I'm Screwed, Please Help!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

peril0us

Thread Starter
Banned
Joined
Oct 13, 2003
Messages
906
Hi, I have XP. Yesterday I noticed the process loader.exe running, and I thought I would just delete it later because I was lazy. I have 4 XP accounts. Anyways, today, when I went on... I had about 10 processes running that would all run each other every time I shut them out. I tried S&D and it said it got rid of them all. Then 5 seconds later they would all be reinstalled. When I booted my PC there was something called "we own" running too.

I tried to delete them all and then Norton AV said I got a virus called Bloodhound.packaged. At this point my internet stopped working (when I typed or used the mouse nothing happened) and so I rebooted. Now my PC couldn't even fully boot up, so I asked a friend to see what Sympatico or w/e said to delete the virus. I went into safe mode and ran AV like they suggested, ran S&D and Ad-Aware, but I forgot to update these two. To make a long story short, S&D and Ad-Aware deleted a bunch of stuff, AV found 42 infections but 20 of them came out as "delete failed." I didn't know what to do so I thought I would try HijackThis out in a desperate attempt. I happened to have instructions and I deleted all the crap that I could see. However, here is the problem:

When I was fixing the things I got some BHO prompt and said yes. Then it said "Are you sure you want to uninstall Windows toolbar?!" I think that was it? But it was too late. When I start up on my account now, I get a blue screen and it says "restart blah blah... memory dump: ##" and it's counting memory. I don't know much about hardware but I think this is bad for my system...

Here is my HijackThis log from before I fixed it, and I will star the ones that I think I deleted... I'm not SURE but this is what I think I cut. Now that I see that BHO I don't think I should have killed it, was that bad? The bold ones are ones that I don't know if I should have deleted so I played it safe.

Logfile of HijackThis v1.97.3
Scan saved at 10:56:20 PM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\NORTON~2\navw32.exe
C:\Documents and Settings\Neil's\My Documents\Programs\hijackthis\HijackThis.exe

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
*R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
*R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
*R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50168
*R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
*R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
*R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
*R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
*O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 48.dll
*O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 48.dll
*O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAM_2K.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
*O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
*O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
*O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
*O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
*O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
*O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
*O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
*O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
*O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
*O4 - HKLM\..\Run: [sain] c:\windows\system32\sain.exe
*O4 - HKLM\..\Run: [oxwp] C:\WINDOWS\oxwp.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe
O4 - HKLM\..\Run: [adqkpy] C:\WINDOWS\System32\osmjahe.exe
O4 - HKLM\..\Run: [tshruin] C:\WINDOWS\System32\tshruin.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
*O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
*O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
*O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
*O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
*O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab

Anyways. Can someone please tell me what this memory dump thing is? I don't know much about this stuff and it's my first time using HijackThis. Is there any way to repair that damage? Also... why do I get the memory dump on my account but not this one? They are all admin priv but I went into safe mode through my account. I'll post a HijackThis log of what it is now, I still have 1 or 2 adware popping up. What do I do with the things Norton AV said "delete failed?"

Any help would be appreciated, I think I'm screwed. Can I fix this if I get it reformatted?

This is from a different account in XP, not sure if it matters...

Logfile of HijackThis v1.97.3
Scan saved at 11:25:37 PM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Norton AntiVirus2004\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus2004\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Neil's\My Documents\Programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 48.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 48.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe
O4 - HKLM\..\Run: [adqkpy] C:\WINDOWS\System32\osmjahe.exe
O4 - HKLM\..\Run: [tshruin] C:\WINDOWS\System32\tshruin.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
 
Joined
Dec 9, 2000
Messages
45,855
It's an even bigger mess than you think. You must first uninstall any File Sharing utility that you have installed on the system. Then install and run a full drive scan using Ad-Aware SE (the most recent version) and the VX2 plugin.

Considering everything there, it would be best to run it in Safe Mode.

Have Ad-aware remove all it targets, reboot and run it a second time.

Run one or more Online antivirus scans:

HouseCall
Panda


After that post a new HijackThis Scanlog using the latest version of HijackThis (1.98.2)

Ad-aware SE:

Ad-Aware Home Page


http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe

The VX2 plugin will be available in the "add-ons" window once installed and is run from there.

How Did I Get Infected?

>> how to start in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

>> latest version of HijackThis: http://www.net-integration.net/tools/hijackthis.html
 

peril0us

Thread Starter
Banned
Joined
Oct 13, 2003
Messages
906
THANKS!

2 Questions:

Do you mean uninstall AIM, MSN, etc.?

Is this blue screen bad??? It's not happening over and over? Did something I got rid of with HijackThis cause this?
 

peril0us

Thread Starter
Banned
Joined
Oct 13, 2003
Messages
906
Also, can I limit the accounts on XP? I think my sister got these viruses. I never get them and frequently make sure that I have no programs running. As far as I can tell there is no way to change the specific settings for accounts, and my sister has to be "admin" or she cries because the other account can't install anything (her games etc.).
 
Joined
Dec 9, 2000
Messages
45,855
You don't have to uninstall those programs, just make sure no "file sharing" programs like Kazaa are being used -- they will reinfect the system.

For the time being, until the system is cleaned, make sure all accounts have full Administrative rights.

There is no way to limit an "administrative" account. They will have all the privileges you have. However, if this is going to be the result of her privileges, I would limit her account type whether she cries or not.
 

peril0us

Thread Starter
Banned
Joined
Oct 13, 2003
Messages
906
Okay, I tried to do the online scans like you said, but I couldn't. I also got the new HJT and Ad-Aware. I ran Ad-Aware and deleted like 300 new things that the old Ad-Aware didn't see. I tried to run the online scan and Norton AV at the same time and left my PC on all night. However, in the morning I realized that I still have this device error that periodically crashes my computer, and I tried 3 times but could not finish the 5 hour scan without it crashing. Also, Norton 2004 found 6 files when the online scan found only 1 at the last point I checked, which makes me wonder if it's any good. I still have 1 ad program running that I know of and 4 unknown processes, so I'll post my new HJT log for you guys! THANKS!

Logfile of HijackThis v1.98.2
Scan saved at 2:53:34 PM, on 9/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus2004\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus2004\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe
O4 - HKLM\..\Run: [adqkpy] C:\WINDOWS\System32\osmjahe.exe
O4 - HKLM\..\Run: [tshruin] C:\WINDOWS\System32\tshruin.exe
O4 - HKLM\..\RunServicesOnce: [] C:\WINDOWS\GIGATEMP\Patch.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

When I look at this I think 1/2 of them came back from the last delete. Is there possibly some program installing them all every time I start up that I missed?
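The "came back" question can be answered mechanically by diffing the first and latest logs. What follows is an added example, not HijackThis code or anything posted in the thread: a small Python parser that keys each R/O2/O3/O4 line on its registry value, CLSID or Run-key name, and reports which entries returned after being fixed, which changed (the EliteBar BHO keeps its CLSID but moved from a "version 48" to a "version 50" DLL), which persisted, which disappeared and which are new. The two sample logs are constructed from lines quoted above.

```python
"""Diff two HijackThis logs: which hijack/startup entries came back after
"Fix checked", which merely persisted, which changed and which are new.
Added example for this thread, not part of HijackThis or the original posts;
the sample logs are constructed from entries quoted in the thread, with the
poster's '*' marking the entries fixed in the first scan."""
import re
from typing import Dict, NamedTuple, Tuple

# Entry line: optional '*' (poster's "fixed" mark), a section code (R1, O4,
# ...), " - ", then the body. O4 body: "HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(?P<star>\*)?(?P<code>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<loc>HK\w+\\\.\.\\\w+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Hijack/persistence sections; O8/O9/O16 add-ons and the process list are ignored.
PERSISTENCE_CODES = {"R0", "R1", "R3", "O2", "O3", "O4"}


class Entry(NamedTuple):
    value: str   # the part that can change: URL, command line, DLL path
    fixed: bool  # True when the line carried the '*' marker


def split_entry(code: str, body: str) -> Tuple[str, str]:
    """Split an entry body into a stable key and the value attached to it."""
    if code == "O4":
        m = O4_RE.match(body)
        if m:
            return f"{m.group('loc')} [{m.group('name')}]", m.group("cmd")
    elif code in ("O2", "O3"):
        m = CLSID_RE.search(body)
        if m:  # key on the CLSID; the DLL path after it is the value
            return m.group(0).upper(), body[m.end():].strip(" -")
    elif " =" in body:  # R0/R1/R3 registry values: "key,name = data"
        left, _, right = body.partition(" =")
        return left, right.strip()
    return body, ""


def parse_log(text: str) -> Dict[str, Entry]:
    """Return {"<code> <key>": Entry} for the persistence-related lines."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group("code") in PERSISTENCE_CODES:
            key, value = split_entry(m.group("code"), m.group("body"))
            entries[f"{m.group('code')} {key}"] = Entry(value, m.group("star") is not None)
    return entries


def compare(old_text: str, new_text: str) -> Dict[str, list]:
    """Classify every entry seen in either log. 'returned' = fixed in the old
    scan yet back unchanged, which means something still running re-creates it
    (the thread's "came back" entries); 'changed' = same key, new value, kept
    as (key, old, new); 'persisted', 'removed' and 'appeared' are literal."""
    old, new = parse_log(old_text), parse_log(new_text)
    cats = ("returned", "changed", "persisted", "removed", "appeared")
    report: Dict[str, list] = {c: [] for c in cats}
    for key in sorted(old.keys() | new.keys()):
        if key in old and key in new:
            if old[key].value != new[key].value:
                report["changed"].append((key, old[key].value, new[key].value))
            elif old[key].fixed:
                report["returned"].append(key)
            else:
                report["persisted"].append(key)
        elif key in old:
            report["removed"].append(key)
        else:
            report["appeared"].append(key)
    return report


def format_report(report: Dict[str, list]) -> str:
    out = []
    for cat, items in report.items():
        out.append(f"{cat} ({len(items)}):")
        out += [f"  {i[0]}\n    was: {i[1]}\n    now: {i[2]}" if isinstance(i, tuple)
                else f"  {i}" for i in items]
    return "\n".join(out)


OLD_LOG = r"""Logfile of HijackThis v1.97.3
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
*O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 48.dll
*O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe
"""
NEW_LOG = r"""Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe
O4 - HKLM\..\RunServicesOnce: [] C:\WINDOWS\GIGATEMP\Patch.exe
"""

if __name__ == "__main__":
    print(format_report(compare(OLD_LOG, NEW_LOG)))
```

Run it against two full saved logs instead of the samples to see which fixed entries a still-running dropper keeps restoring; anything in "returned" or "appeared" under a Run/RunOnce/RunServicesOnce key is the file to hunt for in Safe Mode, as the replies below advise.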
 

peril0us

Thread Starter
Banned
Joined
Oct 13, 2003
Messages
906
OH YEAH. I get a device error:

szAppName: drivers.display
szModName: ati2dvag
szAppVer: 1002496601201148

I think it's for my RADEON 9000 series but I can't figure out if there's any update or anything for it. I tried www.ati.com but couldn't figure out what I was looking for. Here is what my system info says, I don't have a clue LOL.

<<< System Summary >>>
------------------------------------------------------------------------------------------------

< Computer System >
Name: WHAT
User Name: user
Logon Domain: WHAT

< Processor(s) >
Model: AMD Athlon(tm) Processor
Speed: 1.20GHz
Model Number: 1200 (estimated)
Performance Rating: PR1596 (estimated)
L2 On-board Cache: 256kB ECC synchronous write-back

< Mainboard and BIOS >
Bus(es): AGP PCI USB SMBus/i2c
MP Support: No
System BIOS: Award Software, Inc. ASUS A7V133-C ACPI BIOS Revision 1009
Mainboard: ASUSTeK Computer INC. A7V133-C
System Chipset: ASUSTeK Computer Inc VIA KT133 based Mainboard System Controller
Front Side Bus Speed: 2x 133MHz (266MHz data rate)
Installed Memory: 512MB SDRAM
Memory Bus Speed: 1x 133MHz (133MHz data rate)

< Video System >
Monitor/Panel: Plug and Play Monitor
Adapter: RADEON 9000 Series
Adapter: RADEON 9000 Series
Adapter: RADEON 9000 SERIES
Adapter: RADEON 9000 Series
Adapter: RADEON 7000 Series
Adapter: RADEON 7000 Series

< Physical Storage Devices >
Removable Drive: Floppy disk drive
Disk Drive: Disk drive
CD-ROM/DVD: CD-ROM Drive
CD-ROM/DVD: CD-ROM Drive

< Logical Storage Devices >
1.44MB 3.5" (A:): N/A
Hard Disk (C:): 76.3GB (31.7GB, 41% Free) (NTFS)
CD-ROM/DVD (D:): N/A
CD-ROM/DVD (E:): N/A

< Peripherals >
Serial/Parallel Port(s): 1 COM / 1 LPT
USB Controller/Hub: VIA Rev 5 or later USB Universal Host Controller
USB Controller/Hub: VIA Rev 5 or later USB Universal Host Controller
USB Controller/Hub: USB Root Hub
USB Controller/Hub: USB Root Hub
Keyboard: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Mouse: PS/2 Compatible Mouse

< MultiMedia Device(s) >
Device: Creative SB Live! Value
Device: Creative Game Port

< Printers and Faxes >
Model: EPSON Stylus COLOR 880

< Operating System(s) >
Windows System: Microsoft Windows XP Professional Ver 5.01.2600
Service Pack 1

< Network Adapter(s) >
Networking Installed: Yes
Adapter: Realtek RTL8139 Family PCI Fast Ethernet NIC #3

< Performance Tips >
Tip T102: Consider using the Unicode version of Sandra.
Tip T2: For more information about tips, press F1 and scroll to the Tips section.

Don't know if this is allowed in this section of the forum? thx
 
Joined
Jul 26, 2002
Messages
46,349
I have merged your new thread with the original thread. We cannot keep up with you if you start a new thread each time you reply. Please make all posts regarding this matter in this thread.
 

peril0us

Thread Starter
Banned
Joined
Oct 13, 2003
Messages
906
Rollin' Rog said:
You don't have to uninstall those programs, just make sure no "file sharing" programs like Kazaa are being used -- they will reinfect the system.

For the time being, until the system is cleaned, make sure all accounts have full Administrative rights.

There is no way to limit an "administrative" account. They will have all the privileges you have. However, if this is going to be the result of her privileges, I would limit her account type whether she cries or not.
Thx for replying to this, dude. I started a new thread with my new HJT log but you just raised a question. In the past when I tried to change the rights settings it didn't change anything and I had to make the account again so that it would change the rights. Does anyone know if this is a unique problem to me or if there is any fix for it?
 
Joined
Jul 26, 2002
Messages
46,349
Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 50.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe

O4 - HKLM\..\Run: [adqkpy] C:\WINDOWS\System32\osmjahe.exe

O4 - HKLM\..\Run: [tshruin] C:\WINDOWS\System32\tshruin.exe


Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options",
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now find and delete these files:

C:\windows\system32\winine32.exe
C:\WINDOWS\System32\osmjahe.exe
C:\WINDOWS\System32\tshruin.exe
 

peril0us

Thread Starter
Banned
Joined
Oct 13, 2003
Messages
906
Thx for replying fast, couple more questions.

Do you know what the O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k is, because I think I had it before I had problems?

Say I wanted to clear out some stuff so that my startup doesn't take 5 minutes like it just did, can I get rid of these?

O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
If i fix these is it safe? I never use most of these programs.

And, do you know what this is? I don't ever remember seeing it before.
O4 - HKLM\..\RunServicesOnce: [] C:\WINDOWS\GIGATEMP\Patch.exe
 
Joined
Jul 26, 2002
Messages
46,349
Sorry I missed that one! :eek:

Fix this one too:

O4 - HKLM\..\RunServicesOnce: [] C:\WINDOWS\GIGATEMP\Patch.exe

Boot to safe mode and delete the C:\WINDOWS\GIGATEMP folder.


As far as the others go, Hijack This is not a tool to be used to control or remove unnecessary startups. The purpose of HJT is to help identify and remove malware (spyware/adware/trojans/viruses). If you want to remove unnecessary startups, this should be done through the System Configuration Utility. Go to Start > Run and type in msconfig.
Click OK or hit the Enter key.

Click on the "Startup" tab and remove the check by the items that you have determined are unnecessary. Click "Apply" then "Close"

You will be prompted to restart. Go ahead and restart.

Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that program's preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.

Go here for info on msconfig:

http://www.pacs-portal.co.uk/startup_index.htm

You can look up the startups here to help determine what is needed and what is not:

http://computercops.biz/StartupList.html

here:

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

And here:

http://www.windowsstartup.com/wso/browse.php?l=8&start=50&end=75


You might also consider checking out Black Viper's guide to disabling some of the unnecessary services in XP here:

http://www.blackviper.com/WinXP/servicecfg.htm
 

peril0us

Thread Starter
Banned
Joined
Oct 13, 2003
Messages
906
Okay. I did the thing with HJT, saved your reply to Notepad, and restarted the comp. Then, when I tried to start up in safe mode, I couldn't!!! It froze on the screen where it lists all the stuff it's loading. So, after a few min I restarted it and tried again, froze again. I think this might be somehow related to the blue screen of death that I got after I left Safe Mode last time. Any ideas? Also, I am still getting 2 ads that pop up when I boot, but then nothing happens. thx.
 
Joined
Dec 9, 2000
Messages
45,855
The safe mode startup problem may also be indicative of a display driver issue. ATI comes out with a new driver update about once a month. You don't need the absolute latest.

I believe your Radeon 9000 is supported up to Catalyst 4.8, but be sure to read the release notes. I'm currently running 4.6 on a Radeon 9700.

You must follow the directions to uninstall the old drivers from the Control Panel Add/Remove programs prior to installing. You may need to cancel out of any "automatic" attempt to reinstall drivers on startup and go to where you downloaded the setup file to run that.

You can't install them in Safe Mode, but you could try VGA mode if you can get there. I suspect you can't though with the safe mode error.

http://www.ati.com/support/products/radeonwinxppreviousdrivers.html

I'm not sure if you need to do separate installs for the main driver and the so-called "control panel" driver. The last time I did this I simply removed both from Add/Remove, rebooted to VGA mode and ran the setup for the "single bundle" install. Prior to that I had to do separate downloads. The single bundle is about 26 MB as I recall.

PS: I would advise creating a system checkpoint before proceeding with anything like this. Although you can "roll back" drivers, I like System Restore. You don't want to restore to a point prior to your new installs and cleanups though.
 

peril0us

Thread Starter
Banned
Joined
Oct 13, 2003
Messages
906
Thx dude. I have had this driver error for about a year now, it seems to crash the PC when I have Java applets running. I will email ATI to get info on this because their site is way too confusing lol. :)
 