
I've Been HIJACKED! (((HELP)))

Discussion in 'Virus & Other Malware Removal' started by Sitka, Aug 5, 2004.

Thread Status:
Not open for further replies.
  1. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    They won't fit on a floppy, but you can put them on CD.
     
  2. Sitka

    Sitka Thread Starter

    Joined:
    May 2, 2001
    Messages:
    237
    flrman1>

    I loaded shredder onto a CD then here's what it found:

    These files it wasn't sure what they were so it prompted me on what to do. And said if I didn't know what they were then don't delete them.. "I didn't"
    Here's what it showed me>

    C:\Windows\WCTWO48.exe
    C:\Windows\WCTWO48B.exe
    C:\Windows\WCTWO48C.exe
    C:\Windows\WCTWO48D.exe
    C:\Windows\WCTWO51.exe
    C:\WIndows\WCTWO51B.exe


    I looked the above up in this site, Norton & Microsoft and none showed what these were. So I didn't delete them...

    Then this is the results it also gave me>

    Removed from your system (5) infected IE registry values.

    Then when I started to reboot as you said I got this error message>

    "A Fatal Exception Has Occurred A 015F-00005B80

    When I rebooted the computer I got the error and the computer would not shut down so I shut the computer down because it would not reboot. When I turned the computer back on it stopped and was STUCK on my blue HP window and will NOT load any further. I've tried a few times and it keeps staying at the HP blue screen. It wouldn't let me reboot and hit F8 to get to my safe mode, command prompt, etc.
    But it finally let me into my bios screen. I moved a few things around and finally got it to let me into the safe mode. And here I sit in safe mode not sure what to do next. I've been messing with the computer for hours and it's midnight now. So hopefully we can figure this out tomorrow. Thanks so much for your help, Chara :)
     
  3. Sitka

    Sitka Thread Starter

    Joined:
    May 2, 2001
    Messages:
    237
    I finally worked with the computer and made it to my desktop without being in safe mode. I still can't get online though to log anything on here from that computer. Maybe that step can come next. It's after 1:00am so I'm going to call it a night. I'll be back in the morning. Thank you, Chara
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I think you can safely delete these files:

    C:\Windows\WCTWO48.exe
    C:\Windows\WCTWO48B.exe
    C:\Windows\WCTWO48C.exe
    C:\Windows\WCTWO48D.exe
    C:\Windows\WCTWO51.exe
    C:\WIndows\WCTWO51B.exe


    Go ahead and post another Hijack This log.
     
  5. Sitka

    Sitka Thread Starter

    Joined:
    May 2, 2001
    Messages:
    237
    Logfile of HijackThis v1.98.1
    Scan saved at 5:28:59 PM, on 8/9/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.pagesubmit.com/search/side.shtml
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wlox.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [Aclt] C:\WINDOWS\Application Data\admt.exe
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O10 - Broken Internet access because of LSP provider 'c:\windows\system\cslsp.dll' missing
    O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
    O16 - DPF: {73020B72-CDD6-4F80-8098-1B2ECD9CA4CA} (HearMe VoiceCREATOR) - http://vp.hearme.com/products/vp/embedded/plugins/evp.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Ctp Class) - http://www.americangreetings.com/create/Install/AxCtp.cab
    O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) - http://activex.microsoft.com/controls/iexplorer/x86/ielabel.cab
    O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
    O16 - DPF: {B5AC24C2-1B3B-11D4-80FD-005004993CCA} - http://toolbar.excite.com/download/exbar.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://communities.msn.com/scr/MsnPUpld.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! WebCam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL (file missing)

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKCU\..\Run: [Aclt] C:\WINDOWS\Application Data\admt.exe

    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab


    Restart to safe mode and delete these files:

    C:\WINDOWS\Application Data\admt.exe
    C:\WINDOWS\SYSTEM\NDrv.exe


    Click here to download LspFix

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of cslsp.dll (and nothing else) , and move them to the "Remove" pane.
    Then click Finish.

    After you run LspFix see if you can get online then.
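
Added example, not part of the thread or of HijackThis itself: a small Python parser for log lines in the format posted above. It groups entries by section code, lists the O4 autorun entries, and surfaces the entries HijackThis marked "(file missing)" plus the O10 line naming the LSP DLL handled with LspFix. The function names and regular expressions are assumptions made for this illustration; the sample lines are copied from the log in this thread.

```python
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wlox.com/
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system\cslsp.dll' missing
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

# "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
RUN_KEY = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
LSP = re.compile(r"LSP provider '([^']+)' missing", re.I)

def parse(log):
    """Group log entries by section code (R0, O2, O4, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:  # header and process-list lines do not match and are skipped
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def autoruns(sections):
    """Split each O4 entry into hive, key, value name and command."""
    out = []
    for body in sections.get("O4", []):
        m = RUN_KEY.match(body)
        if m:
            out.append(dict(zip(("hive", "key", "name", "command"), m.groups())))
    return out

def dangling(sections):
    """Entries whose target file HijackThis reported as '(file missing)'."""
    return [(code, body) for code, bodies in sections.items()
            for body in bodies if body.endswith("(file missing)")]

def broken_lsp(sections):
    """DLL paths named in O10 'LSP provider ... missing' lines."""
    return [m.group(1) for b in sections.get("O10", []) if (m := LSP.search(b))]

if __name__ == "__main__":
    s = parse(SAMPLE_LOG)
    print(autoruns(s), dangling(s), broken_lsp(s), sep="\n")
```

The parser only organises the log for review; deciding which entries to fix remains a manual judgement, as in the replies here.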
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Sorry, I meant to tell you that you can fit LspFix on a floppy disk and run it on the other machine.
     
  8. Sitka

    Sitka Thread Starter

    Joined:
    May 2, 2001
    Messages:
    237
    I didn't know if it would fit on a floppy so I downloaded on a CD. I never could find the (2) files you were telling me to delete. They were there yesterday but wondering if they moved since I had to scanreg\restore to an earlier date to get the computer to load yesterday. You think that would have moved them? But went ahead and did the LspFix and WE'RE ONLINE!!!
    WOOOOOHOOOOOO! :)
    You've done an awesome job here.... thanks! :)
    It's SUPERRRRR Slow though. But at least it's online to where I can work on it easier :)
    Yesterday I even had the AVG Virus program on that computer and it's not there now. Ad-Aware is also gone. All the Icons are still there but the programs are gone. Plus, I have lots of programs in my Add/Remove that weren't there the other day... Old programs that have been gone are back. I tried taking them out again while I was in safe mode but they would not remove. It kept saying the files are not there anymore but it left everything in the Add/Remove..... Is there anything else I need to do to clean this up and speed the computer up? I want to thank you so much. You have NO idea how wonderful this is to get this fixed and to be able to rest my mind a little now. Let me know if there is anything else I can do to tweak the little problems...
    I also bought a Norton for the sick computer today while at wal-mart. But I have an old McAfee on there now that wasn't there the other day. Will this cause a problem with the Norton? The other day I deleted the McAfee because it was taken out a few years back but when it came back this week I deleted it again and the computer would not load without those files. So I had to download the McAfee program again. Just let me know what I should do with these programs.
    Thank you so much, Chara :)
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    The reason that you have all those programs in Add/Remove and missing programs is because you did the scanreg /restore and restored an old registry that does not have the necessary registry entries to run some of the programs that were installed after that particular registry that you restored. You will have to reinstall those programs.

    You don't have anything unnecessary running so it's not the startups. The first thing that I would do is run scandisk and defrag.
     
  10. Sitka

    Sitka Thread Starter

    Joined:
    May 2, 2001
    Messages:
    237
    Thanks so much for all the info. I'm going to scan/defrag now...
    *smiles* Chara
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    (y)

    Let us know how it goes.
     
  12. Sitka

    Sitka Thread Starter

    Joined:
    May 2, 2001
    Messages:
    237
    Oh, I will ! :)
    This is so great! Thank you bunches! :)
    I've got the scan running right now... then on to the defrag... :)
    *smiles* Chara
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  14. Sitka

    Sitka Thread Starter

    Joined:
    May 2, 2001
    Messages:
    237
    Good afternoon! :)
    Just wanted to touch base with you. I stayed up very late last night running the thorough disk scan & defrag.
    It said NO errors were found :)
    I got on the computer this morning to check everything out to see if things were running smooth.... nope :(
    The minute the computer made it to the desktop it turned off and re-booted itself and then was stuck on the HP blue screen. So I ctrl+alt+delete and rebooted again then it went to a black screen and said this>

    C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE

    C:\DOS/16M ERROR [40]

    NOT ENOUGH AVAILABLE EXTENDED MEMORY (XMIN)


    Not sure why it said that because I have lots of memory in this computer. We even added more 4 years ago...
    I looked at the info I had and here it is>

    HP 98se
    56mb ram
    86% system resources free
    windows drive C (7833 mb free)
    available space on C:
    7833 of 14662 mb (fat32)

    Since I saw it was a McAfee problem do you think I should uninstall it again? It hasn't been on this computer in a very long time and when I scan/restore it came back. Still not sure how to solve these few problems. I'm on the computer right now posting this. I hope it hangs with me until I finish posting. Just trying everything out to see if there are any more problems.
    I'm just so thankful to have it online again. I feel that a lot has been done to get to this point. And I could have never done it without your help.
    Thank you, Chara :)
     
  15. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    56 megs of RAM? That means you probably have 8 going towards video.

    You need to go to start, run, type msconfig, startup tab and uncheck process autoexec.bat and config.sys files.

    I'm not sure why you did a scanreg/restore, but as mentioned above, many programs are not going to work after you uninstalled them, then reverted back to a VERY old registry. You won't be able to uninstall it since it doesn't exist.
     
Short URL to this thread: https://techguy.org/258322