fool needs help

Discussion in 'Virus & Other Malware Removal' started by jules.j, Apr 8, 2004.

  1. jules.j

    jules.j Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    29
    Like a fool I have tried to install some software from dubious origin and it has gone wrong. My Internet Explorer home page has changed and so has my media player icon. When I click on media player I get a message:

    16 bit ms-dos subsystem

    C:\documents and settings\julian\desktop\windows media player.lnk
    The NTVDM CPU has encountered an illegal instruction

    some numbers and letters and then: choose 'close' to terminate the application.

    I know it's my fault but am new to this and would appreciate some help so I can get rid of this problem.
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi jules.j

    Welcome to TSG! :)

    Please do this. Click here to download Hijack This. Click on the Hijackthis.exe.

    Click the "Scan" button. When the scan is finished the "Scan" button will become "Save Log"; click that and save the log.

    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

    *Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
     
  3. jules.j

    jules.j Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    29
    Logfile of HijackThis v1.97.7
    Scan saved at 15:42:19, on 08/04/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\loadqm.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\eMule\emule.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\My Documents\julians\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://awebfind.biz/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://awebfind.biz/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://awebfind.biz/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://awebfind.biz/sp.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://awebfind.biz/sp.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://awebfind.biz/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [AON] C:\Program Files\Apserver\AON.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .mps: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Click here to download CWShredder. Close all browser windows, unzip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

    When it is finished restart your computer.

    IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

    The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"

    Come back here and post another Hijack This log and we'll get rid of what's left.
     
  5. jules.j

    jules.j Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    29
    Thanks for the advice so far

    I have downloaded the Windows Update files; here is the copy of the Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 17:40:59, on 08/04/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\loadqm.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\My Documents\julians\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [AON] C:\Program Files\Apserver\AON.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .mps: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38085.3526157407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Do you know what this is?:

    O4 - HKCU\..\Run: [AON] C:\Program Files\Apserver\AON.EXE

    Also did you place these restrictions on IE and regedit?:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm


    Restart your computer.
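
    The comparison being done by eye across the successive logs above, as an added example (not part of the original thread and not HijackThis's own logic): it parses log entries, flags the kinds of lines singled out in this thread, and reports which flagged entries survived between two scans. The allowlist, function names and sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed samples: a handful of entries modelled on the first and second
# scans posted in this thread (not the full logs).
FIRST_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://awebfind.biz/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""
SECOND_SCAN = "\n".join(FIRST_SCAN.splitlines()[2:])  # same, minus the awebfind.biz line

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
TRUSTED_HOSTS = ("microsoft.com", "msn.com")  # assumption: illustrative allowlist

def parse(log):
    """Return [(code, body)]; header and running-process lines do not match."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def flag(code, body):
    """Return a reason if the entry deserves a human look, else None."""
    if code in ("O6", "O7"):
        return "policy restriction on IE options or regedit"
    if code in ("R0", "R1") and " = " in body:
        data = body.split(" = ", 1)[1]
        if "MSITStore:" in data or data.lower().endswith(".chm"):
            return "IE page served from a local compiled-help (.chm) file"
        if data.lower().startswith(("http://", "https://")):
            host = urlparse(data).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
                return "IE search/start URL on a non-allowlisted host"
    return None

def triage(before, after):
    """Split flagged entries of `before` into removed vs. still present in `after`."""
    remaining = set(parse(after))
    result = {"removed": [], "persisting": []}
    for entry in parse(before):
        reason = flag(*entry)
        if reason:
            key = "persisting" if entry in remaining else "removed"
            result[key].append((entry[0], reason))
    return result

if __name__ == "__main__":
    for state, items in triage(FIRST_SCAN, SECOND_SCAN).items():
        for code, reason in items:
            print(f"{state:10} {code:3} {reason}")
```

    Startup (O4) entries are deliberately not auto-flagged here: as in the thread, an unfamiliar Run entry is a question for the machine's owner, not something a pattern can decide.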
     
  7. jules.j

    jules.j Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    29
    No idea what 04 is

    As for 06 and 07, I don't think so, although maybe I could have done so when trying to install the software?
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Yes fix these:

    O4 - HKCU\..\Run: [AON] C:\Program Files\Apserver\AON.EXE

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    Restart your computer.
     
  9. jules.j

    jules.j Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    29
    Hi there,

    Have fixed these but am still getting different home pages coming up.

    Any ideas?

    Here is a copy of the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:46:06, on 14/04/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\loadqm.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\My Documents\julians\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .mps: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38085.3526157407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Ok I'm going to have you do this fix in safe mode so you may want to copy these instructions to notepad.

    Boot to safe mode.

    How to start your computer in safe mode

    In safe mode run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html


    Now while still in safe mode click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"

    Next manually navigate to the C:\WINDOWS folder and locate and delete the start.chm file and the start.html file.

    Now boot back to normal and see if everything is back to normal.
     
  11. jules.j

    jules.j Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    29
    Great, things seem to be back to normal, anything else I need to do?
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

    Also I highly recommend that you go to Windows update and install all "Critical Updates and Service Packs". This will patch numerous security holes in IE and Windows.
     
  13. jules.j

    jules.j Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    29
    Thanks a lot for all your help; my first introduction to forums has been an enlightening one! I will recommend this site to anyone I know with any sort of computing problems and will be sure to visit again myself.
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    My pleasure! :)

    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I got your PM and have reopened this thread.

    Please post another Hijack This log here.
     

Short URL to this thread: https://techguy.org/218357
