
Computer is super slow and has trouble starting up sometimes.

Discussion in 'Virus & Other Malware Removal' started by ERDuke, Sep 4, 2004.

Thread Status:
Not open for further replies.
  1. ERDuke

    ERDuke Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    14
    My computer is really slow, it even has trouble keeping up while I'm typing this. I have pest patrol corporate and google popup blocker and I still get adware, which pest patrol eventually removes, and I still get pop ups, specifically stopguard, winantivirus, and hotlivegirls. Sometimes when I start up the computer it sticks and I hit cad and stop binfont.exe in the process because that is what is sticking. It seems as if the program has changed its name to binadr. Something is really wrong with my computer. So I looked at the posts here and downloaded the hijacker software, and here is the log:

    Logfile of HijackThis v1.98.2
    Scan saved at 6:21:12 PM, on 9/4/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\basfipm.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WLTRYSVC.EXE
    C:\WINNT\System32\bcmwltry.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\System32\DSentry.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\AT&T Wireless\Communication Manager\Communication Manager.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    C:\Program Files\New Moon Client\iqclntmgr.exe
    c:\Program Files\PestPatrol\CookiePatrol.exe
    c:\Program Files\PestPatrol\PPMemCheck.exe
    c:\Program Files\PestPatrol\PPControl.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    C:\WINNT\security\Database\binabr.exe
    C:\Documents and Settings\nuchimse\My Documents\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.windowenhancer.com/nph-search.cgi?affid=sesm1&look=stmpl1&sstring=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.windowenhancer.com/nph-search.cgi?affid=sesm1&look=stmpl1&sstring=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.windowenhancer.com/nph-search.cgi?affid=sesm1&look=stmpl1&sstring=
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\tnofnib.dat
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\ipatcvsm.dat
    O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\ipatcvsm.dat
    O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\tnofnib.dat
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\rbanib.dat
    O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [bascstray] BascsTray.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\ p:\ /hard /nosound /onceaday /nologafter /delete /nopause /RunAfterFile="C:\Progra~1\PestPatrol\PPUpdater.exe" /RunAfterParams=/autoexit /RunAfterShow=Minimized
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe /nosound /delete
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [*binabr] C:\WINNT\security\Database\binabr.exe rerun
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\Config\srvnet.exe ren
    O4 - Startup: No Outlook Express Icons.vbs
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: AT&T Wireless Communication Manager.lnk = C:\Program Files\AT&T Wireless\Communication Manager\Communication Manager.exe
    O4 - Global Startup: CorelCENTRAL 10.lnk = C:\Program Files\Corel\WordPerfect Office 2002\Programs\CCWin10.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    O4 - Global Startup: Refresh Canaveral Shortcuts.lnk = C:\Program Files\New Moon Client\iqclntmgr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.corp.ene.com
    O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2266ab6136c58b154418/netzip/RdxIE601.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.epaosc.net/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ene.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{71601F56-842B-49D0-B937-3387BD9357D0}: NameServer = 10.2.0.12,10.2.0.14
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ene.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.ene.com,
    O17 - HKLM\System\CS1\Services\Tcpip\..\{71601F56-842B-49D0-B937-3387BD9357D0}: NameServer = 10.2.0.12,10.2.0.14
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.ene.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.ene.com,
    O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msdhmd.dll

    I know that's a lot but please help me.

    Thanks

    P.S. this is my company's computer but I hate our tech support.
     
  2. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
    Here are a few to be getting rid of, put a tick by them and after closing all open windows have hijack FIX them

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.windowenhancer.com/np...stmpl1&sstring=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.windowenhancer.com/np...stmpl1&sstring=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.windowenhancer.com/np...stmpl1&sstring=
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    I have to look up some of the items remaining; post back a modified log .......
     
  3. ERDuke

    ERDuke Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    14
    Logfile of HijackThis v1.98.2
    Scan saved at 12:01:58 AM, on 9/5/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\basfipm.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WLTRYSVC.EXE
    C:\WINNT\System32\bcmwltry.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\System32\DSentry.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\security\Database\binabr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\AT&T Wireless\Communication Manager\Communication Manager.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    C:\Program Files\New Moon Client\iqclntmgr.exe
    c:\Program Files\PestPatrol\CookiePatrol.exe
    c:\Program Files\PestPatrol\PPMemCheck.exe
    c:\Program Files\PestPatrol\PPControl.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\nuchimse\My Documents\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\tnofnib.dat
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\ipatcvsm.dat
    O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\ipatcvsm.dat
    O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\tnofnib.dat
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\rbanib.dat
    O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [bascstray] BascsTray.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\ p:\ /hard /nosound /onceaday /nologafter /delete /nopause /RunAfterFile=C:\Progra~1\PestPatrol\PPUpdater.exe /RunAfterParams=/autoexit /RunAfterShow=Minimized
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe /nosound /delete
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [*binabr] C:\WINNT\security\Database\binabr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [*binabr] C:\WINNT\security\Database\binabr.exe rerun
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\Tasks\antiole.exe ren
    O4 - Startup: No Outlook Express Icons.vbs
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: AT&T Wireless Communication Manager.lnk = C:\Program Files\AT&T Wireless\Communication Manager\Communication Manager.exe
    O4 - Global Startup: CorelCENTRAL 10.lnk = C:\Program Files\Corel\WordPerfect Office 2002\Programs\CCWin10.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    O4 - Global Startup: Refresh Canaveral Shortcuts.lnk = C:\Program Files\New Moon Client\iqclntmgr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.corp.ene.com
    O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2266ab6136c58b154418/netzip/RdxIE601.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.epaosc.net/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ene.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ene.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.ene.com
    O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msdhmd.dll

    Ok I did what you told me, the pop ups seem to be popping up more often. I also ran into a situation where I clicked onto a link on aim today and it opened a gross of ie windows to no link at all. So I'm not sure what's going on with this POS. Thanks for your assistance.
     
  4. ERDuke

    ERDuke Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    14
    My computer is super slow in the areas where text is involved in internet explorer. It seems that internet explorer is the thing that is really slow on my computer. Any ideas? I tried downloading ie6 sp1 and that doesn't seem to have done anything. Thanks again.

    P.S. I have an internet connection at 100MBS

    One more thing. I just downloaded Netscape and I am using it as my browser now, I am back up to speed on that now. So here is what I propose doing, please tell me if this would work, Uninstall Internet Explorer and reload it through Netscape? I am sure there is more to it though.
     
  5. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
    I have asked a moderator to have a look at this for you .....
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View.

    Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.computercops.biz/downloads-cat-14.html

    Then:

    1 >> Restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    2 >> In Safe Mode run the CoolWebShredder and have it "fix" detected problems. Then run HijackThis and check and "fix" the following entries:

    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\tnofnib.dat
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\ipatcvsm.dat
    O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\ipatcvsm.dat
    O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\tnofnib.dat

    O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\rbanib.da


    O4 - HKLM\..\Run: [*binabr] C:\WINNT\security\Database\binabr.exe
    O4 - HKLM\..\RunOnce: [*binabr] C:\WINNT\security\Database\binabr.exe rerun

    ^^^ I do not know what these two registry entries do. Take no action if you can vouch for them. If not, use HijackThis to "fix" the entries. See what is in the c:\winnt\security folder. We may want to delete that if it is malware.

    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\Tasks\antiole.exe ren

    ^^^ Similar instructions for antiole.exe. What is in the c:\winnt\tasks folder? No web hits exist for this exe or the binabr.exe one.

    O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msdhmd.dll

    Additional cleanup instructions: Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

    Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them.

    >> Reboot and post a fresh HijackThis scanlog. Tell me what you know about those questionable files and folders and whether you are still having problems.

    One more question: since vbs scripts can be malware, I can't take this for granted either. Did you install it?

    O4 - Startup: No Outlook Express Icons.vbs

    Also, since you have Nav, do a full, updated, Nav scan while in Safe Mode. You definitely have this:

    http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html
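
The triage in the reply above, written out as an added example (not part of the original thread, and not HijackThis's own logic): it flags O2/O4 lines by the traits the helper singled out and compares two scans for autoruns whose target file changed. The sample lines are copied from the first two logs posted in this thread; the function names and the heuristics are assumptions made for illustration.

```python
import re

# Lines copied from the Sep 4 and Sep 5 HijackThis logs posted in this thread.
SCAN_SEP_4 = r"""
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\tnofnib.dat
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\RunOnce: [*binabr] C:\WINNT\security\Database\binabr.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\Config\srvnet.exe ren
"""
SCAN_SEP_5 = r"""
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\tnofnib.dat
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [*binabr] C:\WINNT\security\Database\binabr.exe
O4 - HKLM\..\RunOnce: [*binabr] C:\WINNT\security\Database\binabr.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\Tasks\antiole.exe ren
"""

# O2 - BHO: <name> - <CLSID or stray token> - <file>
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}|\S+) - (?P<target>.+)$")
# O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command line>
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")


def parse(log):
    """Return {identity: target} for the O2 and O4 registry lines of one log.

    Identity is what stays stable when the file is renamed: the CLSID for a
    BHO, and (hive, key, value name) for a Run/RunOnce entry.
    """
    entries = {}
    for line in log.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            ident = ("O2", m["clsid"].upper())
        else:
            m = RUN_RE.match(line)
            if not m:
                continue
            ident = ("O4", m["hive"], m["key"], m["name"])
        entries[ident] = m["target"]
    return entries


def reasons(ident, target):
    """Illustrative heuristics only; a hit means 'look at this', not 'malware'."""
    found = []
    low = target.lower()
    if "(no file)" in low or "(file missing)" in low:
        found.append("orphaned registration")
    elif ident[0] == "O2":
        if "\\temp\\" in low:
            found.append("BHO loaded from a Temp directory")
        if not low.endswith(".dll"):
            found.append("BHO file is not a .dll")
    # A leading '*' on a RunOnce value name makes Windows run it in Safe Mode
    # too, which matters when the cleanup plan relies on Safe Mode.
    if ident[0] == "O4" and ident[3].startswith("*"):
        found.append("asterisk-prefixed autorun name")
    return found


def triage(log):
    """Entries of one scan that match at least one heuristic."""
    return {i: r for i, t in parse(log).items() if (r := reasons(i, t))}


def retargeted(old_log, new_log):
    """Autoruns present in both scans whose file or command line changed."""
    old, new = parse(old_log), parse(new_log)
    return {i: (old[i], new[i]) for i in old.keys() & new.keys() if old[i] != new[i]}


def appeared(old_log, new_log):
    """Autoruns present only in the newer scan."""
    old, new = parse(old_log), parse(new_log)
    return {i: new[i] for i in new.keys() - old.keys()}


if __name__ == "__main__":
    for ident, why in triage(SCAN_SEP_4).items():
        print("REVIEW", ident, "->", "; ".join(why))
    for ident, (before, after) in retargeted(SCAN_SEP_4, SCAN_SEP_5).items():
        print("RETARGETED", ident, ":", before, "=>", after)
    for ident, target in appeared(SCAN_SEP_4, SCAN_SEP_5).items():
        print("NEW", ident, ":", target)
```

Keying on the CLSID or the Run value name rather than the file name is what lets the comparison catch an entry that survives between scans under a different executable.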
     
  7. ERDuke

    ERDuke Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    14
    I can't restart in safe mode, when I type in my password it says it's wrong. I can only type my password on regular boot. I have windows 2000 based on NT. Any help to bypass this error to start in safe mode?
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Did you actually set an administrative password? Most people don't. If you didn't, just hit enter -- or try that anyway.

    Do you have Administrative rights in "normal" mode? If so, you can remove or reset the password on the administrative account.

    If not, try running the CoolWebshredder and HijackThis in normal mode, then reboot and follow the rest of the instructions.
     
  9. ERDuke

    ERDuke Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    14
    Ok here are the results, that %temp% run thing, yeah it has two files that say I can't delete because they are in use but when I cad and see the process they aren't there but that binabr is, those files keep changing their names. How do I subvert this??? I think I'm almost there but I need to stop these programs, I assume this is some sort of virus right or maybe some kind of spyware. This really bites. Here is my new log; as you can see, some of the new files changed names.

    Logfile of HijackThis v1.98.2
    Scan saved at 11:49:09 PM, on 9/6/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\basfipm.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WLTRYSVC.EXE
    C:\WINNT\System32\bcmwltry.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINNT\System32\DSentry.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\security\Database\binabr.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\AT&T Wireless\Communication Manager\Communication Manager.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    C:\Program Files\New Moon Client\iqclntmgr.exe
    c:\Program Files\PestPatrol\CookiePatrol.exe
    c:\Program Files\PestPatrol\PPMemCheck.exe
    c:\Program Files\PestPatrol\PPControl.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Documents and Settings\nuchimse\My Documents\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\NuchimsE\Application Data\Mozilla\Profiles\default\xkb4ujbj.slt\prefs.js)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\rbanib.dat
    O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [bascstray] BascsTray.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\ p:\ /hard /nosound /onceaday /nologafter /delete /nopause /RunAfterFile=C:\Progra~1\PestPatrol\PPUpdater.exe /RunAfterParams=/autoexit /RunAfterShow=Minimized
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe /nosound /delete
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [*binabr] C:\WINNT\security\Database\binabr.exe
    O4 - HKLM\..\RunOnce: [*binabr] C:\WINNT\security\Database\binabr.exe rerun
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: No Outlook Express Icons.vbs
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: AT&T Wireless Communication Manager.lnk = C:\Program Files\AT&T Wireless\Communication Manager\Communication Manager.exe
    O4 - Global Startup: CorelCENTRAL 10.lnk = C:\Program Files\Corel\WordPerfect Office 2002\Programs\CCWin10.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    O4 - Global Startup: Refresh Canaveral Shortcuts.lnk = C:\Program Files\New Moon Client\iqclntmgr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O15 - Trusted Zone: http://www.corp.ene.com
    O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2266ab6136c58b154418/netzip/RdxIE601.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.epaosc.net/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ene.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ene.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.ene.com
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    No luck getting into Safe Mode I take it?

    Reboot and do not open Internet Explorer until completing the procedures.

    >>> Keep in mind you have not told me what is in that "security" folder. I don't know whether it is legit or not. And if the system is on a business network of some kind and you do not have Administrative rights, we could be going down the wrong path here...

    If you see binabr.exe in the CAD window, terminate the process before proceeding. Then run HijackThis and check and fix these entries:


    O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\rbanib.dat
    O4 - HKLM\..\Run: [*binabr] C:\WINNT\security\Database\binabr.exe
    O4 - HKLM\..\RunOnce: [*binabr] C:\WINNT\security\Database\binabr.exe rerun


    >> Go to Start > Run, enter cmd and at the command prompt carefully type and enter each line:

    cd C:\WINNT\security\Database
    attrib -h -r -s binabr.exe
    ren binabr.exe binabr.bad


    Let me know if you get an error with any of these command lines.

    Reboot and again try to clear the %temp% folder.

    Run HijackThis again, you may need to fix things once more, but if binadr.exe is no longer loading, the fix should be permanent.
     
  11. ERDuke

    ERDuke Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    14
    Ok guy, here it is, I rebooted and did everything you said. I don't see binabr in the cad anymore. Here is what is in the security folder: (folder)database, (fol)LOGS, (fol)templates, EDB.CHK, edb.log, edb00026.log, RES1.LOG, RES2.LOG. Here is what happened when I ran the cmd prompt after it went to WINNT\security\Database
    attrib -h -r -s binabr.exe = File not found
    ren binabr.exe binabr.bad = The system cannot find the file specified


    I am a little wary of opening up IE so I am doing all my searching on Netscape. And until I get a confirmatory response from you then I will continue. I made a donation too. Thanks for your help, let me know what I should do next.
     
  12. ERDuke

    ERDuke Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    14
    Ok I haven't heard back from you guys from my last post and I am still having issues with some sort of bug that keeps changing its name and appearing in my processes. I gave a donation and need some more help. PLEASE

    Here is my hijackthis log
    Logfile of HijackThis v1.98.2
    Scan saved at 3:52:03 PM, on 9/15/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\basfipm.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WLTRYSVC.EXE
    C:\WINNT\System32\bcmwltry.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\System32\DSentry.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\AT&T Wireless\Communication Manager\Communication Manager.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    C:\Program Files\New Moon Client\iqclntmgr.exe
    c:\Program Files\PestPatrol\CookiePatrol.exe
    c:\Program Files\PestPatrol\PPMemCheck.exe
    c:\Program Files\PestPatrol\PPControl.exe
    C:\WINNT\Speech\kb.exe
    C:\Documents and Settings\nuchimse\My Documents\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\nuchimse\Application Data\Mozilla\Profiles\default\xkb4ujbj.slt\prefs.js)
    O2 - BHO: CATLEvents Object - {77849D67-5672-4B68-93E2-CCEFF1E3949E} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\bk.dat
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [bascstray] BascsTray.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\ p:\ /hard /nosound /onceaday /nologafter /delete /nopause /RunAfterFile=C:\Progra~1\PestPatrol\PPUpdater.exe /RunAfterParams=/autoexit /RunAfterShow=Minimized
    O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe /nosound /delete
    O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [*psmfc] C:\WINNT\Cursors\psmfc.exe
    O4 - HKLM\..\Run: [*kb] C:\WINNT\Speech\kb.exe
    O4 - HKLM\..\RunOnce: [*kb] C:\WINNT\Speech\kb.exe rerun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: No Outlook Express Icons.vbs
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: AT&T Wireless Communication Manager.lnk = C:\Program Files\AT&T Wireless\Communication Manager\Communication Manager.exe
    O4 - Global Startup: CorelCENTRAL 10.lnk = C:\Program Files\Corel\WordPerfect Office 2002\Programs\CCWin10.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    O4 - Global Startup: Refresh Canaveral Shortcuts.lnk = C:\Program Files\New Moon Client\iqclntmgr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O15 - Trusted Zone: http://www.corp.ene.com
    O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2266ab6...ip/RdxIE601.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.epaosc.net/viewer/active...tivexviewer.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ene.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ene.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.ene.com



    Thanks fellas
     
  13. ERDuke

    ERDuke Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    14
    There is obviously something that keeps coming back, the stop guard pop-up was never gone and this kb.exe won't delete and I have to end the process in the CAD window to use the START menu at times. I need a good colon cleanse for my computer. I can't seem to get rid of these problems.
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I'm sorry I missed your follow up.

    If you can't vouch for these, reboot in Safe Mode, run HijackThis and check and "fix" the entries.

    >> Oops, I forgot about your safe mode problem; that really needs to be resolved.

    If you have trouble with Kb.exe you must first open the Task Manager and terminate the process before trying to delete it or the folder it is in. If you can't delete it, try renaming it instead and then rebooting.

    O4 - HKLM\..\Run: [*psmfc] C:\WINNT\Cursors\psmfc.exe
    O4 - HKLM\..\Run: [*kb] C:\WINNT\Speech\kb.exe
    O4 - HKLM\..\RunOnce: [*kb] C:\WINNT\Speech\kb.exe rerun

    If these are malware, then you will want to delete both the Cursors and the Speech folders which contain them. You should be able to do it in Safe Mode.

    If you get an "access denied" or "in use" try renaming them instead.

    And if no luck with that, try something like this to do it:

    http://www.webattack.com/get/moveonboot.html

    And you can delete that "security" folder as well.

    Post another Scanlog and be detailed about any remaining problems.
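
The entries singled out for fixing in this thread share two visible traits: a BHO whose file sits in a Temp folder, and Run/RunOnce values whose names begin with `*`. The following Python script is an added example, not part of the original posts and not a HijackThis feature; its heuristics and function names are assumptions drawn from those flagged lines, and a match is a prompt for review rather than proof of malware.

```python
import re

# Constructed sample: a handful of lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {77849D67-5672-4B68-93E2-CCEFF1E3949E} - C:\DOCUME~1\nuchimse\LOCALS~1\Temp\bk.dat
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [*psmfc] C:\WINNT\Cursors\psmfc.exe
O4 - HKLM\..\Run: [*kb] C:\WINNT\Speech\kb.exe
O4 - HKLM\..\RunOnce: [*kb] C:\WINNT\Speech\kb.exe rerun
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)\b', re.I)  # strips quotes and arguments

def triage(log_text):
    """Return (reason, target_file, log_line) for entries matching the assumed heuristics."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        bho = BHO_RE.match(line)
        if bho:
            path = bho.group("path")
            if "\\temp\\" in path.lower():
                findings.append(("BHO loaded from a Temp folder", path, line))
            elif not path.lower().endswith(".dll"):
                findings.append(("BHO file is not a .dll", path, line))
            continue
        run = RUN_RE.match(line)
        if run and run.group("name").startswith("*"):
            exe = EXE_RE.match(run.group("cmd"))
            target = exe.group("exe") if exe else run.group("cmd")
            findings.append((run.group("key") + " value name starts with '*'", target, line))
    return findings

def flagged_targets(log_text):
    """Unique files behind the flagged entries, in first-seen order."""
    seen = []
    for _, target, _ in triage(log_text):
        if target not in seen:
            seen.append(target)
    return seen

if __name__ == "__main__":
    for reason, target, _ in triage(SAMPLE_LOG):
        print(f"{reason}: {target}")
```

Because the file names in this thread change between scans (binabr.exe, then kb.exe and psmfc.exe), the script keys on the entry's shape rather than on a fixed name.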
     
Short URL to this thread: https://techguy.org/270283