
HJT won't open

Discussion in 'Virus & Other Malware Removal' started by weeziegirlca, Dec 21, 2005.

Thread Status:
Not open for further replies.
  1. weeziegirlca

    weeziegirlca Thread Starter

    Joined:
    Dec 21, 2005
    Messages:
    15
    I tried following the instructions you gave here, but after deleting the 4 files using Killbox, I still wasn't able to open Hijack This....(it would still only open for about 3 seconds and close) so I came to a standstill and wasn't able to follow the rest of the instructions.

    Please help!

    Thanks

    Weezie
     
  3. weeziegirlca

    weeziegirlca Thread Starter

    Joined:
    Dec 21, 2005
    Messages:
    15
    This is what I have done so far (from following the other thread) and then quickly came to a halt when I still couldn't open Hijack This...

    "Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    now Start killbox paste the first file listed below into the full pathname and file to delete box

    The file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill and deltree, press the red X button, say yes to the prompt and once the file deleted message comes up then repeat for each file in turn

    [Note: Killbox makes backups of all deleted files in a folder called C:\!killbox ] If Killbox tells you any files are missing don't worry
    C:\WINDOWS\system32\jwvyifgom\csrss.exe
    C:\WINDOWS\system32\vrdhqol.exe
    C:\WINDOWS\system32\wupfyny.exe
    C:\WINDOWS\system32\jwvyifgom\smss.exe

    Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

    then as some of the folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then reboot"

    "Do the delete with killbox first then HJT should run to clear up the registry entries"

    This is where I had to stop because I wasn't able to open Hijack This to get rid of the entries. Well...I managed to get rid of the first 2 or 3 after several attempts because they were near the top of the page, but the others are too far down the page to have enough time to scroll plus delete them.

    Thanks!

    Weezie
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,083
    I don't even know if you have the same files, so do this if you can't get HJT to run

    download and unzip http://www.diamondcs.com.au/index.php?page=asviewer and double click the asviewer.exe file
    press main and make sure the top 3 items are ticked, press refresh & then save and copy that log back here
     
  5. weeziegirlca

    weeziegirlca Thread Starter

    Joined:
    Dec 21, 2005
    Messages:
    15
    I think I already did this as well. Do you know what the files are called that should be deleted? The first 3 listed are called:

    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\himem.sys

    Should I delete these?

    Thanks for your help!

    Weezie
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,083
    NO, don't delete anything. I need to see the log to see what is wrong

    what happens when you run asviewer?

    I have never seen anything disable that before
     
  7. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    76,363
    Weezie:

    Go here and install Visual Basic Runtime 6.0 SP5, then see if you can get HIJACKTHIS to run.

    HIJACKTHIS and CWSHREDDER are 2 programs that I'm aware of that need this installed before they can run.

     
  8. weeziegirlca

    weeziegirlca Thread Starter

    Joined:
    Dec 21, 2005
    Messages:
    15
    Thanks,

    Asviewer still works on my computer. I was just saying that I had already downloaded it and deleted the first 3 files (from those previous instructions I followed) so I wasn't sure if the first 3 files I showed would still be the right ones to download.
    Here is my log from Asviewer....

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for [email protected], 12-22-2005
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\system32\ssmypics.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\system32\ssmypics.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTHelper
    C:\WINDOWS\system32\CTHELPER.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroFilterCheck
    C:\WINDOWS\system32\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RemoteControl
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTRegRun
    C:\WINDOWS\CTRegRun.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Disc Detector
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdReg
    C:\WINDOWS\Updreg.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTStartup
    C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Jet Detection
    C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\csrss
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TPP Auto Loader
    C:\WINDOWS\TPPALDR.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iTunesHelper
    C:\Program Files\iTunes\iTunesHelper.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
    C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdates
    C:\Program Files\winupdates\winupdates.exe /auto
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
    C:\Program Files\Messenger\msmsgs.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskTray
    C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Taskbar
    C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\csrss
    C:\WINDOWS\system32\ctfmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\webcheck.dll
    C:\WINDOWS\system32\stobject.dll
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Garrett.job
    C:\PROGRA~1\NORTON~1\Navw32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\Garrett\Start Menu\Programs\Startup\Adobe Gamma.lnk
    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office10\OSA.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MonacoGamma.lnk
    C:\Program Files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MonacoReminder.lnk
    C:\Program Files\Monaco Systems\MonacoOPTIX 2.0\Monaco Reminder.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\CTStartup\CTStartup
    C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    SsiEfr.e
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}\
    C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\BITS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Creative Service for CDROM Access\
    C:\WINDOWS\system32\CTSVCCDA.EXE
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\DcomLaunch\
    C:\WINDOWS\system32\svchost -k DcomLaunch
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\EpsonBidirectionalService\
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    HKLM\System\CurrentControlSet\Services\EPSONStatusAgent2\
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\MDM\
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    HKLM\System\CurrentControlSet\Services\NPFMntor\
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\system32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PfModNT\
    \??\C:\WINDOWS\system32\drivers\PfModNT.sys
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\svcWRSSSDK\
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    HKLM\System\CurrentControlSet\Services\symlcbrd\
    \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\UMWdf\
    C:\WINDOWS\system32\wdfmgr.exe
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WMDM PMSP Service\
    C:\WINDOWS\system32\MsPMSPSv.exe
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs


    Weezie
     
  9. weeziegirlca

    weeziegirlca Thread Starter

    Joined:
    Dec 21, 2005
    Messages:
    15
    Thanks, but I can get it to run briefly (for about 3 seconds) but the virus itself is disabling it (and most other antivirus or spyware blocker programs) and won't even let me go to any of their websites.

    Weezie
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,083
    start ASviewer & scroll down and look for these entries in the right hand column

    When they appear, right click them and select delete registry value. Do it for each example of those entries; you should find several of each

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\csrss
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdates

    once that is done reboot & Download the Hoster from here. UnZip the file and run hoster then press "Restore Original Hosts" and press "OK". Exit Program.

    once that is done you should be able to run HJT, so post a HJT log
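The two Run values named in the post above (csrss and winupdates) are the kind of thing a defender can pick out of an Autostart Viewer log mechanically rather than by scrolling. What follows is an added example in Python, not a tool from this thread or from DiamondCS: it parses the log layout quoted earlier in the thread (a location line followed by one or more target lines) and applies three heuristics: an autostart value named after a core system process, a binary carrying a core process name that lives outside system32, and two Run values launching the same program. The sample log is a constructed excerpt assembled from entries quoted in this thread (the Startup csrss.lnk target is assumed, combining the shortcut from the HJT log with the path given to Killbox); the heuristics and function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Names of core Windows processes that are started by the kernel or winlogon,
# never by a Run key or a Startup shortcut. An autostart value carrying one of
# these names (the thread's HKLM\...\Run\csrss) is a masquerade.
CORE_PROCESS_NAMES = {"csrss", "smss", "lsass", "winlogon", "services", "svchost"}
SYSTEM_DIR = r"c:\windows\system32"

# Constructed excerpt in Autostart Viewer layout (a location line followed by
# one or more target lines), assembled from entries quoted in the thread.
SAMPLE_LOG = r"""DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for [constructed], 12-22-2005
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
C:\Program Files\QuickTime\qttask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\csrss
C:\Program Files\QuickTime\qttask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdates
C:\Program Files\winupdates\winupdates.exe /auto
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\csrss
C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\webcheck.dll
C:\Documents and Settings\Garrett\Start Menu\Programs\Startup\csrss.lnk
C:\WINDOWS\system32\jwvyifgom\csrss.exe
"""


def is_location(line: str) -> bool:
    """Location lines name a registry value, INI key, task or shortcut; the rest are targets."""
    low = line.lower()
    return (low.startswith(("hklm\\", "hkcu\\", "hkcr\\", "hku\\"))
            or low.endswith((".job", ".lnk", ".nt"))
            or ".ini [" in low)


def parse_asviewer_log(text: str) -> List[Tuple[str, str]]:
    """Return (location, target) pairs; a location with several targets yields one pair each."""
    entries: List[Tuple[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DiamondCS Autostart Viewer"):
            continue
        if is_location(line):
            current = line
        elif current is not None:
            entries.append((current, line))
    return entries


def program_path(target: str) -> str:
    """Strip quotes and arguments from a command line, keeping the program that runs."""
    t = target.strip().strip('"')
    m = re.match(r"^(.*?\.(exe|scr|dll|sys|com))", t, re.I)
    return m.group(1) if m else t.split(" ")[0]


def find_suspicious(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply three heuristics and return (reason, location, target) findings."""
    findings: List[Tuple[str, str, str]] = []
    run_targets: Dict[str, List[str]] = defaultdict(list)
    for loc, target in entries:
        low_loc = loc.lower()
        is_run = "\\run\\" in low_loc
        is_startup = low_loc.endswith(".lnk")
        # Run value name or shortcut file name, without its extension.
        name = loc.rstrip("\\").rsplit("\\", 1)[-1]
        stem = re.sub(r"\.(exe|lnk)$", "", name, flags=re.I).lower()
        prog = program_path(target)
        parent, _, base = prog.lower().rpartition("\\")
        # 1. A Run value or Startup shortcut named after a core system process.
        if (is_run or is_startup) and stem in CORE_PROCESS_NAMES:
            findings.append(("core-name-in-autostart", loc, target))
        # 2. A binary named like a core process living anywhere but system32
        #    (the thread's C:\WINDOWS\system32\jwvyifgom\csrss.exe). Bare names
        #    without a directory are skipped: they resolve through PATH.
        if parent and base.rsplit(".", 1)[0] in CORE_PROCESS_NAMES and parent != SYSTEM_DIR:
            findings.append(("core-binary-outside-system32", loc, target))
        if is_run:
            run_targets[prog.lower()].append(loc)
    # 3. Two Run values launching the same program: one was likely planted to
    #    blend in beside a legitimate entry (csrss -> qttask.exe in the thread).
    for prog, locs in run_targets.items():
        if len(locs) > 1:
            findings.append(("duplicate-run-target", "; ".join(locs), prog))
    return findings


if __name__ == "__main__":
    for reason, loc, target in find_suspicious(parse_asviewer_log(SAMPLE_LOG)):
        print(f"{reason:30} {loc}\n{'':30} -> {target}")
```

Run against the constructed excerpt this flags both csrss Run values, the csrss.lnk shortcut and its binary under the random-named system32 subfolder, plus the two duplicated targets. The winupdates entry is not caught by any of the three rules: nothing about its name or path is impossible for a legitimate program, which is why the moderator identifies it by name rather than by shape. Catching that class needs an allowlist of known vendor directories or a hash lookup, not a naming heuristic. Paste a real Autostart Viewer log in place of SAMPLE_LOG to triage it the same way; the script only reports, it deletes nothing.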
     
  11. weeziegirlca

    weeziegirlca Thread Starter

    Joined:
    Dec 21, 2005
    Messages:
    15
    Thanks, so far, so good. I was able to get rid of those files in Asviewer (I hope) and ran Hoster and then was able to run HJT. Here is my hjt log...

    Logfile of HijackThis v1.99.1
    Scan saved at 5:58:38 PM, on 22/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\TPPALDR.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\winupdates\winupdates.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\All Users\Desktop\Maintenance\abc\getrid.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messengersite.net/forum/portal.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
    O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: csrss.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
    O4 - Global Startup: MonacoReminder.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.craigcopy.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133974223421
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{190C7383-D704-4264-A960-7D67D79CA572}: NameServer = 207.61.64.103 209.167.105.10
    O17 - HKLM\System\CS1\Services\Tcpip\..\{190C7383-D704-4264-A960-7D67D79CA572}: NameServer = 207.61.64.103 209.167.105.10
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,083
    Ok

    now update spysweeper and run it as it should deal with winupdates

    • open spysweeper
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:

      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.

    and after running spysweeper also do this please
    • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!

    Reboot into Safe Mode
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Double-click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient!
    • Once the Scan is Complete
      • Reboot back to Normal Mode!
      • Go to the WinPFind folder
      • Locate WinPFind.txt
      • Place those results in the next post!
     
  13. weeziegirlca

    weeziegirlca Thread Starter

    Joined:
    Dec 21, 2005
    Messages:
    15
    I don't have Spysweeper anymore (didn't upgrade it). Is there anything else I can use instead (that is also free)?

    Weezie
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,083
    uninstall spysweeper then as it's a waste of time having it on the computer

    and use adaware and M$ antispyware

    Download AdAware SE 1.06 from http://www.lavasoft.com and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".


    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.


    Reboot &

    Download and install the Micro$oft antispyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds

    First press file and check for updates and then run it
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    52,083
    Also I can't see any antivirus running

    I can only see Norton firewall but not the AV part. That might have been damaged by the pest as well as HJT etc., so you will probably have to reinstall Norton, unless that was also out of date and you are looking for a new free antivirus, in which case make sure Norton is fully uninstalled and try one. A free one that many users of this forum use successfully is
    AVG from http://free.grisoft.com/freeweb.php/doc/1/

    BUT you CANNOT have 2 Antiviruses installed at the same time
     
  16. weeziegirlca

    weeziegirlca Thread Starter

    Joined:
    Dec 21, 2005
    Messages:
    15
    Thanks so much for your help! Everything appears to be back to normal now.

    Thanks!

    Weezie
     

Short URL to this thread: https://techguy.org/426932