
Much help needed...

Discussion in 'Virus & Other Malware Removal' started by rudyvr, Sep 19, 2004.

Thread Status:
Not open for further replies.
  1. rudyvr

    rudyvr Thread Starter

    Joined:
    Aug 8, 2004
    Messages:
    9
    Hey...
    well.. it looks like my dad's computer is infected again..
    His IE won't open, and if it does it redirects..
    I'm sure there's much more wrong with it..

    Here's his HijackThis log


    =====================================
    Logfile of HijackThis v1.98.2
    Scan saved at 5:37:12 PM, on 9/19/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\wscntfy.exe
    C:\Program Files\Kazaa Lite K++\Kazaa.kpp
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\MSWorks.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\g2jkf6lsw6t.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINNT\startsvs.exe
    O4 - HKLM\..\Run: [Network Security Guard] C:\WINNT\System32\1t660b69xm.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINNT\System32\E_SD9.tmp"
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: Ultimate Mail Manager Event Reminder.LNK = C:\Program Files\Broderbund\The Print Shop\UMM\Crdmind.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: winlogin.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://phgenit.com/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50192/QDow_AS2.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O20 - AppInit_DLLs: stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb yi172oeylk4.tlb xm68zboadbwj0.tlb ug0ebzv0xzabl.tlb e10b8np1y1lp3h.tlb nhjlhfrf7ssja.tlb 74bw21ehiccu.tlb 7i67lu4txubk.tlb baaubut6rl8.tlb cwwm4znkxg0.tlb r0ksv6oznbcryp.tlb fhx0j17epemf5b.tlb 2d8aukmwj31i.tlb







    Here's his FINDnFIX log
    ======================================



    »»»»»»»»»»»»»»»»»»***LOG!***(*updated *9/1*)»»»»»»»»»»»»»»»»

    *System:
    Microsoft Windows XP Home Edition 5.1 Service Pack 2 (Build 2600)
    *IE version:
    6.0.2900.2180 SP2


    *command.com test passed!

    __________________________________
    !!*Creating backups...!!
    (*Backup already exist!)
    17:35:11.06 Sun 09/19/2004
    __________________________________

    *Local time:
    Sunday, September 19, 2004 (9/19/2004)
    5:35 PM, Central Standard Time
    *Uptime:
    17:35:14 up 0 days, 4:43:29

    *Path:
    C:\FINDnFIX
    ----------------------------------------------------
    »»Member of...: ("ADMIN" logon + group match required!)

    User is a member of group RUDY\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    User is a member of group \LOCAL.
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Group BUILTIN\Administrators matches list.
    Group BUILTIN\Users matches list.

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    User: [RUDY\Owner], is a member of:

    BUILTIN\Administrators
    \Everyone

    Running in WORKSTATION MODE.

    SystemDrive is C:
    SystemRoot is C:\WINNT
    Logon Domain is RUDY
    Administrator's Name is Owner
    Computer Name is RUDY
    LOGON SERVER is \\RUDY

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided and registry scan should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

    ______________________________________________________________________________
    ***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
    ______________________________________________________________________________

    ......Scanning for file(s)...
    *Note! The list(s) may include legitimate files!
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»»»» (*1*) »»»»» .........
    »»Read access error(s)...


    »»»»» (*2*) »»»»»........

    »»»»» (*3*) »»»»»........

    unknown/hidden files...

    »»»»» (*4*) »»»»».........
    Sniffing..........

    »»»»»(*5*)»»»»»

    »»»»»(*6*)»»»»»

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...
    *List of files and specs according to 'size' :
    *Note: Not all files listed here are infected, but *may include* the
    name and spces of the offending file...
    ___________________________________________________________________________


    ____________________________________________________________________________
    *By size and date...



    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


    BHO search and other files...



    --*sp.html in temp folder was NOT FOUND!--

    *Filter keys search...
    REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html' (2)

    --(*text/html Subkey was NOT FOUND!)--

    REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain' (2)

    --(*text/plain Subkey was NOT FOUND!)--

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 1430

    »»Checking for AppInit_DLLs (empty) value...
    ________________________________
    !"AppInit_DLLs"=""!

    Value does not match
    ________________________________

    »»Comparing *saved* key with *original*...

    REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

    Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

    Value "AppInit_DLLs" in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" has different lengths (281 vs 491)

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb yi172oeylk4.tlb xm68zboadbwj0.tlb ug0ebzv0xzabl.tlb e10b8np1y1lp3h.tlb nhjlhfrf7ssja.tlb 74bw21ehiccu.tlb 7i67lu4txubk.tlb baaubut6rl8.tlb cwwm4znkxg0.tlb r0ksv6oznbcryp.tlb fhx0j17epemf5b.tlb 2d8aukmwj31i.tlb

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb \
    kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb yi172oeylk4.tlb xm68zboadbwj0.tlb ug0ebzv0xzabl.tlb e10b8np1y1lp3h.tlb nhjlhfrf7ssja.tlb 74bw21ehiccu.tlb 7i67lu4txubk.tlb baaubut6rl8.tlb \
    cwwm4znkxg0.tlb r0ksv6oznbcryp.tlb fhx0j17epemf5b.tlb \
    2d8aukmwj31i.tlb

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Performing string scan....

    ---------- WIN.TXT
    AppInit_DLLs倚
    --------------
    --------------
    --------------
    --------------
    stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"="stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb"

    .............
    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    Buffer Problems
    -----------------------

    »»»»»»Backups list...»»»»»»
    17:35:29 up 0 days, 4:43:43
    -----------------------


    *Temp backups...

    ________________________________________________________________________________
    ***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
    AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
    MINIMAL REQUIREMENTS INCLUDE:
    _________XP HOME/PRO; SP1; IE6/SP1
    _________2K/SP4; IE6/SP1
    ________________________________________________________________________________
    »»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»
    -----END------


    ===========================


    Thanks for your time.. :)
     
  2. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    This is what I suggest you do first.

    Make sure you have the up-to-date versions of Spybot and Ad-aware. All are free and available below.

    Download Spybot, install and update. Then download Ad-aware, install, and update.

    Spybot:
    Go to Start > Programs > Spybot > Search & Destroy and choose Spybot S&D

    Close ALL windows except Spybot S&D
    Click the button to "Search for Updates" and download and install the Updates.
    Next click the button "Check for Problems"
    When Spybot is complete, it will be showing "RED" entries, "BLACK" entries and "GREEN" entries in the window
    Put a check mark beside the RED entries ONLY.
    Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.

    Ad-Aware FULL SCAN:

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From the main window: click Start, then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

    Before restart, Empty Recycle Bin.

    Restart your computer.

    Post a new HijackThis log.
     
  3. rudyvr

    rudyvr Thread Starter

    Joined:
    Aug 8, 2004
    Messages:
    9
    Thanks for responding,

    I just ran Spybot & Ad-aware with the full updates..

    Now here are my fresh logs...

    Thanks for your time...

    ==============
    HijackThis log
    =============

    Logfile of HijackThis v1.98.2
    Scan saved at 10:30:41 PM, on 9/20/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\wscntfy.exe
    C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\vt4tyej6tnun1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINNT\startsvs.exe
    O4 - HKLM\..\Run: [Network Security Guard] C:\WINNT\System32\1t660b69xm.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINNT\System32\E_SD9.tmp"
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: Ultimate Mail Manager Event Reminder.LNK = C:\Program Files\Broderbund\The Print Shop\UMM\Crdmind.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: winlogin.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://phgenit.com/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50192/QDow_AS2.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O20 - AppInit_DLLs: stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb yi172oeylk4.tlb xm68zboadbwj0.tlb ug0ebzv0xzabl.tlb e10b8np1y1lp3h.tlb nhjlhfrf7ssja.tlb 74bw21ehiccu.tlb 7i67lu4txubk.tlb baaubut6rl8.tlb cwwm4znkxg0.tlb r0ksv6oznbcryp.tlb fhx0j17epemf5b.tlb 2d8aukmwj31i.tlb fwvfy0iczt.tlb 28nekygbmgxg.tlb 2dp0t53vr2j5zk.tlb






    =============
    FindnFix log
    ================

    »»»»»»»»»»»»»»»»»»***LOG!***(*updated *9/1*)»»»»»»»»»»»»»»»»

    *System:
    Microsoft Windows XP Home Edition 5.1 Service Pack 2 (Build 2600)
    *IE version:
    6.0.2900.2180 SP2


    *command.com test passed!

    __________________________________
    !!*Creating backups...!!
    (*Backup already exist!)
    22:31:22.37 Mon 09/20/2004
    __________________________________

    *Local time:
    Monday, September 20, 2004 (9/20/2004)
    10:31 PM, Central Standard Time
    *Uptime:
    22:31:26 up 0 days, 1:11:22

    *Path:
    C:\FINDnFIX
    ----------------------------------------------------
    »»Member of...: ("ADMIN" logon + group match required!)

    User is a member of group RUDY\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    User is a member of group \LOCAL.
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Group BUILTIN\Administrators matches list.
    Group BUILTIN\Users matches list.

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    User: [RUDY\Owner], is a member of:

    BUILTIN\Administrators
    \Everyone

    Running in WORKSTATION MODE.

    SystemDrive is C:
    SystemRoot is C:\WINNT
    Logon Domain is RUDY
    Administrator's Name is Owner
    Computer Name is RUDY
    LOGON SERVER is \\RUDY

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided and registry scan should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

    ______________________________________________________________________________
    ***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
    ______________________________________________________________________________

    ......Scanning for file(s)...
    *Note! The list(s) may include legitimate files!
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»»»» (*1*) »»»»» .........
    »»Read access error(s)...


    »»»»» (*2*) »»»»»........

    »»»»» (*3*) »»»»»........

    unknown/hidden files...

    »»»»» (*4*) »»»»».........
    Sniffing..........

    »»»»»(*5*)»»»»»

    »»»»»(*6*)»»»»»

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...
    *List of files and specs according to 'size' :
    *Note: Not all files listed here are infected, but *may include* the
    name and spces of the offending file...
    ___________________________________________________________________________


    ____________________________________________________________________________
    *By size and date...



    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


    BHO search and other files...



    --*sp.html in temp folder was NOT FOUND!--

    *Filter keys search...
    REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html' (2)

    --(*text/html Subkey was NOT FOUND!)--

    REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain' (2)

    --(*text/plain Subkey was NOT FOUND!)--

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 1532

    »»Checking for AppInit_DLLs (empty) value...
    ________________________________
    !"AppInit_DLLs"=""!

    Value does not match
    ________________________________

    »»Comparing *saved* key with *original*...

    REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

    Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

    Value "AppInit_DLLs" in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" has different lengths (281 vs 542)

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb yi172oeylk4.tlb xm68zboadbwj0.tlb ug0ebzv0xzabl.tlb e10b8np1y1lp3h.tlb nhjlhfrf7ssja.tlb 74bw21ehiccu.tlb 7i67lu4txubk.tlb baaubut6rl8.tlb cwwm4znkxg0.tlb r0ksv6oznbcryp.tlb fhx0j17epemf5b.tlb 2d8aukmwj31i.tlb fwvfy0iczt.tlb 28nekygbmgxg.tlb 2dp0t53vr2j5zk.tlb

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb \
    kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb yi172oeylk4.tlb xm68zboadbwj0.tlb ug0ebzv0xzabl.tlb e10b8np1y1lp3h.tlb nhjlhfrf7ssja.tlb 74bw21ehiccu.tlb 7i67lu4txubk.tlb baaubut6rl8.tlb \
    cwwm4znkxg0.tlb r0ksv6oznbcryp.tlb fhx0j17epemf5b.tlb 2d8aukmwj31i.tlb fwvfy0iczt.tlb 28nekygbmgxg.tlb \
    2dp0t53vr2j5zk.tlb

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Performing string scan....

    ---------- WIN.TXT
    AppInit_DLLs倚
    --------------
    --------------
    --------------
    --------------
    stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"="stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb"

    .............
    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    Buffer Problems
    -----------------------

    »»»»»»Backups list...»»»»»»
    22:31:46 up 0 days, 1:11:42
    -----------------------


    *Temp backups...

    ________________________________________________________________________________
    ***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
    AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
    MINIMAL REQUIREMENTS INCLUDE:
    _________XP HOME/PRO; SP1; IE6/SP1
    _________2K/SP4; IE6/SP1
    ________________________________________________________________________________
    »»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»
    -----END------



    =======================


    Thanks for your time :)
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Do you know what this is?:

    O4 - HKLM\..\Run: [Network Security Guard] C:\WINNT\System32\1t660b69xm.exe

    Do you use a program called Network Security Guard?
     
  5. rudyvr

    rudyvr Thread Starter

    Joined:
    Aug 8, 2004
    Messages:
    9
    Thanks for your reply


    This Windows security program just popped out of nowhere into my system.
    I was assuming it was a part of the Windows update, but I may be wrong.

    Thanks for your time.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Go here

    Look at the top of the page for the Submit file box.

    Click on Browse

    Navigate to the C:\WINNT\System32 folder and upload the .... 1t660b69xm.exe .... file and let us know what you find.


    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\vt4tyej6tnun1.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINNT\startsvs.exe

    O4 - HKLM\..\Run: [Network Security Guard] C:\WINNT\System32\1t660b69xm.exe

    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

    O4 - Global Startup: winlogin.exe

    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50192/QDow_AS2.cab

    O20 - AppInit_DLLs: stv9k3synmxy.tlb 6sebzdsa1eg1x.tlb 1du9jlgmkmd.tlb 5zy5a968cyk.tlb ldyoupd0bu9n.tlb 133eu3xzureyxy.tlb x1war62mbpn.tlb ovmo7ui4cd.tlb jglysujgwv.tlb j5xcrepfiu4.tlb nfdgluacys.tlb fzptsulvob.tlb 27al2c8josp2a.tlb kap3tbur5ic.tlb lhndpkfe1b.tlb f2rug2xnbkpfn.tlb v5rnjdiipmwi6m.tlb yi172oeylk4.tlb xm68zboadbwj0.tlb ug0ebzv0xzabl.tlb e10b8np1y1lp3h.tlb nhjlhfrf7ssja.tlb 74bw21ehiccu.tlb 7i67lu4txubk.tlb baaubut6rl8.tlb cwwm4znkxg0.tlb r0ksv6oznbcryp.tlb fhx0j17epemf5b.tlb 2d8aukmwj31i.tlb fwvfy0iczt.tlb 28nekygbmgxg.tlb 2dp0t53vr2j5zk.tlb


    Restart to safe mode.

    How to start your computer in safe mode

    Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK"

    Now find and delete these files:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
    C:\WINNT\startsvs.exe
    Look in the C:\WINNT\System32 folder and delete all of these files:



    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin
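
The kind of triage applied to the HijackThis log above, sketched in Python as an added example; it is not part of the thread and not HijackThis's own logic. The sample log lines, file names, CLSID, the `C:\WINNT\System32` system directory and the flagging heuristics are all constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis log format; names and CLSID are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINNT\system32\example1.dll
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [Example Guard] C:\WINNT\System32\example2.exe
O20 - AppInit_DLLs: example3.tlb example4.tlb
"""

ENTRY = re.compile(r"^\s*([ORFN]\d+) - (.*)$")
SYSTEM_DIR = PureWindowsPath(r"C:\WINNT\System32")  # assumed; %SystemRoot% varies


def parse_entries(log):
    """Return (code, body) for every HijackThis-style line in the log."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]


def appinit_paths(body):
    """Split an O20 value (space or comma delimited) into module paths."""
    names = re.split(r"[ ,]+", body.split(":", 1)[1].strip())
    # Joining keeps absolute paths as-is; bare names resolve to SYSTEM_DIR.
    return [SYSTEM_DIR / n for n in names if n]


def triage(log):
    """Return (code, path, reason) tuples for entries worth a manual look."""
    findings = []
    for code, body in parse_entries(log):
        if code == "O20" and body.startswith("AppInit_DLLs"):
            for p in appinit_paths(body):
                why = "loaded into every process that loads user32.dll"
                if p.suffix.lower() != ".dll":
                    why += "; extension is not .dll"
                findings.append((code, str(p), why))
        elif code == "O2" and "(no name)" in body:
            findings.append((code, body.rsplit(" - ", 1)[1], "BHO without a name"))
        elif code == "O4":
            target = body.split("] ", 1)[1] if "] " in body else body
            # PureWindowsPath comparison is case-insensitive, like the file system.
            if PureWindowsPath(target).parent in (SYSTEM_DIR, SYSTEM_DIR.parent):
                findings.append((code, target, "autorun from the Windows directory"))
    return findings


if __name__ == "__main__":
    for code, path, reason in triage(SAMPLE_LOG):
        print(f"{code:4} {path}  <- {reason}")
```

A flagged entry is a prompt for review, not a verdict: legitimate software also autostarts from System32, so each path still needs checking before anything is fixed or deleted.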
     

Short URL to this thread: https://techguy.org/275879
