
HELP! Spyware knocked out device manager

Discussion in 'Virus & Other Malware Removal' started by melonhead, Sep 2, 2004.

  1. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Hi -

    OS is XP.

    I went to work on a client's computer and immediately recognized that they had the CWW trojan spyware or whatever the current name. Since they were being knocked off the internet frequently, I installed and ran spybot from a CD that I had brought and also CWW shredder. I was unable to download updates because of the internet conflict.

    Anyway after I ran the spybot and CWW shredder I attempted to download upgrades and to get on the internet to install adaware and was unsuccessful. Went thru the normal routine to check problems. When I opened up device manager NOTHING is there. I went to system restore to try to restore and there are no restore points.

    I attempted to add hardware, but when I click on it nothing happens.

    Both McAfee and Norton are installed on their computer. I was going to uninstall them both and download AVG since they haven't updated or run either of them in two years and was going to download AVG. And, of course, I know they should only have one antivirus running. Anyway, I hadn't done that yet. However, after running the spybot they both came up with error messages when rebooting that someone unauthorized had changed settings and a virus or attacker could possibly be attempting to disable protection.

    A msdos prompt box also appears titled c: winnt\xhovdkeh.exe with nothing in it.

    Obviously, I cannot get on the internet so I didn't run hijack this since I could not copy and paste it to you. I took their computer to my house (originally thinking I could network off of mine) that was before I discovered that they cannot detect their ethernet card. I mention this because if worse comes to worse I could retype hijack this into one of my computers. However, I was hoping the symptoms would prompt one of you pros to suggest a few actions that I could at least get back device manager to get internet or network connection.

    I have turned off the computer and it does not recognize that hardware is missing.

    Please help!

    Thanks in advance
     
  2. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
  3. melonhead

    melonhead Thread Starter

    Thanks for the quick reply!

    Thank goodness for the A Drive. The A drive was still functioning. I couldn't burn a CD but it was able to download hijackthis so I was able to get the log. Here it is:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:45:15 PM, on 9/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\inetm\services.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\ezSP_Px.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Creative\8xxx\bbui.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\America Online 9.0b\aoltray.exe
    C:\Downloads\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://on-search.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: run=C:\WINNT\inetm\services.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetm\services.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [euviuov] C:\WINNT\xhovdkeh.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [bbui] C:\Program Files\Creative\8xxx\bbui.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\RunOnce: [RealPlayer_update] C:\Program Files\America Online 9.0b\Jiti\Real9_codec_upd.exe restart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetm\services.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
    O8 - Extra context menu item: &RSDN Search - res://c:\toolbar_nieuw14.dll/GoRSDN.dll.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://kohler1.view22.com/apps/view22RTE.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
    O16 - DPF: {D45FD31B-5C6E-11D1-9EC1-00C04FD70900} - http://www.freeweather.com/setup.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://mmdl.vo.llnw.net/mm_cdn/0106...Ahmtra1IxvQ--/graphics/WebPlayer/MMLRadio.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/chedownzip.cab
     
  4. Nok1

    Nok1

    Remove these entries from HJT for now:
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetm\services.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetm\services.exe
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
    O16 - DPF: {D45FD31B-5C6E-11D1-9EC1-00C04FD70900} - http://www.freeweather.com/setup.exe
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://kohler1.view22.com/apps/view22RTE.cab
    O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://mmdl.vo.llnw.net/mm_cdn/0106...er/MMLRadio.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/chedownzip.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB


    Next, delete the following files (make sure that viewing of hidden/system files is enabled)
    C:\WINNT\inetm\services.exe

    and the below folders:
    C:\Program Files\Common Files\WinTools
    C:\WINNT\System32\P2P Networking

    How to enable viewing of hidden/system files - http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Okay, try going to one of these sites and doing a free online virus scan:
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    If any problems occur, post back.
     
  5. Nok1

    Nok1

    The list is very long.. try going one or two items at a time.
     
  6. melonhead

    melonhead Thread Starter

    I deleted all your suggestions from HJT and the other files while in safe mode, rebooted and ran HJT again. The new log shows the onsearch toolbar still as well as an F3 choice for inetm. When I rebooted a dialogue box indicated that they could not find this file.

    I cannot run the online scanners because I still cannot get online. Device manager is still empty.

    I'll repost the log in a minute. Gotta run to another computer that has an A drive.
     
  7. Nok1

    Nok1

    Waiting for the log :).
     
  8. melonhead

    melonhead Thread Starter

    Here it is:

    Logfile of HijackThis v1.98.2
    Scan saved at 11:12:25 PM, on 9/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\ezSP_Px.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Creative\8xxx\bbui.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\America Online 9.0b\aoltray.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Downloads\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://on-search.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: run=C:\WINNT\inetm\services.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [euviuov] C:\WINNT\xhovdkeh.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [bbui] C:\Program Files\Creative\8xxx\bbui.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetm\services.exe
    O4 - HKLM\..\RunOnce: [RealPlayer_update] C:\Program Files\America Online 9.0b\Jiti\Real9_codec_upd.exe restart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetm\services.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
    O8 - Extra context menu item: &RSDN Search - res://c:\toolbar_nieuw14.dll/GoRSDN.dll.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
    O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
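
The two HijackThis logs above can be compared mechanically to see which entries selected for removal are still present after the reboot. This is an added example, not part of any post in the thread; `parse_log` and `check_fixes` are hypothetical helper names, and the three sample strings are short excerpts copied from the first log, the second log and the first removal list.

```python
import re

# One HijackThis entry: section code (R0, F3, O4, O16 ...), " - ", then the detail.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
MISSING_RE = re.compile(r"\s*\(file missing\)$", re.IGNORECASE)


def parse_log(text):
    """Map a normalized (code, detail) key to True when HijackThis marked the file missing."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line, or a "Running processes" path
        code, detail = m.groups()
        missing = bool(MISSING_RE.search(detail))
        detail = MISSING_RE.sub("", detail)  # compare entries without the status suffix
        entries[(code, detail.lower())] = missing
    return entries


def check_fixes(before, after, fix_list):
    """Classify each entry selected for removal by what the follow-up log shows."""
    old, new, fixes = parse_log(before), parse_log(after), parse_log(fix_list)
    result = {"removed": [], "persisted": [],
              "persisted_file_missing": [], "not_in_first_log": []}
    for key in sorted(fixes):
        if key not in old:
            result["not_in_first_log"].append(key)
        elif key not in new:
            result["removed"].append(key)
        elif new[key]:
            # Registry entry is back (or was never removed) but its file is gone.
            result["persisted_file_missing"].append(key)
        else:
            # Entry is still registered: something restored it or removal failed.
            result["persisted"].append(key)
    return result


# Excerpts from the thread (raw strings keep the Windows backslashes intact).
FIRST_LOG = r"""
F3 - REG:win.ini: run=C:\WINNT\inetm\services.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetm\services.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [euviuov] C:\WINNT\xhovdkeh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
"""

SECOND_LOG = r"""
F3 - REG:win.ini: run=C:\WINNT\inetm\services.exe
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [euviuov] C:\WINNT\xhovdkeh.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetm\services.exe
"""

FIX_LIST = r"""
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetm\services.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
"""

if __name__ == "__main__":
    for status, keys in check_fixes(FIRST_LOG, SECOND_LOG, FIX_LIST).items():
        print(status)
        for code, detail in keys:
            print("   ", code, "-", detail)
```

Entries reported as persisted are the ones worth investigating for a process that rewrites them at startup; entries not in the fix list, such as the `euviuov` Run value, are left out of the report by design.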
     
  9. Nok1

    Nok1

    Okay, we are not going to remove these entries from HJT:
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: run=C:\WINNT\inetm\services.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://on-search.com/
    O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetm\services.exe
    O8 - Extra context menu item: &RSDN Search - res://c:\toolbar_nieuw14.dll/GoRSDN.dll.htm << Unless you know what this is.
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetm\services.exe


    Did you delete these folders?
    C:\Program Files\Common Files\WinTools\
    C:\WINNT\inetm\

    See if you can get this file onto a floppy disk to your internet-capable computer. Try then uploading it to the following site and paste back the results (if you can that is)

    http://virusscan.jotti.dhs.org/

    Try to delete it again. Probably might have to go to safemode again.

    Try deleting this file before going to safe mode [and in safemode]
    C:\WINNT\xhovdkeh.exe

    If you can't find the file or anything like that, then come back when done with everything else with a new log.
     
  10. melonhead

    melonhead Thread Starter

    I don't know if I scanned this correctly or not. I saved the info from my HJT you printed to a Word doc since the site needed you to load a file.

    These are the results:

    rvice load: 0% 100%

    File: hjt.doc
    Status: OK
    Packers detected: None

    AntiVir No viruses found (1.15 seconds taken)
    BitDefender No viruses found (2.48 seconds taken)
    ClamAV No viruses found (6.56 seconds taken)
    Dr.Web No viruses found (5.93 seconds taken)
    F-Prot Antivirus No viruses found (0.34 seconds taken)
    F-Secure Anti-Virus No viruses found (3.62 seconds taken)
    Kaspersky Anti-Virus No viruses found (3.84 seconds taken)
    Norman Virus Control No viruses found (1.02 seconds taken)

    Statistics
    Last piece of malware found was Backdoor.Rbot.gen in risczp.exe, detected by:

    Scanner Malware name Time taken
    AntiVir X 1.47 seconds
    BitDefender Backdoor.SDBot.Gen 6.83 seconds
    ClamAV X 6.24 seconds
    Dr.Web X 9.02 seconds
    F-Prot Antivirus X 5.55 seconds
    F-Secure Anti-Virus Backdoor.Rbot.gen 4.64 seconds
    Kaspersky Anti-Virus Backdoor.Rbot.gen 4.15 seconds
    Norman Virus Control X 12.48 seconds



    Did I do that right? It seems strange it could scan a Word doc.

    Please let me know if I should redo that some way.

    Thanks for all your help
     
  11. melonhead

    melonhead Thread Starter

    Do you think I should reinstall Windows XP at this point? I cannot access Windows installer either. Device manager is still missing. Any suggestions? Should I delete those files that you had listed in your last post?

    Thanks!
     
  12. melonhead

    melonhead Thread Starter

    Hi! I thought I might try adding an ethernet card from one of my other computers to see if it would recognize a device that has never been in this computer before. No success.

    When I went to device manager to see if there had been changes I went to help and was unable to view because couldn't enable scripts. When I did I could see the help. Don't know if this could also be related to inability to see list of devices.

    Then I reset internet options and tried to go to www.msn.com. The bottom of the internet screen stated downloading from site: res://c:\winnt\system32\shdoclc.dll/dnserror.htm. The \ / shown are correct.

    Does this prompt anything from anybody?
     
  13. Nok1

    Nok1

    Hi melonhead, I just read what you posted.

    I'm sorry for the misunderstanding - was wanting you to upload C:\WINNT\xhovdkeh.exe.

    And yes, I do want you to delete these folders:
    C:\Program Files\Common Files\WinTools\
    C:\WINNT\inetm\


    res://c:\winnt\system32\shdoclc.dll/dnserror.htm means there is no internet connection because a DNS server couldn't be contacted.
     
  14. melonhead

    melonhead Thread Starter

    Yes, I did delete:

    C:\Program Files\Common Files\WinTools\
    C:\WINNT\inetm\

    I had actually deleted the inetm file in safe mode after your first post but it came back.

    I was asking about these files which you commented on below:

    Okay, we are not going to remove these entries from HJT:
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: run=C:\WINNT\inetm\services.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://on-search.com/
    O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetm\services.exe
    O8 - Extra context menu item: &RSDN Search - res://c:\toolbar_nieuw14.dll/GoRSDN.dll.htm << Unless you know what this is.
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetm\services.exe

    Any ideas of what to do next?
     
  15. melonhead

    melonhead Thread Starter

    Oops - forgot to say that I uploaded xhovdkeh.exe and scanned for malware. It did not detect any viruses, etc.
     
Short URL to this thread: https://techguy.org/269574

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice