1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Cannot Create file C:\Windows\xduyefda.zip

Discussion in 'Windows XP' started by VeriChipped, Feb 11, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. VeriChipped

    VeriChipped Thread Starter

    Joined:
    Jan 22, 2003
    Messages:
    147
    Re: Windows xp home e
    Hi Guys,
    I did it again, don't know how, don't know when. But at start up and window first opens ...I get a stack of pop ups all saying..."Cannot create file C:\..\Windows\xduyefda.zip"....can someone help me...for please.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:23:50 PM, on 2/11/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\imapi.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\ati\main\ATISched.EXE
    C:\WINDOWS\windll32.exe
    C:\WINDOWS\ocx32.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\eBook-Legal Forms (Contracts + More).uzy
    C:\PROGRAM FILES\Internet Explorer\iexplore.exe
    C:\Documents and Settings\RICHARD MORALES\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Default
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcsonline.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wcsonline.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
    O4 - HKLM\..\Run: [windll] C:\WINDOWS\windll32.exe
    O4 - HKLM\..\Run: [ocx32] C:\WINDOWS\ocx32.exe
    O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [WindowsCriticalUpdate] C:\WINDOWS\windows_critical_update.exe
    O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://chat.msn.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1039_pack_XP.cab
    O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc/java/install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - http://www.entertainmentresource.com/w2hlegacy/express/hostexpress.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37890.8796296296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

    :confused:
    Thanks
    Veri.
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    That log is old, follow this

    SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
    AdAware SE 1.05 http://www.majorgeeks.com/download506.html
    SpyBot S&D 1.3 http://www.safer-networking.org/en/download/

    DL them (they are free), install them, check each for their
    definition updates
    and then run AdAware and Spybot, fixing anything
    they say.

    In SpywareBlaster - Always enable all protection after updates
    SpyBot - After an update run immunize

    Do these and reboot before the next step.

    Then get HiJack This http://www.majorgeeks.com/download3155.html, put
    it in a permanent folder (C:\HJT) , run it , DO NOT fix anything, post the
    log here.
     
  3. VeriChipped

    VeriChipped Thread Starter

    Joined:
    Jan 22, 2003
    Messages:
    147
    Downloaded and ran all except spywareblaster 3.2 ....came across a message during setup... that read "cannot replace MSINET.OCX in FAT 32" had to opt abort. Here's the new HiJack this 1.99:
    Logfile of HijackThis v1.99.0
    Scan saved at 8:15:36 AM, on 2/12/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\imapi.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\ati\main\ATISched.EXE
    C:\WINDOWS\windll32.exe
    C:\WINDOWS\ocx32.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\eBook-Legal Forms (Contracts + More).uzy
    C:\Documents and Settings\RICHARD MORALES\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Default
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wcsonline.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcsonline.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
    O4 - HKLM\..\Run: [windll] C:\WINDOWS\windll32.exe
    O4 - HKLM\..\Run: [ocx32] C:\WINDOWS\ocx32.exe
    O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [WindowsCriticalUpdate] C:\WINDOWS\windows_critical_update.exe
    O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://chat.msn.com
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1039_pack_XP.cab
    O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc/java/install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - http://www.entertainmentresource.com/w2hlegacy/express/hostexpress.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
    O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE

    Thanks again
    Veri
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Download CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
    Close all browser windows,
    Open cwshredder.exe then click "Fix" and let it run.


    Print this and boot to safe mode
    Fix these with HJT

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm

    R3 - Default URLSearchHook is missing

    O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O4 - HKLM\..\Run: [windll] C:\WINDOWS\windll32.exe

    O4 - HKLM\..\Run: [ocx32] C:\WINDOWS\ocx32.exe

    O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe

    O4 - HKCU\..\Run: [WindowsCriticalUpdate] C:\WINDOWS\windows_critical_update.exe

    O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe

    O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binari...039_pack_XP.cab

    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binari...tpe32_EN_XP.cab


    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\windll32.exe
    C:\WINDOWS\ocx32.exe
    C:\WINDOWS\svchost.exe ç in this directory ONLY not in system32
    c:\counter.cab

    Delete these folders

    C:\Program Files\Cool Timer


    START – RUN – key in %temp% OK - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log
     
  5. VeriChipped

    VeriChipped Thread Starter

    Joined:
    Jan 22, 2003
    Messages:
    147
    I can't access HJT or any program in safe mode...which was located in My documents folder on desktop....the entire my documents folder is empty.
    Black foreground...pretty scarry. Could I boot to normal and fix with HJT?
    Veri.
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    No, in regular mode move HJT to a permanent folder like C:\HJT
     
  7. VeriChipped

    VeriChipped Thread Starter

    Joined:
    Jan 22, 2003
    Messages:
    147
    Sorry about that....I access it by going into C:\...\...\my documents and HJT was accessible all the time but not on desktop.
    I'm working on it now.
    I thank you too much.
    Veri.
     
  8. VeriChipped

    VeriChipped Thread Starter

    Joined:
    Jan 22, 2003
    Messages:
    147
    (y)

    You got it....I knew that red accordian in the vice grip was bad news....I couldn't get rid of cool timer, complements of downloads.com(freeware)....It goes AaaOOUUGAAh....really loud to remind me that the beer isn't going to burst in the Freezer:

    I couldn't find "R3 - Default URLSearchHook is missing"...It wasn't on the HJT scan list to fix(repair or delete)....Safe Mode of course. It just shows up when HJT is scanning in normal windows mode.
    Let me know if I still need to get rid of it or if others have got to go:

    Logfile of HijackThis v1.99.0
    Scan saved at 11:29:53 AM, on 2/12/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\imapi.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\ati\main\ATISched.EXE
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\eBook-Legal Forms (Contracts + More).uzy
    C:\Documents and Settings\RICHARD MORALES\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Default
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wcsonline.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcsonline.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
    O4 - HKLM\..\Run: [windll] C:\WINDOWS\windll32.exe
    O4 - HKLM\..\Run: [ocx32] C:\WINDOWS\ocx32.exe
    O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [WindowsCriticalUpdate] C:\WINDOWS\windows_critical_update.exe
    O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://chat.msn.com
    O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc/java/install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - http://www.entertainmentresource.com/w2hlegacy/express/hostexpress.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
    O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE

    Thank you.
    Veri.
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  10. VeriChipped

    VeriChipped Thread Starter

    Joined:
    Jan 22, 2003
    Messages:
    147
    I pulled out registry medic and repaired (or deleted) 3 of the stubborn ones:
    O4 - HKLM\..\Run: [windll] C:\WINDOWS\windll32.exe
    O4 - HKLM\..\Run: [ocx32] C:\WINDOWS\ocx32.exe
    O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe

    I still can't get rid of this one:
    R3 - Default URLSearchHook is missing

    By the HJT log it looks like I have three antivirus software in registry....If preference would allow I'd like to keep AntiVir XP instead of AVG 7 or McAffee.

    Logfile of HijackThis v1.99.0
    Scan saved at 3:27:51 PM, on 2/12/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\imapi.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\ati\main\ATISched.EXE
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\WINDOWS\eBook-Legal Forms (Contracts + More).uzy
    C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\PROGRAM FILES\Internet Explorer\iexplore.exe
    C:\Documents and Settings\RICHARD MORALES\My Documents\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Default
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wcsonline.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcsonline.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
    O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\SYSTEM32\svchost.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [WindowsCriticalUpdate] C:\WINDOWS\windows_critical_update.exe
    O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM32\svchost.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://chat.msn.com
    O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc/java/install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - http://www.entertainmentresource.com/w2hlegacy/express/hostexpress.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
    O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE

    Veri.
     
  11. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min is part of anti vir

    As long as it is curerent with updates that is just fine

    the url is not that important

    What is the status now???
     
  12. VeriChipped

    VeriChipped Thread Starter

    Joined:
    Jan 22, 2003
    Messages:
    147
    The latest status is the post before your last one...I can live with that unless you spot something else.....Thanks to you I don't get the stack of pop ups anymore....for that alone I feel I need to do your laundry for the next fifty years. :D

    If you don't see anything else threatening I can HJT fix or delete I can consider this thread solved.

    Thank you.
    Veri.
     
  13. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    SCRATCH that you still have the W32.HLLW.Respan releated stuff

    Do a couple of these online scans, we need to get it out

    Do a couple online scans from this list

    http://forums.techguy.org/t110854.html
     
  14. VeriChipped

    VeriChipped Thread Starter

    Joined:
    Jan 22, 2003
    Messages:
    147
    I justed PM'd you before accessing here....did the scan and deleted one more Virus you know the rest here's HJT:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:14:00 PM, on 2/13/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
    C:\WINDOWS\System32\atievxx.exe
    C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\imapi.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\ati\main\ATISched.EXE
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Documents and Settings\RICHARD MORALES\My Documents\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Default
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM32\svchost.exe
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://chat.msn.com
    O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc/java/install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - http://www.entertainmentresource.com/w2hlegacy/express/hostexpress.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
    O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
     
  15. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/329474

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice