restore policy

 

Exit and reboot.

 

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Post it here with a fresh HijackThis log please.

Share this post


Link to post
Share on other sites

OMG I THINK THIS SOLVED MY POP UP PROBLEM!!!!!.

 

Ok.. usually when i opend Internet Explorer for the first time when i turned on my comp, there would be another pop that came with it! ALL THE TIME!....

 

BUT NOT THIS TIME!!!... ok dude i cant wait to see if this completly takes them ouT! SWEET DOOD!

 

Ok thanks for all the help uve gave me soo far... what else can you suggest and what do u think about my comp freezeing when trying to log in as Admin?

Share this post


Link to post
Share on other sites

This may solve the admin problem as well but I'm not positive.

 

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Post it here with a fresh HijackThis log please.

Share this post


Link to post
Share on other sites

ok VX2 Finder . nothing comes up when i click on the better internet . i think its becauase u had me delete everything yesterday. so theres no log for that.

 

 

hijack this log is as follows:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:16:39 AM, on 6/14/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\windows\system\hpsysdrv.exe

C:\Windows\system32\HpSrvUI.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\QuickTime\qttask.exe

C:\program files\steam\steam.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Trillian\trillian.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Downloads\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O1 - Hosts: 69.20.16.183 ieautosearch

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.111-big.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe

O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [stopMessengerSpam] C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8018.8733564815

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Ok, run Hijack This and check this box:

O1 - Hosts: 69.20.16.183 ieautosearch

 

Hit fix.

 

The VX2 stuff you just fixed may have caused the

safe mode problem.

 

Try booting into safe mode now and see if you can.

 

Let me know. :D

Share this post


Link to post
Share on other sites

umm i deleted that 1 file but apparently the admin log in hasnt been fixed yet... thankx for your help dude!

Share this post


Link to post
Share on other sites

Try this and let me know what turns up.

 

Get an online virus scan here:

http://housecall.trendmicro.com/

 

Check the 'autoclean' box and scan.

 

Also, update your Spybot and Ad-aware definitions and perform a full scan.

 

Report back. :D

 

Edit to add:

 

Also, on the VX2Finder:

 

When you click find and then make log it should look like this:

Log for VX2.BetterInternet File Finder

 

Files Found---

 

 

Guardian Key--- is called:

 

User Agent String---

 

All fields should be blank. Verify that yours are all blank as above. :D

Edited by sspears

Share this post


Link to post
Share on other sites

ok i didnt do the online virus scan mainly becuase i have norton 03 and i updated it and scaned.... nothing!

 

umm i updated spybot and adware .. many things were found in both.. they were deleted.

 

this is the VX2 thing.

 

Files Found---

 

 

Guardian Key--- is called: GuardianBCNIG

Asynchronous 000

DllName C:\WINDOWS\system32\2gdsrch.dll

Impersonate 000

Logon WinLogon

Logoff WinLogoff

Version 124

ID {A55B2079-4FCC-4651-A932-F9EA4A6B6902}

IDex DS3

 

User Agent String---

Share this post


Link to post
Share on other sites

You are still infected. Try the procedure again and make sure you do ALL the steps. If you don't understand the instructions then ask.

 

Sign off and stay off the internet until the entire procedure is complete.

 

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

 

Put a check by all the files.

Then select the *Delete these files* button.

You will be left with notice about one to be deleted on reboot.

It will ask to reboot on deletion of the last file (Reboot)

 

-----------------

Once back in Windows

 

 

Open VX2Finder again and click on these buttons in the right pane:

 

user agent, Guardian.reg, restore policy

 

Exit and reboot.

 

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Post it here with a fresh HijackThis log please.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0