1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Help Me!!!

Discussion in 'Windows XP' started by rbrice, Sep 24, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. rbrice

    rbrice Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    12
    I run my adware blocker and spyware blocker CONSTANTLY. However, it's not picking something up. Programs AUTOMATICALLY DOWNLOAD each time I start up. It fills my desktop up with Icons and puts bars on my Internet Explorer and really makes my computer slow down and have pop-ups galore. I think I'm reaping what I've sewn for downloading music in the past from KaZaA (which I no longer do!!!)

    Can someone please look over this and let me know what I need to delete? I've got to get rid of this, I'm loosing my mind (what Little I have left!)

    ------------------------------------------------------------------------------------------------------------------------------------

    Logfile of HijackThis v1.96.1
    Scan saved at 8:53:59 PM, on 9/24/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Browser mouse\1.2\mouse32a.exe
    C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\SpamButcher\spambutcher.exe
    C:\Program Files\Office keyboard utility\1.2\MMKEYB.EXE
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Office keyboard utility\1.2\osd.exe
    C:\DOCUME~1\ROBRIC~1\LOCALS~1\Temp\Rem35C.exe
    C:\DOCUME~1\ROBRIC~1\LOCALS~1\Temp\Ibn35D.exe
    C:\DOCUME~1\ROBRIC~1\APPLIC~1\msbb.exe
    C:\Program Files\Trek Blue\Spyware Nuker\SPYNUKER.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\unzipped\hijackthis[1]\HijackThis.exe

    O2 - BHO: (no name) - {19B96513-22E6-492B-9051-448F9CDC48E7} - C:\WINDOWS\System32\ocrypt32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {c6d7255e-bc75-4faf-ab35-6240f90663cc} - C:\DOCUME~1\ROBRIC~1\APPLIC~1\ncrgrgcxs.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [FLMBROWSERMOUSE] C:\Program Files\Browser mouse\1.2\mouse32a.exe
    O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [ADHK] C:\WINDOWS\ADHK.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: SpamButcher.lnk = C:\Program Files\SpamButcher\spambutcher.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/SpywareNuker_com/SpywareNukerInstaller.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4AD7DA15-AB2F-4C91-BEF5-3876DA4A2CCC} - http://www.cambridgesoft.com/plugins/activex/install/NetInstall.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.8082060185
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RRICE
    O17 - HKLM\Software\..\Telephony: DomainName = RRICE
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RRICE
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RRICE

    ------------------------------------------------------------------------------------------------------------------------------------
     
  2. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    32,261
    First Name:
    James
    C:\DOCUME~1\ROBRIC~1 - do you know what program is associated with this folder?

    Also those O17s look omnious... do you have anything associated with that too?

    Last thing what are the names on the icons that appear?
     
  3. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    32,261
    First Name:
    James
    also this one

    O4 - HKLM\..\Run: [ADHK] C:\WINDOWS\ADHK.exe

    If you are positive that you don't know them, then delete them
     
  4. rbrice

    rbrice Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    12
    Thank you for your help -- When I run Hijak, I delete the things I DEFINATELY KNOW I don't need - but usually if I'm unsure, I leave it alone. I know that the problem is one of those, "UNSURE" items. I don't remember what Icons all pop up. One says, "Play cards", "Sex", "Coupons", etc. It's just a mess of 10-15 icons that I delete promptly. I also am constantly unchecking things from MSCONFIG. I think that the value is automatically changing, because the values in startup tab of MSCONFIG are things like, "DXBFFRBOLM" or "NXVBC" etc. and I've never seen anything about them on this TSG Forums list.

    Thank you for your help.

    -Rob
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    You can safely remove all 017's as well..
     
  6. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    32,261
    First Name:
    James
    If you see them again, try looking at the program properties, by right clicking the icon and click properties and see where the file is located (target or target location). Then you will know where some of the files are.
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    rbrice

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    O2 - BHO: (no name) - {19B96513-22E6-492B-9051-448F9CDC48E7} - C:\WINDOWS\System32\ocrypt32.dll

    O2 - BHO: (no name) - {c6d7255e-bc75-4faf-ab35-6240f90663cc} - C:\DOCUME~1\ROBRIC~1\APPLIC~1\ncrgrgcxs.dll

    O4 - HKLM\..\Run: [ADHK] C:\WINDOWS\ADHK.exe

    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab

    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product...erInstaller.exe

    Here is some info on Spyware Nuker. It is a slap in the face to anyone who is truly fighting the good fight against adware/spyware etc.. I suggest you uninstall it and get the true Spyware fighting programs I am about to recommend.

    http://www.spywareguide.com/product_search.php

    These:

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RRICE
    O17 - HKLM\Software\..\Telephony: DomainName = RRICE
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RRICE
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RRICE

    I have never seen this before "RRICE" if you don't recognize it as being provided by your ISP fix those.

    Edit: AHH! nevermind the above I see now that RRICE is your name so I assume that is legit.

    After having HJT fix the above entries:

    Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

    In Safe Mode delete:

    The entire contents of the
    C:\Documents and Settings\ROBRICE\Local Settings\Temp folder

    The C:\Documents and Settings\ROBRICE\Application Data\msbb.exe file.

    The C:\WINDOWS\ADHK.exe file

    Restart back to normal.

    Go here http://housecall.trendmicro.com/ and do an online virus scan.

    Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
    The click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning" ...........then......under "Cleaning engine" put a ckeck by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot" then click "Proceed"

    Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest referencefiles.
    After getting the latest referencefiles you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished let it fix everything it finds.

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates" .

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.

    Be sure and take advantage of the "Immunize" feature in Spybot.

    Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks.
    On this page you will find a link to Javacool's SpywareBlaster and Spyware Guard. Get them both and check for updates frequently.
    The Immunize feature in Spybot used in conjunction with SpywareBlaster and SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping you spyware free.

    Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/167238

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice