Hijack this help!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

kplgmc

Thread Starter
Joined
Mar 31, 2004
Messages
126
I am having problems with this laptop. I cannot bot into Windows normally. I have to use the "last known good configuration" option every time. I have gone through in safe mode and ran ad aware and spybot but the problem persists. Also, once I am booted up it opens the hardware wizard even though I have no new connected. Here is the log. Thanks for the help!



Logfile of HijackThis v1.99.0
Scan saved at 10:18:34 AM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Support Assist\Assist\srvc.exe
C:\Program Files\Support Assist\Assist\cust.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Support Assist\Assist\capp.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\wuptetab.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt1.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KLaFlamme.ZOLLMED\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://business.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SDWin32 Class - {0A134463-7231-46D4-B683-FFD91ECB32B2} - C:\WINDOWS\System32\mccpk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Support AssistCApp] C:\Program Files\Support Assist\Assist\capp.exe -r
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [do5pRhKtT] wuptetab.exe
O4 - Startup: Iomega Product Registration.lnk = C:\Program Files\Iomega\Registration\Register.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\PROGRA~1\Swhois3\swiehlp.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\Swhois3\swiehlp.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\Swhois3\swiehlp.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095799745034
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://oracle411i.zoll.com:8001/jinitiator/oajinit.exe
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://bizserver.zoll.com/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zollmed.com
O17 - HKLM\Software\..\Telephony: DomainName = zollmed.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E725C98-777F-4640-BC15-6EB637A4C4D5}: Domain = ZOLL.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zollmed.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zollmed.com
O23 - Service: Connected Agent Service - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Support Assist Agent - HandsFree Networks, Inc. - C:\Program Files\Support Assist\Assist\srvc.exe
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi,


To get started> scan online at both of these places:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

http://housecall.antivirus.com/housecall/start_corp.asp

If you have never used them, both of those scans will take a while to get the Active X controls loaded and then scan all files.... Not much you can do except go do it.

Set the settings to scan all files, Scan the whole computer, all hard drives...whatever each has. AUTOCLEAN should be checked, too. You don't get to scan unless you let the ActiveX control load, that is what gets tiring, but it should finish> it does seem to stop but you should wait and scan!
Panda will let you save a Report as Activescan.txt when it finishes, which you should post here in your next reply. Housecall only shows you what it found, cleaned, could not fix, or deleted....so, do Panda first and Housecall next to keep the manual filename recording to a minimum, but we should have you post the filenames it found infected, the locations of files, and what the exact trojan name is for each.
___________________________
You will need both of these programs, and these versions...though you might have both, one or the other may be older than what I am posting and will not be as effective as they can be! You need to check the Build of AdAware you have, it's right on the main window, we are using AdAware SE personal edition (the free one) v. 1.05 now, and even though you are just installing it, it will have some detection updates just after you install it, unless you get very lucky!

SpyBot Search and Destroy v. 1.3> is the latest. The older versions are abandoned and will not give you any more updates!

Both of those programs are available here:

http://www.majorgeeks.com/downloads31.html

Here are the directions for installing, updating, and using them:
AdAware:

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

SpyBot 1.3:

Install the program and launch it.

Before scanning press Online and Search for Updates .

Put a check mark at and install all updates.

Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.

Post the new HJT log, made after you run the online antivirus scans, plus AdAware and SpyBot scans, right here in this thread, OK? Good luck.
 

kplgmc

Thread Starter
Joined
Mar 31, 2004
Messages
126
Whenever I go to those web sites my browser crashes. I ran all the updates for Spybot and Adaware and ran the programs. Here is the new log. Maybe I can run those sites after some cleanup..............



Logfile of HijackThis v1.99.0
Scan saved at 9:05:43 AM, on 1/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\jnfqblli5.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Support Assist\Assist\srvc.exe
C:\Program Files\Support Assist\Assist\cust.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Support Assist\Assist\capp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\aqxdhydt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt1.exe
C:\Documents and Settings\KLaFlamme.ZOLLMED\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://business.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {BC9C4FBF-233C-3CCE-C371-CDA4D029FBDD} - C:\WINDOWS\System32\seglwtbf.dll
O2 - BHO: (no name) - {F0AAD507-F1CA-0222-730C-7F8D1D9FA827} - C:\WINDOWS\System32\lplkmlqo.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Support AssistCApp] C:\Program Files\Support Assist\Assist\capp.exe -r
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [aqxdhydt] C:\WINDOWS\System32\aqxdhydt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [do5pRhKtT] wuptetab.exe
O4 - Startup: Iomega Product Registration.lnk = C:\Program Files\Iomega\Registration\Register.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095799745034
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://oracle411i.zoll.com:8001/jinitiator/oajinit.exe
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://bizserver.zoll.com/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zollmed.com
O17 - HKLM\Software\..\Telephony: DomainName = zollmed.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E725C98-777F-4640-BC15-6EB637A4C4D5}: Domain = ZOLL.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zollmed.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zollmed.com
O23 - Service: Connected Agent Service - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: aikxoiidulgl - Unknown - C:\WINDOWS\System32\jnfqblli5.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Support Assist Agent - HandsFree Networks, Inc. - C:\Program Files\Support Assist\Assist\srvc.exe
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, OK cleanup it is!


You will be doing the fixing in Safe Mode- so copy the steps to a Notepad text file to save to the desktop so you have them in Safe Mode, print out if you like.

Boot to Safe Mode by tapping the F8 key when you restart or start up the computer...tap quickly several times when you first see text on screen, when you see the startup menu, with arrow key select Safe Mode, and then hit Enter key once. Give it plenty of time to get to the desktop.


In Safe Mode> we still may have some of these items running as processes, best you check for them:
CTRL+ALT+DEL to bring up the list, then use the Processes tab to see if any below are active and End them:

jnfqblli5.exe

wuptetab.exe

aqxdhydt.exe if any just pop back, continue:

Run Hijackthis, put checks by all of these items and then press "fix checked:"



O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {BC9C4FBF-233C-3CCE-C371-CDA4D029FBDD} - C:\WINDOWS\System32\seglwtbf.dll
O2 - BHO: (no name) - {F0AAD507-F1CA-0222-730C-7F8D1D9FA827} - C:\WINDOWS\System32\lplkmlqo.dll

O4 - HKLM\..\Run: [aqxdhydt] C:\WINDOWS\System32\aqxdhydt.exe
O4 - HKCU\..\Run: [do5pRhKtT] wuptetab.exe
O23 - Service: aikxoiidulgl - Unknown - C:\WINDOWS\System32\jnfqblli5.exe

Now, we need to set things so you can find and delete hidden files, do this:

flrman1 said:
Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"



Next, we need to find these files, do that by navigating to the folders that contain them, delete the file at end of line.

C:\WINDOWS\System32\jnfqblli5.exe
C:\WINDOWS\System32\aqxdhydt.exe
C:\WINDOWS\System32\wuauclt1.exe <watch out, the normal one is without the 1, be sure you have this one!!!
C:\WINDOWS\System32\seglwtbf.dll
C:\WINDOWS\System32\lplkmlqo.dll
wuptetab.exe <use Search or look in System32, Windows, etc but you may not find it.

Next do this:


flrman1 said:
Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box, and OK. The Temp folder will open. Click Edit > Select All then File > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.
Make a note as you go along, if any .exe files do return as processes and resist deleting> "files are in use" messages etc, for any file> Hijack has both a process killer and a "Delete file upon reboot" feature which you may have to use. The Config button will show you this feature...

You can delete more than one file by adding the first, and not rebooting right then, add more, until you have all that you need to delete at reboot...and then select Reboot.

After you are restarted> Run your AdAware and SpyBot scans, and then try the Panda and Housecall sites.

I hope this works!
 

kplgmc

Thread Starter
Joined
Mar 31, 2004
Messages
126
Thanks for the help. I did all that you suggested and ran ad aware and spybot. Ad aware eliminated 3 items and spybot came up clean. Panda and Trend both still crash my browser and it is still asking me about installing the new hardware. The wizard come up and says Hardware:Unknown. There is definitely nothing being added. Here is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 11:41:47 AM, on 1/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Support Assist\Assist\srvc.exe
C:\Program Files\Support Assist\Assist\cust.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Support Assist\Assist\capp.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KLaFlamme.ZOLLMED\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://business.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BC9C4FBF-233C-3CCE-C371-CDA4D029FBDD} - (no file)
O2 - BHO: (no name) - {F0AAD507-F1CA-0222-730C-7F8D1D9FA827} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Support AssistCApp] C:\Program Files\Support Assist\Assist\capp.exe -r
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [do5pRhKtT] wuptetab.exe
O4 - Startup: Iomega Product Registration.lnk = C:\Program Files\Iomega\Registration\Register.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095799745034
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://oracle411i.zoll.com:8001/jinitiator/oajinit.exe
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://bizserver.zoll.com/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zollmed.com
O17 - HKLM\Software\..\Telephony: DomainName = zollmed.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E725C98-777F-4640-BC15-6EB637A4C4D5}: Domain = ZOLL.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zollmed.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zollmed.com
O23 - Service: Connected Agent Service - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Support Assist Agent - HandsFree Networks, Inc. - C:\Program Files\Support Assist\Assist\srvc.exe
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, No help with that Hardware detection, perhaps it will stop...malware does some awful strange things.


wuptetab.exe may be running, End Process again and


Fix these with HJT

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BC9C4FBF-233C-3CCE-C371-CDA4D029FBDD} - (no file)
O2 - BHO: (no name) - {F0AAD507-F1CA-0222-730C-7F8D1D9FA827} - (no file)
O4 - HKCU\..\Run: [do5pRhKtT] wuptetab.exe

Now, try and find wuptetab.exe and delete it. You can also Kill Process with Hijackthis, from the Config tab lower right, click on wuptetab.exe in process list, Kill, and then try finding and deleting it.

Post a new log when you are done.

Try this too: Stinger by McAfee, free:

http://vil.nai.com/vil/stinger/

If it will not run in Normal mode, try it from Safe Mode!
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top