
Im Screwed, Please Help!

Discussion in 'Virus & Other Malware Removal' started by peril0us, Sep 12, 2004.

Thread Status:
Not open for further replies.
  1. peril0us

    peril0us Banned Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    906
    Hi, I have XP. Yesterday I noticed the process loader.exe running, and I thought I would just delete it later because I was lazy. I have 4 XP accounts. Anyway, today, when I went on... I had about 10 processes running that would all run each other every time I shut them out. I tried S&D and it said it got rid of them all. Then 5 seconds later they would all be reinstalled. When I booted my PC there was something called "we own" running too.

    I tried to delete them all and then Norton AV said I got a virus called Bloodhound.packaged. At this point my internet stopped working (when I typed or used the mouse nothing happened) and so I rebooted. Now my PC couldn't even fully boot up, so I asked a friend to see what sympatico or w/e said to delete the virus. I went into safe mode and ran AV like they suggested, ran S&D and Ad-Aware, but I forgot to update these two. To make a long story short, S&D and Ad deleted a bunch of stuff, AV found 42 infections but 20 of them came out as "delete failed." I didn't know what to do so I thought I would try HijackThis out in a desperate attempt. I happened to have instructions and I deleted all the crap that I could see. However, here is the problem:

    When I was fixing the things I got some BHO prompt and said yes. Then it said "Are you sure you want to uninstall windows toolbar?!" I think that was it? But it was too late. When I start up on my account now, I get a blue screen and it says "restart blah blah... memory dump: ##" and it's counting memory. I don't know much about hardware but I think this is bad for my system...

    Here is my HijackThis log from before I fixed, and I will star the ones that I think I deleted... I'm not SURE but this is what I think I cut. Now that I see that BHO I don't think I should have killed it, was that bad? The bold ones are ones that I don't know if I should have deleted so I played it safe.

    Logfile of HijackThis v1.97.3
    Scan saved at 10:56:20 PM, on 9/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\NORTON~2\navw32.exe
    C:\Documents and Settings\Neil's\My Documents\Programs\hijackthis\HijackThis.exe

    *R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    *R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    *R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    *R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
    *R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    *R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    *R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    *R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    *R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50168
    *R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    *R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    *R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    *R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
    *O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 48.dll
    *O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 48.dll
    *O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAM_2K.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    *O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    *O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    *O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    *O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    *O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    *O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    *O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    *O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    *O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    *O4 - HKLM\..\Run: [sain] c:\windows\system32\sain.exe
    *O4 - HKLM\..\Run: [oxwp] C:\WINDOWS\oxwp.exe
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe
    O4 - HKLM\..\Run: [adqkpy] C:\WINDOWS\System32\osmjahe.exe
    O4 - HKLM\..\Run: [tshruin] C:\WINDOWS\System32\tshruin.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
    *O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    *O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
    *O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    *O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    *O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab

    Anyway. Can someone please tell me what this memory dump thing is? I don't know much about this stuff and it's my first time using HijackThis. Is there any way to repair that damage? Also... why do I get the memory dump on my account but not this one? They all have admin privileges but I went into safe mode through my account. I'll post a HijackThis log of what it is now; I still have 1 or 2 adware popping up. What do I do with the things Norton AV said "delete failed" on?

    Any help would be appreciated, I think I'm screwed. Can I fix this if I get it reformatted?

    This is from a different account in XP, not sure if it matters...

    Logfile of HijackThis v1.97.3
    Scan saved at 11:25:37 PM, on 9/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Norton AntiVirus2004\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Tweak-XP Pro\AdBlocker.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Norton AntiVirus2004\SAVScan.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Neil's\My Documents\Programs\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 48.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 48.dll
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe
    O4 - HKLM\..\Run: [adqkpy] C:\WINDOWS\System32\osmjahe.exe
    O4 - HKLM\..\Run: [tshruin] C:\WINDOWS\System32\tshruin.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It's an even bigger mess than you think. You must first uninstall any File Sharing utility that you have installed on the system. Then install and run a full drive scan using Ad-Aware SE (the most recent version) and the VX2 plugin.

    Considering everything there, it would be best to run it in Safe Mode.

    Have Ad-aware remove all it targets, reboot and run it a second time.

    Run one or more Online antivirus scans:

    HouseCall
    Panda


    After that post a new HijackThis Scanlog using the latest version of HijackThis (1.98.2)

    Ad-aware SE:

    Ad-Aware Home Page


    http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe

    The VX2 plugin will be available in the "add-ons" window once installed and is run from there.

    How Did I Get Infected?

    >> how to start in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

    >> latest version of HijackThis: http://www.net-integration.net/tools/hijackthis.html
     
  3. peril0us

    peril0us Banned Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    906
    THANKS!

    2 Questions:

    Do you mean uninstall AIM, MSN, etc.?

    Is this blue screen bad??? It's not happening over and over. Did something I got rid of with HijackThis cause this?
     
  4. peril0us

    peril0us Banned Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    906
    Also, can I limit the accounts on XP? I think my sister got these viruses. I never get them and frequently make sure that I have no programs running. As far as I can tell there is no way to change the specific settings for accounts, and my sister has to be "admin" or she cries because the other account can't install anything (her games etc.).
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You don't have to uninstall those programs, just make sure no "file sharing" programs like Kazaa are being used -- they will reinfect the system.

    For the time being, until the system is cleaned, make sure all accounts have full Administrative rights.

    There is no way to limit an "administrative" account. They will have all the privileges you have. However, if this is going to be the result of her privileges I would limit her account type whether she cries or not.
     
  6. peril0us

    peril0us Banned Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    906
    Okay, I tried to do the online scans like you said, but I couldn't. I also got the new HJT and Ad-aware. I ran Ad-aware and deleted like 300 new things that the old Ad-aware didn't see. I tried to run the online scan and Norton AV at the same time and left my PC on all night. However, in the morning I realized that I still have this device error that periodically crashes my computer, and I tried 3 times but could not finish the 5 hour scan without it crashing. Also, Norton 2004 found 6 files when the online scan found only 1 at the last point I checked, which makes me wonder if it's any good. I still have 1 ad prgm running that I know of and 4 unknown processes, so I'll post my new HJT log for you guys! THANKS!

    Logfile of HijackThis v1.98.2
    Scan saved at 2:53:34 PM, on 9/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus2004\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton AntiVirus2004\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\user\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe
    O4 - HKLM\..\Run: [adqkpy] C:\WINDOWS\System32\osmjahe.exe
    O4 - HKLM\..\Run: [tshruin] C:\WINDOWS\System32\tshruin.exe
    O4 - HKLM\..\RunServicesOnce: [] C:\WINDOWS\GIGATEMP\Patch.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

    When I look at this I think 1/2 of them came back from the last delete. Is there possibly some program installing them all every time I start up that I missed?
     
  7. peril0us

    peril0us Banned Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    906
    OH YEA. I get a device error:

    szAppName: drivers.display
    szModName: ati2dvag
    szAppVer: 1002496601201148

    I think it's for my RADEON 9000 series but I can't figure out if there's any update or anything for it. I tried www.ati.com but couldn't figure out what I was looking for. Here is what my system info says, I don't have a clue LOL.

    <<< System Summary >>>
    ------------------------------------------------------------------------------------------------

    < Computer System >
    Name: WHAT
    User Name: user
    Logon Domain: WHAT

    < Processor(s) >
    Model: AMD Athlon(tm) Processor
    Speed: 1.20GHz
    Model Number: 1200 (estimated)
    Performance Rating: PR1596 (estimated)
    L2 On-board Cache: 256kB ECC synchronous write-back

    < Mainboard and BIOS >
    Bus(es): AGP PCI USB SMBus/i2c
    MP Support: No
    System BIOS: Award Software, Inc. ASUS A7V133-C ACPI BIOS Revision 1009
    Mainboard: ASUSTeK Computer INC. A7V133-C
    System Chipset: ASUSTeK Computer Inc VIA KT133 based Mainboard System Controller
    Front Side Bus Speed: 2x 133MHz (266MHz data rate)
    Installed Memory: 512MB SDRAM
    Memory Bus Speed: 1x 133MHz (133MHz data rate)

    < Video System >
    Monitor/Panel: Plug and Play Monitor
    Adapter: RADEON 9000 Series
    Adapter: RADEON 9000 Series
    Adapter: RADEON 9000 SERIES
    Adapter: RADEON 9000 Series
    Adapter: RADEON 7000 Series
    Adapter: RADEON 7000 Series

    < Physical Storage Devices >
    Removable Drive: Floppy disk drive
    Disk Drive: Disk drive
    CD-ROM/DVD: CD-ROM Drive
    CD-ROM/DVD: CD-ROM Drive

    < Logical Storage Devices >
    1.44MB 3.5" (A:): N/A
    Hard Disk (C:): 76.3GB (31.7GB, 41% Free) (NTFS)
    CD-ROM/DVD (D:): N/A
    CD-ROM/DVD (E:): N/A

    < Peripherals >
    Serial/Parallel Port(s): 1 COM / 1 LPT
    USB Controller/Hub: VIA Rev 5 or later USB Universal Host Controller
    USB Controller/Hub: VIA Rev 5 or later USB Universal Host Controller
    USB Controller/Hub: USB Root Hub
    USB Controller/Hub: USB Root Hub
    Keyboard: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    Mouse: PS/2 Compatible Mouse

    < MultiMedia Device(s) >
    Device: Creative SB Live! Value
    Device: Creative Game Port

    < Printers and Faxes >
    Model: EPSON Stylus COLOR 880

    < Operating System(s) >
    Windows System: Microsoft Windows XP Professional Ver 5.01.2600
    Service Pack 1

    < Network Adapter(s) >
    Networking Installed: Yes
    Adapter: Realtek RTL8139 Family PCI Fast Ethernet NIC #3

    < Performance Tips >
    Tip T102: Consider using the Unicode version of Sandra.
    Tip T2: For more information about tips, press F1 and scroll to the Tips section.

    Don't know if this is allowed in this section of the forum? thx
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I have merged your new thread with the original thread. We cannot keep up with you if you start a new thread each time you reply. Please make all posts regarding this matter in this thread.
     
  9. peril0us

    peril0us Banned Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    906
    Thx for replying to this, dude. I started a new thread with my new HJT log but you just raised a question. In the past when I tried to change the rights settings it didn't change anything and I had to make the account again so that it would change the rights. Does anyone know if this is a unique problem to me or if there is any fix for it?
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll

    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 50.dll

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe

    O4 - HKLM\..\Run: [adqkpy] C:\WINDOWS\System32\osmjahe.exe

    O4 - HKLM\..\Run: [tshruin] C:\WINDOWS\System32\tshruin.exe


    Restart to safe mode.

    How to start your computer in safe mode

    Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options"
    make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete these files:

    C:\windows\system32\winine32.exe
    C:\WINDOWS\System32\osmjahe.exe
    C:\WINDOWS\System32\tshruin.exe
     
  11. peril0us

    peril0us Banned Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    906
    Thx for replying fast, couple more questions.

    Do you know what the O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k is? Because I think I had it before I had problems.

    Say I wanted to clear out some stuff so that my startup doesn't take 5 minutes like it just did, can I get rid of these?

    O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    If I fix these is it safe? I never use most of these programs.

    And, do you know what this is? I don't ever remember seeing it before.
    O4 - HKLM\..\RunServicesOnce: [] C:\WINDOWS\GIGATEMP\Patch.exe
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Sorry I missed that one! :eek:

    Fix this one too:

    O4 - HKLM\..\RunServicesOnce: [] C:\WINDOWS\GIGATEMP\Patch.exe

    Boot to safe mode and delete the C:\WINDOWS\GIGATEMP folder.


    As far as the others go, Hijack This is not a tool to be used to control or remove unnecessary startups. The purpose of HJT is to help identify and remove malware (spyware/adware/trojans/viruses). If you want to remove unnecessary startups, this should be done through the System Configuration Utility. Go to Start > Run and type in msconfig.
    Click OK or hit the Enter key.

    Click on the "Startup" tab and remove the check by the items that you have determined are unnecessary. Click "Apply" then "Close"

    You will be prompted to restart. Go ahead and restart.

    Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

    Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that program's preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.

    Go here for info on msconfig:

    http://www.pacs-portal.co.uk/startup_index.htm

    You can look up the startups here to help determine what is needed and what is not:

    http://computercops.biz/StartupList.html

    here:

    http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

    And here:

    http://www.windowsstartup.com/wso/browse.php?l=8&start=50&end=75


    You might also consider checking out Black Viper's guide to disabling some of the unnecessary services in XP here:

    http://www.blackviper.com/WinXP/servicecfg.htm
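
As an added example (not code from this thread, from HijackThis, or from any of the posters), the triage that Flrman1 does by eye in posts 10 and 12 can be written down as rules and run over the log lines themselves. The script below parses the R0/R1, O2/O3 and O4 lines of the third HijackThis log posted in this thread and flags: search/start-page overrides that point at a host the owner never chose or at a local DLL resource, browser-extension DLLs that live under the Windows directory instead of Program Files, and autostart entries with an empty value name, a temp-folder path, or an unknown binary in System32. The trusted-host list and the short list of executables accepted from System32 (ctfmon, dumprep, rundll32, CTHELPER) are assumptions made for this example; dumprep is Windows XP's own crash-dump reporter, so the KernelFaultCheck entry the helper also listed is deliberately left for the reader to judge rather than flagged.

```python
import re
from urllib.parse import urlparse

# Constructed input: lines copied from the third HijackThis log posted in this thread
# (v1.98.2, scan of 9/12/2004), trimmed to the R0/R1, O2/O3 and O4 sections.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winine32.exe
O4 - HKLM\..\Run: [adqkpy] C:\WINDOWS\System32\osmjahe.exe
O4 - HKLM\..\Run: [tshruin] C:\WINDOWS\System32\tshruin.exe
O4 - HKLM\..\RunServicesOnce: [] C:\WINDOWS\GIGATEMP\Patch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumptions for this example (not from the thread): hosts the owner actually chose,
# and Windows XP binaries that legitimately start from System32 or the search path.
TRUSTED_HOSTS = {"www.google.ca"}
KNOWN_SYSTEM_EXES = {"ctfmon.exe", "dumprep", "cthelper.exe", "rundll32.exe"}
WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"

R_RE = re.compile(r"^(R[0-3]) - (.+?),(.+?) = (.*)$")
O23_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")


def executable_of(command):
    """Program path from an O4 command line: a quoted path is taken whole, an unquoted
    one up to its first executable extension (so a path containing a space survives)."""
    m = re.match(r'^"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"^(.+?\.(?:exe|com|scr|dll|ocm))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def normalize_dir(path):
    """(directory, basename), lower-cased, with %systemroot% expanded. A bare file name
    resolves through the search path, which on XP effectively means System32."""
    p = path.lower().replace("%systemroot%", WINDIR)
    if "\\" not in p:
        return SYSTEM32, p
    d, _, base = p.rpartition("\\")
    return d, base


def triage_r(kind, key, value, data):
    """Search/start-page overrides: only a plain http(s) URL on a trusted host passes."""
    url = urlparse(data)
    if url.scheme in ("http", "https") and url.hostname in TRUSTED_HOSTS:
        return None
    if url.scheme == "res":
        return "search page served from a local DLL resource"
    return "search/start page points at untrusted host %r" % url.hostname


def triage_o23(kind, name, clsid, path):
    """BHOs/toolbars load into every IE process; a DLL under the Windows directory
    (outside System32) rather than Program Files is the pattern seen in this thread."""
    d, _ = normalize_dir(path)
    if d.startswith(WINDIR) and d != SYSTEM32:
        return "browser extension DLL loaded from %s" % d
    return None


def triage_o4(hive, key, name, command):
    """Autostart entries: empty names, temp folders, unknown System32 binaries."""
    reasons = []
    d, base = normalize_dir(executable_of(command))
    if name == "":
        reasons.append("autostart value has an empty name")
    if "temp" in d:
        reasons.append("runs from a temporary folder")
    if d == SYSTEM32:
        if base not in KNOWN_SYSTEM_EXES:
            reasons.append("unknown binary %s starting from System32" % base)
    elif d.startswith(WINDIR):
        reasons.append("starts from %s rather than Program Files" % d)
    return "; ".join(reasons) or None


def triage(log_text):
    """Return [(line, reason)] for every log line one of the rules objects to."""
    findings = []
    for line in log_text.strip().splitlines():
        line, reason = line.strip(), None
        if m := R_RE.match(line):
            reason = triage_r(*m.groups())
        elif m := O23_RE.match(line):
            reason = triage_o23(*m.groups())
        elif m := O4_RE.match(line):
            reason = triage_o4(*m.groups())
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, why in triage(HJT_LOG):
        print("FLAG:", why)
        print("     ", line)
```

Run as a script it prints the flagged lines; on this input that is exactly the set the helper asked to fix (the three searchmiracle entries, the toolbar.dll CustomizeSearch, both EliteBar entries, the three System32 binaries and the GIGATEMP Patch.exe) without matching a single one of those names. That is the point of placement-based rules: the file names change from one infection to the next, where they are allowed to start from does not.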
     
  13. peril0us

    peril0us Banned Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    906
    Okay. I did the thing with HJT, saved your reply to notepad, and restarted the comp. Then, when I tried to start up in safe mode, I couldn't!!! It froze on the screen where it lists all the stuff it's loading. So, after a few min I restarted it and tried again, and it froze again. I think this might be somehow related to the blue screen of death that I got after I left Safe Mode last time. Any ideas? Also, I am still getting 2 ads that pop up when I boot, but then nothing happens. thx.
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The safe mode startup problem may also be indicative of a display driver issue. ATI comes out with a new driver update about once a month. You don't need the absolute latest.

    I believe your Radeon 9000 is supported up to Catalyst 4.8, but be sure to read the release notes. I'm currently running 4.6 on a Radeon 9700.

    You must follow the directions to uninstall the old drivers from the Control Panel Add/Remove programs prior to installing. You may need to cancel out of any "automatic" attempt to reinstall drivers on startup and go to where you downloaded the setup file to run that.

    You can't install them in Safe Mode, but you could try VGA mode if you can get there. I suspect you can't though with the safe mode error.

    http://www.ati.com/support/products/radeonwinxppreviousdrivers.html

    I'm not sure if you need to do separate installs for the main driver and the so-called "control panel" driver. The last time I did this I simply removed both from Add/Remove, rebooted to VGA mode and ran the setup for the "single bundle" install. Prior to that I had to do separate downloads. The single bundle is about 26mb as I recall.

    PS: I would advise creating a system checkpoint before proceeding with anything like this. Although you can "rollback" drivers, I like System Restore. You don't want to restore to a point prior to your new installs and cleanups though.
     
  15. peril0us

    peril0us Banned Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    906
    Thx dude. I have had this driver error for about a year now; it seems to crash the PC when I have Java applets running. I will email ATI to get info on this because their site is way too confusing lol. :)
     
Short URL to this thread: https://techguy.org/273186