
.EXE Errors

Discussion in 'Windows XP' started by jimmy76, Sep 10, 2003.

Thread Status:
Not open for further replies.
  1. jimmy76

    jimmy76 Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    15
    Hey PC gods,
    I've searched through the forums and
    I can't seem to get the answers I need to fix
    these probs: sudden complete shut down w/o warning,
    error messages, mainly .EXEs. It could be anything
    from MS paint.exe to my IE
    (suchnsuch has generated errors and will now close)
    sounds like a worm, 'think it's fixable? or should I recycle my PC? here's my HiJackThis....

    Logfile of HijackThis v1.96.4
    Scan saved at 4:05:07 PM, on 9/7/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\Program Files\DownloadWare\dw.exe
    C:\Program Files\DelFin\PromulGate\PgMonitr.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
    C:\WINNT\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Altnet\Points Manager\Points Manager.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\FolderShare\FolderShare.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\WINNT\system32\rmtcfg\files\mdll.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\net.exe
    C:\WINNT\system32\net1.exe
    C:\Program Files\Creative\SBAudigy\PlayCenter2\Ctplay2.Exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\unzipped\hijackthis\HijackThis.exe
    C:\WINNT\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\system32\search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\system32\search.html
    O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINNT\IPINSIGT.DLL
    O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINNT\MSView.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
    O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Sentry] C:\WINNT\Sentry.exe
    O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
    O4 - HKLM\..\Run: [runmdll] C:\WINNT\SYSTEM32\RMTCFG\FILES\mdllstart.bat
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    :confused:
     
  2. BlueSpruce

    BlueSpruce

    Joined:
    Jul 24, 2003
    Messages:
    420
    Hi jimmy76,

    Please do the following,

    Have an online virus scan at www.trendmicro.com/en/us/enterprise.htm

    Remove NewNet in Add/Remove Programs in the control panel

    Download and install Spybot search & destroy www.security.kolla.de Open Spybot search & destroy, Click Online, Search for updates, Download all available updates, log offline, Close all browser windows, check your taskbar for minimized windows as well, Run Spybot search & destroy, put a check in every entry Spybot search & destroy returns, Click fix problems.

    Shutdown & Reboot your computer

    Open Hijack This, click config..., misc tools, check for online update, and download version 1.97. Rescan Hijack This and post a new log for follow-up review

    Good luck
     
  3. jimmy76

    jimmy76 Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    15
    BlueSpruce
    Thanks for your time and your help,
    Jimmy76
     
  4. jimmy76

    jimmy76 Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    15
    I can't paste my new log from notepad, uh
    please help, jimmy76 :confused:
     
  5. jimmy76

    jimmy76 Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    15
    here's my new log I've had to start over twice 'cause this .exe problem keeps bootin' me off.

    Proud to be an AMERICAN!!!
    jimmy76


    Logfile of HijackThis v1.97.1
    Scan saved at 10:41:57 AM, on 9/11/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINNT\System32\CTsvcCDA.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\system32\pctspk.exe
    C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\rmtcfg\files\mdll.exe
    C:\WINNT\system32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\system32\search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\system32\search.html
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [runmdll] C:\WINNT\SYSTEM32\RMTCFG\FILES\mdllstart.bat
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Try this: ctrl-alt-del and terminate this process:

    C:\WINNT\system32\rmtcfg\files\mdll.exe

    Now run HijackThis and check and "fix" this entry:

    C:\WINNT\system32\rmtcfg\files\mdll.exe

    Navigate to the rmtcfg folder and send it to the recycle bin


    This appears to be an undetected IRC Flood trojan

    http://vil.mcafee.com/dispVirus.asp?virus_k=100427

    http://216.239.57.104/search?q=cach.../backdoor.sumtax.html+mdll.exe&hl=en&ie=UTF-8

    I include these references only to show that the reason it probably is not being detected is because it seems to be a combination of different exploits using the mdll.exe file and the rmtcfg folder -- neither of which is a default windows folder or file.

    Have you installed IRC ?

    Check in Add/Remove programs...
     
  7. jimmy76

    jimmy76 Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    15
    PC Gods,
    my running processes aren't coming up after I scan

    C:\WINNT\system32\rmtcfg\files\mdll.exe

    It's on my log but not on my HiJackThis. Please excuse my ignorance.

    jimmy76
     
  8. jimmy76

    jimmy76 Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    15
    what about this,
    jimmy76

    O4 - HKLM\..\Run: [runmdll] C:\WINNT\SYSTEM32\RMTCFG\FILES\mdllstart.bat
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Yes, that's what I meant to copy/paste for deleting with HijackThis. Make sure the Running Process (mdll.exe) has not come back; terminate it if it has. You must do a ctrl-alt-del and end task it in the Task Manager window.

    You must save the HijackThis Scanlog to the desktop to see the Running processes; they do not show in the console scan itself.
     
  10. jimmy76

    jimmy76 Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    15
    thanks for your help, I'll give it another go..
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Also, have you tried running a full system scan with updated definitions from Symantec?


    Even removing this may not be enough as there are some viruses that simply corrupt every exe file on the system they can get to. Sometimes, if you are lucky, a good antivirus scan can repair the files, but sometimes not.

    And I should have had you check and "fix" these as well. Do so with all browser windows closed. I'm surprised Spybot left them. Did you update it before running and reboot afterwards?

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\system32\search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\system32\search.html
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
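
The triage step from posts 6 and 9 (a running process and an O4 Run entry that both point into the same non-default folder below system32), as an added Python example that is not part of the original thread. The function names and the "folder nested below system32" heuristic are assumptions of this sketch; the sample is an excerpt of the second log posted above.

```python
import ntpath
import re

# Excerpt of the HijackThis v1.97.1 log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.1

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\system32\rmtcfg\files\mdll.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [runmdll] C:\WINNT\SYSTEM32\RMTCFG\FILES\mdllstart.bat
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First absolute path ending in an executable-type extension (arguments are dropped).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|bat|cmd|com|scr|dll)\b", re.I)

def folder(path):
    return ntpath.dirname(path).lower()      # Windows paths are case-insensitive

def parse_log(text):
    """Split a saved scan log into running processes and O4 autostart entries."""
    processes, autoruns, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:          # a blank line ends the process list
            in_procs = False
        elif in_procs:
            processes.append(line)
        elif (m := O4_RE.match(line)):
            autoruns.append((m["key"], m["name"], m["cmd"]))
    return processes, autoruns

def find_persistent_pairs(text):
    """Autostart entries whose folder sits below system32 and hosts a live process."""
    processes, autoruns = parse_log(text)
    findings = []
    for key, name, cmd in autoruns:
        m = PATH_RE.search(cmd)
        if not m:                            # bare file name, resolved via search path
            continue
        parts = folder(m.group(0)).split("\\")
        if "system32" not in parts or parts[-1] == "system32":
            continue                         # assumption: only nested folders are of interest
        live = [p for p in processes if folder(p) == folder(m.group(0))]
        if live:
            findings.append({"key": key, "run_value": name,
                             "target": m.group(0), "processes": live})
    return findings
```

Each finding names both halves of the cleanup the thread walks through: the process to end in Task Manager and the Run value to fix in HijackThis. WinMgmt.exe also runs from a folder below system32 but is not reported, because no autostart entry points there.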
     
Short URL to this thread: https://techguy.org/163814