Cannot Create file C:\Windows\xduyefda.zip

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

VeriChipped

Thread Starter
Joined
Jan 22, 2003
Messages
147
Re: Windows xp home e
Hi Guys,
I did it again, don't know how, don't know when. But at start up and window first opens ...I get a stack of pop ups all saying..."Cannot create file C:\..\Windows\xduyefda.zip"....can someone help me...for please.

Logfile of HijackThis v1.97.7
Scan saved at 7:23:50 PM, on 2/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\ati\main\ATISched.EXE
C:\WINDOWS\windll32.exe
C:\WINDOWS\ocx32.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\eBook-Legal Forms (Contracts + More).uzy
C:\PROGRAM FILES\Internet Explorer\iexplore.exe
C:\Documents and Settings\RICHARD MORALES\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Default
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcsonline.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wcsonline.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
O4 - HKLM\..\Run: [windll] C:\WINDOWS\windll32.exe
O4 - HKLM\..\Run: [ocx32] C:\WINDOWS\ocx32.exe
O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [WindowsCriticalUpdate] C:\WINDOWS\windows_critical_update.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1039_pack_XP.cab
O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc/java/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - http://www.entertainmentresource.com/w2hlegacy/express/hostexpress.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37890.8796296296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

:confused:
Thanks
Veri.
 
Joined
Sep 7, 2004
Messages
49,014
That log is old, follow this

SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
AdAware SE 1.05 http://www.majorgeeks.com/download506.html
SpyBot S&D 1.3 http://www.safer-networking.org/en/download/

DL them (they are free), install them, check each for their definition updates and then run AdAware and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
SpyBot - After an update run immunize

Do these and reboot before the next step.

Then get HiJack This http://www.majorgeeks.com/download3155.html, put it in a permanent folder (C:\HJT), run it, DO NOT fix anything, post the log here.
 

VeriChipped

Thread Starter
Joined
Jan 22, 2003
Messages
147
Downloaded and ran all except spywareblaster 3.2 ....came across a message during setup... that read "cannot replace MSINET.OCX in FAT 32" had to opt abort. Here's the new HiJack this 1.99:
Logfile of HijackThis v1.99.0
Scan saved at 8:15:36 AM, on 2/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\ati\main\ATISched.EXE
C:\WINDOWS\windll32.exe
C:\WINDOWS\ocx32.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\eBook-Legal Forms (Contracts + More).uzy
C:\Documents and Settings\RICHARD MORALES\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Default
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wcsonline.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcsonline.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
O4 - HKLM\..\Run: [windll] C:\WINDOWS\windll32.exe
O4 - HKLM\..\Run: [ocx32] C:\WINDOWS\ocx32.exe
O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [WindowsCriticalUpdate] C:\WINDOWS\windows_critical_update.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1039_pack_XP.cab
O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc/java/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - http://www.entertainmentresource.com/w2hlegacy/express/hostexpress.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE

Thanks again
Veri
 
Joined
Sep 7, 2004
Messages
49,014
Download CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
Close all browser windows,
Open cwshredder.exe then click "Fix" and let it run.


Print this and boot to safe mode
Fix these with HJT

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm

R3 - Default URLSearchHook is missing

O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [windll] C:\WINDOWS\windll32.exe

O4 - HKLM\..\Run: [ocx32] C:\WINDOWS\ocx32.exe

O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [WindowsCriticalUpdate] C:\WINDOWS\windows_critical_update.exe

O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe

O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binari...039_pack_XP.cab

O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binari...tpe32_EN_XP.cab


View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files

C:\WINDOWS\windll32.exe
C:\WINDOWS\ocx32.exe
C:\WINDOWS\svchost.exe <-- in this directory ONLY, not in system32
c:\counter.cab

Delete these folders

C:\Program Files\Cool Timer


START – RUN – key in %temp% OK - Edit – Select all – File – Delete
Empty the recycle bin
Boot and post a new log
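
The post above singles out C:\WINDOWS\svchost.exe "in this directory ONLY not in system32" and several "(no file)" entries. The following is an added example, not part of the original post and not HijackThis's own code, that applies both checks to a HijackThis log; the list of System32-only process names and the function names are assumptions made for illustration, and the sample lines are copied from the log posted earlier in this thread.

```python
import ntpath
import re

# Core Windows processes that legitimately live in %SystemRoot%\System32.
# Short illustrative list (an assumption for this example), not exhaustive.
SYSTEM32_ONLY = {"svchost.exe", "smss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "spoolsv.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# Constructed sample: a subset of lines from the v1.99.0 log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\windll32.exe
C:\WINDOWS\svchost.exe

R3 - Default URLSearchHook is missing
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe
"""

# O4 registry autorun line: hive, key (Run/RunOnce/...), value name, command.
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")


def exe_path(command):
    """Return the executable part of a Run command line, or None."""
    m = re.match(r'"?(.+?\.exe)\b', command, re.IGNORECASE)
    return m.group(1) if m else None


def is_masquerade(path):
    """True when a System32-only process name is seen in another directory."""
    directory, name = ntpath.split(path)
    return (name.lower() in SYSTEM32_ONLY
            and directory != ""
            and ntpath.normcase(directory) != SYSTEM32_DIR)


def scan(log_text):
    """Return a list of (kind, detail) findings for one HijackThis log."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                  # blank line ends the process list
                in_processes = False
            elif is_masquerade(line):
                findings.append(("process", line))
            continue
        m = O4_RUN.match(line)
        if m:
            hive, key, name, command = m.groups()
            path = exe_path(command)
            if path and is_masquerade(path):
                findings.append(("autorun", f"{hive}\\{key} [{name}] {path}"))
        elif line.endswith("(no file)"):  # registry entry whose file is gone
            findings.append(("orphan", line))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(f"{kind:8} {detail}")
```

A name-and-directory check only catches impersonation of known system binaries; entries such as windll32.exe and ocx32.exe, which the post also lists for removal, need a different signal.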
 

VeriChipped

Thread Starter
Joined
Jan 22, 2003
Messages
147
I can't access HJT or any program in safe mode...which was located in My documents folder on desktop....the entire my documents folder is empty.
Black foreground...pretty scary. Could I boot to normal and fix with HJT?
Veri.
 

VeriChipped

Thread Starter
Joined
Jan 22, 2003
Messages
147
Sorry about that....I access it by going into C:\...\...\my documents and HJT was accessible all the time but not on desktop.
I'm working on it now.
I thank you too much.
Veri.
 

VeriChipped

Thread Starter
Joined
Jan 22, 2003
Messages
147
(y)

You got it....I knew that red accordion in the vice grip was bad news....I couldn't get rid of cool timer, compliments of downloads.com(freeware)....It goes AaaOOUUGAAh....really loud to remind me that the beer isn't going to burst in the Freezer:

I couldn't find "R3 - Default URLSearchHook is missing"...It wasn't on the HJT scan list to fix(repair or delete)....Safe Mode of course. It just shows up when HJT is scanning in normal windows mode.
Let me know if I still need to get rid of it or if others have got to go:

Logfile of HijackThis v1.99.0
Scan saved at 11:29:53 AM, on 2/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\ati\main\ATISched.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\eBook-Legal Forms (Contracts + More).uzy
C:\Documents and Settings\RICHARD MORALES\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Default
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wcsonline.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcsonline.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
O4 - HKLM\..\Run: [windll] C:\WINDOWS\windll32.exe
O4 - HKLM\..\Run: [ocx32] C:\WINDOWS\ocx32.exe
O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [WindowsCriticalUpdate] C:\WINDOWS\windows_critical_update.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc/java/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - http://www.entertainmentresource.com/w2hlegacy/express/hostexpress.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE

Thank you.
Veri.
 

VeriChipped

Thread Starter
Joined
Jan 22, 2003
Messages
147
I pulled out registry medic and repaired (or deleted) 3 of the stubborn ones:
O4 - HKLM\..\Run: [windll] C:\WINDOWS\windll32.exe
O4 - HKLM\..\Run: [ocx32] C:\WINDOWS\ocx32.exe
O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\svchost.exe

I still can't get rid of this one:
R3 - Default URLSearchHook is missing

By the HJT log it looks like I have three antivirus software in registry....If preference would allow I'd like to keep AntiVir XP instead of AVG 7 or McAfee.

Logfile of HijackThis v1.99.0
Scan saved at 3:27:51 PM, on 2/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\ati\main\ATISched.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\eBook-Legal Forms (Contracts + More).uzy
C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRAM FILES\Internet Explorer\iexplore.exe
C:\Documents and Settings\RICHARD MORALES\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Default
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wcsonline.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcsonline.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [microsoft] C:\WINDOWS\SYSTEM32\svchost.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [WindowsCriticalUpdate] C:\WINDOWS\windows_critical_update.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM32\svchost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc/java/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - http://www.entertainmentresource.com/w2hlegacy/express/hostexpress.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE

Veri.
 
Joined
Sep 7, 2004
Messages
49,014
[AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min is part of anti vir

As long as it is current with updates that is just fine

the url is not that important

What is the status now???
 

VeriChipped

Thread Starter
Joined
Jan 22, 2003
Messages
147
The latest status is the post before your last one...I can live with that unless you spot something else.....Thanks to you I don't get the stack of pop ups anymore....for that alone I feel I need to do your laundry for the next fifty years. :D

If you don't see anything else threatening I can HJT fix or delete I can consider this thread solved.

Thank you.
Veri.
 

VeriChipped

Thread Starter
Joined
Jan 22, 2003
Messages
147
I just PM'd you before accessing here....did the scan and deleted one more Virus you know the rest here's HJT:

Logfile of HijackThis v1.99.0
Scan saved at 10:14:00 PM, on 2/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\atievxx.exe
C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\ati\main\ATISched.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Documents and Settings\RICHARD MORALES\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Default
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [ATI Scheduler] C:\ati\main\ATISched.EXE
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM32\svchost.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc/java/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - http://www.entertainmentresource.com/w2hlegacy/express/hostexpress.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\PROGRAM FILES\AVPersonal\AVWUPSRV.EXE
 