
internet connection

Discussion in 'Windows XP' started by zainu, Oct 4, 2003.

Thread Status:
Not open for further replies.
  1. zainu

    zainu Thread Starter

    Joined:
    Nov 8, 2000
    Messages:
    179
    My OS is win2000 SP3. Just recently I noticed the two monitor
    screen in taskbar perpetually downloading something even though
    I did not launch IE and it never stops. I have done a scan with
    Adaware and had removed all spyware but still it persists. Below is
    HijackThis result. Pls help to see if there is anything amiss: -


    Logfile of HijackThis v1.97.2
    Scan saved at 5:57:49 PM, on 10/4/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\WINNT\System32\S24EvMon.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\System32\QCONSVC.EXE
    C:\WINNT\System32\RegSrvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\wins\DLLHOST.EXE
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\System32\PRPCUI.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINNT\System32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\WINNT\System32\rundll32.exe
    C:\WINNT\System32\metalrock.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    C:\WINNT\System32\NotifyPhoneBook.exe
    C:\WINNT\system32\netd32.exe
    C:\Documents and Settings\user\Desktop\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [Windows MeTaLRoCk service] metalrock.exe
    O4 - HKLM\..\RunServices: [Windows MeTaLRoCk service] metalrock.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37817.8022222222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thks for any help.

    :(
     
  2. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    You've been infected with: Backdoor.IRC.Tastyred
    check it out here: http://www.symantec.com/avcenter/venc/data/backdoor.irc.tastyred.html

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    O4 - HKLM\..\Run: [Windows MeTaLRoCk service] metalrock.exe
    O4 - HKLM\..\RunServices: [Windows MeTaLRoCk service] metalrock.exe

    Then reboot in safe mode and delete the following file (in bold):

    C:\WINNT\System32\metalrock.exe

    Reboot in normal mode and that hopefully should be that.
    Hope this helps!

    :D
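
The two O4 entries and the file path singled out in the reply above can be pulled from a HijackThis log mechanically. The following is an added example, not part of the original thread: it flags a value name registered under both Run and RunServices with a path-less command, then resolves the file from the running-process list. That heuristic is an assumption chosen for illustration, and a hit is a lead to examine, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines excerpted from the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\metalrock.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [Windows MeTaLRoCk service] metalrock.exe
O4 - HKLM\..\RunServices: [Windows MeTaLRoCk service] metalrock.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")

def parse_log(text):
    """Return (running process paths, O4 registry autostart tuples)."""
    procs, entries = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        m = O4_RE.match(line)
        if m:
            entries.append(m.groups())          # (hive, key, name, command)
        elif re.match(r"^[A-Za-z]:\\", line):   # a full path in the process list
            procs.append(line)
    return procs, entries

def review(text):
    """Flag names set under both Run and RunServices with a path-less command."""
    procs, entries = parse_log(text)
    keys = defaultdict(set)
    for hive, key, name, cmd in entries:
        keys[(hive, name, cmd)].add(key)
    findings = []
    for (hive, name, cmd), seen in keys.items():
        if {"Run", "RunServices"} <= seen and "\\" not in cmd:
            exe = cmd.split()[0]
            # Resolve the bare filename against the running-process list.
            paths = [p for p in procs if p.lower().endswith("\\" + exe.lower())]
            findings.append({"name": name, "exe": exe, "running_as": paths})
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```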
     
  3. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
  4. zainu

    zainu Thread Starter

    Joined:
    Nov 8, 2000
    Messages:
    179
    Thks. I'll give it a try.(y)
     
  5. zainu

    zainu Thread Starter

    Joined:
    Nov 8, 2000
    Messages:
    179
    Topkat, I think that did it. My two monitor screen is not flashing
    anymore. I have checked with HijackThis and those files that I had
    removed are no longer there. BTW do I need to delete anything
    from the registry :confused:
     
  6. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    If your problem is solved then HJT should have fixed everything that needs to be fixed.

    In future a good rule of thumb is:
    DO NOT TOUCH THE REGISTRY unless both:
    1. a back-up of the registry has been made, and
    2. you know exactly what you are doing.

    Have you tried an online scan with the links that I posted earlier?

    You should, if you haven't already done so, go here and install Spybot Search & Destroy: http://tomcoyote.org/SPYBOT/index1.html including a tutorial on removing spyware/adware etc.
    Then use this thread to install and configure Lavasoft AdAware: http://forums.techguy.org/t164245/s.html
    You would also be advised to go to http://www.javacoolsoftware.com/spywareblaster.html and download SpywareBlaster and SpyGuard which will help prevent the spyware from being installed in the first place.

    After all that then do another scan with HJT and post log here to see if everything is as it should be.

    Hopefully that should have your pc running smoothly.
    :D
     
  7. zainu

    zainu Thread Starter

    Joined:
    Nov 8, 2000
    Messages:
    179
    Thanks for all the great help that you have given. At present I am
    not able to do the online scanning for reasons I cannot disclose
    now. Perhaps some other time. Thank you again for helping. (y)
     
  8. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    No problem zainu.
    (y)
     