Status
Not open for further replies.

ie problems

11K views, 26 replies, 3 participants, last post by dvk01
#1 ·
My Explorer will not start up without displaying these 2 error messages first. It takes about half an hour for it to show, then shortly after IE opens Google. I try to search and then it goes to "Not responding".

Error 1:

iexplore.exe - application error

The application failed to initialize properly (0xc0000142). Click OK to terminate the application..

Error 2:

Runtime Error

Program: C:\Program Files\Internet Explorer\iexplore.exe

This application has requested to terminate it in an unusual way. Please contact the application support team for information.

I'm currently using Firefox to post this thread, so my connection is fine. Any idea on how to fix this please? Thanks.
 
#2 ·
That could mean absolutely anything.

First step is to see what is obvious in an HJT log.

Go here and download the 'Hijack This!' self-installer. Save it to the desktop or another suitable place. DO NOT just press Run from the website. Double-click on the file and it will install to C:\program files\hijackthis and create an entry in the Start menu and an optional shortcut on the desktop.
Click on the entry in the Start menu or on the desktop to run HijackThis.
Click the "Scan" button; when the scan is finished the Scan button will become "Save Log". Click that and save the log.
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 
#4 ·
Hi Derek,

Error 1:

iexplore.exe - application error

The application failed to initialize properly (0xc0000142). Click OK to terminate the application..

--------------------

I am getting exactly the same error. I have run the "HijackThis" and this is what I got... please help me as soon as you can. I will really appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 10:00:20 PM, on 1/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CI_SERV.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Sim9Sync.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ifccsc21.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\bak\htpatch.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169525412265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: CI_SERV - Siemens AG - C:\WINNT\System32\CI_SERV.exe
O23 - Service: SIMATIC NET FMS database loader (Dbfms) - Siemens AG - c:\SIEMENS\SIMATIC.NET\fs5412a2.nt\dbfmsser.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ifccsc18 - Unknown owner - C:\WINNT\system32\ifccsc18.exe
O23 - Service: ifccsc21 - Unknown owner - C:\WINNT\system32\ifccsc21.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SIMATIC NET Synchronization Service (Sim9Sync) - Siemens AG - C:\WINNT\system32\Sim9Sync.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
#5 ·
By the looks of it, you might have some virus/worm/trojan activity.

You have no antivirus & that is extremely dangerous.

First step would be to install a good working antivirus, do a full deep system scan & see what it finds & fixes.

Try the trial version of Kaspersky 6.

Select Free Trial, fill in the required email address & click Submit.

Follow the download instructions, then install it & run a full system scan and see what it finds.
 
#8 ·
Here are the results. Thanks for your help.

Mirtha
--------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:44:21 PM, on 1/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINNT\System32\CI_SERV.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Sim9Sync.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ifccsc21.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169525412265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: CI_SERV - Siemens AG - C:\WINNT\System32\CI_SERV.exe
O23 - Service: SIMATIC NET FMS database loader (Dbfms) - Siemens AG - c:\SIEMENS\SIMATIC.NET\fs5412a2.nt\dbfmsser.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ifccsc18 - Unknown owner - C:\WINNT\system32\ifccsc18.exe
O23 - Service: ifccsc21 - Unknown owner - C:\WINNT\system32\ifccsc21.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SIMATIC NET Synchronization Service (Sim9Sync) - Siemens AG - C:\WINNT\system32\Sim9Sync.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
 
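The triage of a HijackThis log is done by eye in this thread; the following is an added example (not part of the original thread and not HijackThis's own logic) that applies the same reading mechanically. The sample lines are copied from the log above; the two rules, and the "high"/"review" severities, are heuristics of my own: a service with no vendor information (`Unknown owner`) that runs from the system directory, and a per-user (HKCU) Run entry that launches a file from the system directory, are what a human analyst picks out first. Entries that HijackThis 1.99.1 reports as `(file missing)` only because it could not parse a quoted path with arguments are downgraded to "review" rather than dropped.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the HijackThis 1.99.1 log
# posted above (entries copied from it, not the whole log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
O23 - Service: CI_SERV - Siemens AG - C:\WINNT\System32\CI_SERV.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ifccsc18 - Unknown owner - C:\WINNT\system32\ifccsc18.exe
O23 - Service: ifccsc21 - Unknown owner - C:\WINNT\system32\ifccsc21.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# O4 autostart entries: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 services: "O23 - Service: <display> - <owner> - <path>"
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# the Windows system directory on NT4/2000 (WINNT) or XP and later (Windows)
SYSTEM_DIR_RE = re.compile(r'\\(?:winnt|windows)\\system32\\', re.IGNORECASE)


@dataclass
class Finding:
    key: str       # bracketed Run name or service display name
    severity: str  # "high" or "review" (my own heuristic labels)
    reason: str
    entry: str     # the log line that produced the finding


def triage(log_text):
    """Apply the heuristics to every O4/O23 line and return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            per_user = m['hive'] == 'HKCU'
            in_sysdir = bool(SYSTEM_DIR_RE.search(m['cmd']))
            if per_user and in_sysdir:
                findings.append(Finding(m['name'], 'high',
                                        'per-user Run entry launching a file dropped in the system directory', line))
            elif per_user:
                findings.append(Finding(m['name'], 'review', 'per-user Run entry', line))
            continue
        m = O23_RE.match(line)
        if m:
            unknown = m['owner'].strip().lower() == 'unknown owner'
            in_sysdir = bool(SYSTEM_DIR_RE.search(m['path']))
            missing = '(file missing)' in m['path']
            if unknown and in_sysdir:
                findings.append(Finding(m['display'], 'high',
                                        'service with no vendor information running from the system directory', line))
            elif unknown or missing:
                findings.append(Finding(m['display'], 'review',
                                        'no vendor information or unresolved path (often a quoted path HJT could not parse)', line))
    return findings


def keys_by_severity(findings):
    """Group finding keys by severity so the result is easy to inspect."""
    out = {'high': [], 'review': []}
    for f in findings:
        out[f.severity].append(f.key)
    return out


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.key}: {f.reason}\n    {f.entry}")
```

Run against the sample, the "high" bucket is exactly the three entries the analyst later has removed (Regscan, ifccsc18, ifccsc21); the Kaspersky and VNC services land in "review" only because of the quoting artefact, and the Siemens service is not flagged at all. Rules like these are a first pass, not a verdict: a signed service with a real vendor name can still be hostile, and an unknown owner is often just a missing version resource.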
#9 ·
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
ifccsc18
ifccsc21

Files to delete:
C:\WINNT\system32\regscan.exe
C:\WINNT\system32\ifccsc18.exe
C:\WINNT\system32\ifccsc21.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

When it reboots for the second time:

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press Fix Checked.

O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
O23 - Service: ifccsc18 - Unknown owner - C:\WINNT\system32\ifccsc18.exe
O23 - Service: ifccsc21 - Unknown owner - C:\WINNT\system32\ifccsc21.exe

Now start Killbox.

Then on the Killbox top bar press Tools > Delete Temp Files. In the pop-up box towards the middle is a drop-down box containing a list of all user accounts; on this drop-down user account box, select your account, select ALL options it will allow you to, then press Delete Selected Temp Files, then repeat for every user account listed in that drop-down box.

then

I need to see the log this makes

http://noahdfear.geekstogo.com/FindAWF.exe
 
#10 ·
Derek,

This is what the Avenger shows after step 5

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\djswafpn

*******************

Script file located at: \??\C:\Documents and Settings\cxamwlib.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver ifccsc18 unloaded successfully.
Driver ifccsc21 unloaded successfully.
File C:\WINNT\system32\regscan.exe deleted successfully.
File C:\WINNT\system32\ifccsc18.exe deleted successfully.
File C:\WINNT\system32\ifccsc21.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Do I need to download and run the last executable?

------------------------------------------
then

I need to see the log this makes

http://noahdfear.geekstogo.com/FindAWF.exe

------------------------------------------

Thanks,

Mirtha
 
#11 ·
Yes, you need to download & run FindAWF please.

Also please do this:

Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press New Topic, fill in the needed details and just give a link to your post here, then press the Browse button and navigate to & select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press Send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:

C:\avenger\backup.zip
 
#12 ·
Derek

1. I uploaded the file c:\avenger\backup.zip
2. This is the result of the FindAWF.exe

-----------------------------------------------------


Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\WINNT\BAK

10/30/2002 03:40a 28,672 htpatch.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/16/2005 07:43a 274,432 iTunesHelper.exe
1 File(s) 274,432 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/26/2005 07:29p 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\WINNT\SYSTEM32\BAK

09/09/2002 12:05a 114,688 hkcmd.exe
09/09/2002 12:18a 155,648 igfxtray.exe
06/20/2003 06:00a 320,000 regscan.exe
05/09/2002 03:19a 303,104 sistray.EXE
4 File(s) 893,440 bytes

Directory of C:\PROGRA~1\ALPHAN~1\ANIWZC~1\BAK

08/21/2003 03:12p 32,768 WZCSLDR.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\ANALOG~2\SOUNDMAX\BAK

06/26/2002 05:36p 90,112 Smtray.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\D-LINK\AIRPLU~1\BAK

11/04/2003 04:00p 2,502,656 AirPlusCFG.exe
1 File(s) 2,502,656 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\12908~1.500\BAK

10/21/2006 04:27p 163,576 GoogleToolbarNotifier.exe
1 File(s) 163,576 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

11/10/2005 12:03p 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24588 Jan 22 2007 "C:\WINNT\htpatch.exe"
28672 Oct 30 2002 "C:\WINNT\bak\htpatch.exe"
24588 Jan 22 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
274432 Sep 16 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
24588 Jan 22 2007 "C:\Program Files\QuickTime\qttask.exe"
155648 Sep 26 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
24588 Jan 22 2007 "C:\WINNT\system32\hkcmd.exe"
114688 Sep 9 2002 "C:\WINNT\system32\bak\hkcmd.exe"
24588 Jan 22 2007 "C:\WINNT\system32\igfxtray.exe"
155648 Sep 9 2002 "C:\WINNT\system32\bak\igfxtray.exe"
320000 Jun 20 2003 "C:\WINNT\system32\bak\regscan.exe"
24588 Jan 22 2007 "C:\WINNT\system32\sistray.EXE"
303104 May 9 2002 "C:\WINNT\system32\bak\sistray.EXE"
24588 Jan 22 2007 "C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe"
32768 Aug 21 2003 "C:\Program Files\Alpha Networks\ANIWZCS Service\bak\WZCSLDR.exe"
24588 Jan 22 2007 "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe"
90112 Jun 26 2002 "C:\Program Files\Analog Devices\SoundMAX\bak\Smtray.exe"
24588 Jan 22 2007 "C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe"
2502656 Nov 4 2003 "C:\Program Files\D-Link\AirPlus Xtreme G\bak\AirPlusCFG.exe"
24588 Jan 22 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
163576 Oct 21 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe"
24588 Jan 22 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report
 
#14 ·
First uninstall all old versions of Sun Java, download the new one BUT do not install the new one until we have fixed the problem.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Then download the attached bakfix.zip & save it to the desktop, unzip it &

double-click the backfix.bat & it will delete the dodgy files & replace them with the backups.

Once that has been done, install the new Sun Java, then

Click here to download Dr.Web CureIt and save it to your desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new HijackThis log.
 

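The FindAWF report and the bakfix step above describe one pattern: every autostart target has been overwritten by the same 24588-byte loader and the genuine file moved into a sibling `bak` folder, so the cleanup is "put the bak copy back over the stub". The following is an added example, not part of the thread and not noahdfear's FindAWF or the attached bakfix.bat, that does both halves of that job on a constructed directory tree built in a temp folder (file sizes copied from the report, contents random stand-ins). The helper names (`find_bak_pairs`, `awf_signature`, `restore`, `demo`) are mine. The detection rule is the one the report makes visible: the files above the bak folders all hash the same, while their backups differ. A bak file with no counterpart above it (regscan.exe in the report) is listed but never restored, and a bak folder whose contents are identical to the file above it is left alone.

```python
import hashlib
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

LOADER_SIZE = 24588  # the size every replaced autostart file shows in the FindAWF report


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_sample_tree(root):
    """Constructed fixture (not a real infected disk) shaped like the report: the same
    loader bytes sit where each autostart target used to be, the genuine file was moved
    into a sibling 'bak' folder, one bak file has no counterpart above it, and one bak
    folder is a harmless identical copy."""
    root = Path(root)
    loader = b'MZ' + b'\x90' * (LOADER_SIZE - 2)  # identical everywhere, so identical hash
    moved = {'WINNT/htpatch.exe': 28672, 'Program Files/iTunes/iTunesHelper.exe': 274432,
             'Program Files/QuickTime/qttask.exe': 155648, 'WINNT/system32/hkcmd.exe': 114688}
    for rel, size in moved.items():
        target = root / rel
        (target.parent / 'bak').mkdir(parents=True, exist_ok=True)
        (target.parent / 'bak' / target.name).write_bytes(os.urandom(size))  # stands in for the real binary
        target.write_bytes(loader)
    # bak file whose original above it is already gone (regscan.exe in the report)
    (root / 'WINNT/system32/bak/regscan.exe').write_bytes(os.urandom(320000))
    # a legitimate backup: same bytes above and below, must not be touched
    benign = root / 'Program Files/Tool/tool.exe'
    (benign.parent / 'bak').mkdir(parents=True, exist_ok=True)
    blob = os.urandom(4096)
    benign.write_bytes(blob)
    (benign.parent / 'bak' / 'tool.exe').write_bytes(blob)
    return root


def find_bak_pairs(root):
    """Walk the tree; pair each file inside a directory named 'bak' with the same-named
    file one level up. Files with no counterpart are returned separately as orphans."""
    pairs, orphans = [], []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != 'bak':
            continue
        for name in sorted(files):
            backup, above = d / name, d.parent / name
            if above.is_file():
                pairs.append((above, backup))
            else:
                orphans.append(backup)
    return pairs, orphans


def awf_signature(pairs):
    """AWF drops one loader over every autostart target, so the files above the bak
    folders share a single hash while their backups differ. Return that hash and the
    pairs that fit; (None, []) when fewer than two files share a hash."""
    stub_hash = {above: sha256_of(above) for above, _ in pairs}
    if not stub_hash:
        return None, []
    common, count = Counter(stub_hash.values()).most_common(1)[0]
    if count < 2:
        return None, []
    flagged = [(a, b) for a, b in pairs if stub_hash[a] == common and sha256_of(b) != common]
    return common, flagged


def restore(flagged, quarantine, dry_run=True):
    """Move each loader into quarantine (kept as a sample) and put the backed-up
    original back in place. With dry_run=True only the planned actions are returned."""
    quarantine = Path(quarantine)
    actions = []
    for i, (above, backup) in enumerate(flagged):
        actions.append((str(backup), str(above)))
        if dry_run:
            continue
        quarantine.mkdir(parents=True, exist_ok=True)
        shutil.move(str(above), str(quarantine / f'{i}_{above.name}'))
        shutil.move(str(backup), str(above))
    return actions


def demo(dry_run=False):
    """Build the fixture in a temp dir, run detection, then restore; return a summary."""
    root = build_sample_tree(tempfile.mkdtemp(prefix='awf_'))
    pairs, orphans = find_bak_pairs(root)
    loader_hash, flagged = awf_signature(pairs)
    loader_sizes = sorted({a.stat().st_size for a, _ in flagged})  # before anything moves
    actions = restore(flagged, root / 'quarantine', dry_run=dry_run)
    restored_ok = None if dry_run else all(
        a.is_file() and sha256_of(a) != loader_hash and not b.exists() for a, b in flagged)
    return {'pairs': len(pairs), 'orphans': [p.name for p in orphans],
            'flagged': sorted(a.name for a, _ in flagged), 'loader_sizes': loader_sizes,
            'actions': len(actions), 'restored_ok': restored_ok}


if __name__ == '__main__':
    print(demo(dry_run=True))
```

Run with `dry_run=True` first and read the planned moves before letting it touch anything. The quarantine step matters for the same reason the thread asks for backup.zip to be uploaded: the loader is the sample an antivirus vendor needs. A file in `bak` with nothing above it is deliberately not restored, because it can be either a genuine original whose stub was already deleted or, as in this thread, a second piece of malware that the first one happened to move.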

#17 ·
You need to do this next please.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINNT\system32\bak\regscan.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Then upload the new avenger\backup.zip to Spykiller please.

That one is a new pest we need copies of, and the AWF pest has deleted the original & moved it to the bak folder.
 
#19 ·
Thanks a lot Derek. The problem seems to be solved now.

Here are the files that you requested

Avenger.txt
--------------------------------------------------------------------------------------------------
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\exjqotjo

*******************

Script file located at: \??\C:\Program Files\qxmxxjmj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\bak\regscan.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
--------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------

hijackthis020107.log
--------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:11:34 PM, on 2/1/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINNT\System32\CI_SERV.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Sim9Sync.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169525412265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD Map 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD Map 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD Map 2000i\AcPreview.ocx
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: CI_SERV - Siemens AG - C:\WINNT\System32\CI_SERV.exe
O23 - Service: SIMATIC NET FMS database loader (Dbfms) - Siemens AG - c:\SIEMENS\SIMATIC.NET\fs5412a2.nt\dbfmsser.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SIMATIC NET Synchronization Service (Sim9Sync) - Siemens AG - C:\WINNT\system32\Sim9Sync.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

--------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------

DrWeb.csv

--------------------------------------------------------------------------------------------------

auto.exe;C:\;Trojan.Xifraud;Deleted.;

popcaploader.dll;C:\WINNT\Downloaded Program Files;Program.PopcapLoader;Incurable.Moved.;
 


#21 ·
That file was the culprit for a lot of the problems.

If it all seems clear now, then:

Turn off System Restore by following the instructions here
http://www.thespykiller.co.uk/forum/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there. Then reboot, then re-enable System Restore & create a new restore point.

Go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks,
and scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer.

Then pay an urgent visit to Windows Update & make sure you are fully updated, & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.
 
#25 ·
Derek,

I got into a big problem after I activated Kaspersky. The computer changed. Now it takes a loooong time to start up; that also happens when trying to run any application. The system is extremely slow.

I checked in the Kaspersky web site and someone experienced a similar problem. So the recommendation was to uninstall the Kaspersky in safe mode. The problem is that I can't uninstall Kaspersky (even in safe mode).

Please help me with this last one. I will appreciate it. How do I uninstall Kaspersky?
Thanks,

Mirtha
 