1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Resolved] system32 popup - please help

Discussion in 'Windows XP' started by etnamaid, Apr 18, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. etnamaid

    etnamaid Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    94
    hi there,

    please check this log. everytime i restart my friend's computer, the System32 folder popup.

    please help.

    thanks
    =============================

    Logfile of HijackThis v1.97.7
    Scan saved at 3:11:05 PM, on 4/18/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\S3apphk.exe
    C:\WINDOWS\System32\yvwekpdk.exe
    C:\WINDOWS\System32\igfgtkqf.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca5.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ca5.hpwis.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O1 - Hosts: HTTP/1.1 200 Lose weight, eat less spam
    O1 - Hosts: Server: Freedom HTTP Proxy
    O1 - Hosts: Content-Type: image/gif
    O1 - Hosts: Accept-Ranges: bytes
    O1 - Hosts: Content-Length: 44
    O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {ABCA2B61-DFD9-20E4-7C49-10D4BDD6DD0C} - C:\WINDOWS\system32\yeilmaje.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [lssrv32] c:\WINDOWS\System32\lssrv32.exe
    O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
    O4 - HKLM\..\Run: [cpjxbnm] rundll32 C:\WINDOWS\System32:cpjxbnm.dll,Init 1
    O4 - HKLM\..\Run: [Outwar] C:\WINDOWS\syslaunch.exe
    O4 - HKLM\..\Run: [anpdojb] c:\WINDOWS\System32\anpdojb.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [rckcrpas] C:\WINDOWS\nlwkpozq.exe
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\yvwekpdk.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [stwzgapu] C:\WINDOWS\System32\igfgtkqf.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [GNT] C:\WINDOWS\GNT.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [lssrv32] c:\WINDOWS\System32\lssrv32.exe
    O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
    O4 - HKCU\..\Run: [anpdojb] c:\WINDOWS\System32\anpdojb.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\RunOnce: [*cpjxbnm] rundll32 C:\WINDOWS\System32:cpjxbnm.dll,Init 1
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
    O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
    O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &RSDN Search - res://C:\WINDOWS\2020SE~1.DLL/GoRSDN.dll.htm
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/Install.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_37.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://arcade.icq.com/multiplayer/odyssey_web8.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  2. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
    Based on the list, you should download a good spyware removal program.

    However these have nothing to do with the folder opening after login. If the System32 folder shows on the desktop, there may be an invalid entry in the Registry

    Start Regedit
    Go to both:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Double check that the values do not have incorrect, incomplete, or blank entries
     
  3. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,966
    First Name:
    James
    Ouch you have a lot of crap!

    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ - This is the problem, but you have much worse stuff going on.

    Download and run Spybot S&D, LAvasoft Ad-Aware and CWShredder. When you have run these programs, reboot and redo the log. We can then fish out the files that were left.
     
  4. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
    I'm constantly amazed with how much people has downloaded. For some locations of the better spyware removal tools:

    You need to download a good Spyware and Trojan Removal program.

    Spybot Search and Destroy:
    http://www.safer-networking.org/index.php?page=spybotsda

    SpySweeper:
    http://www.webroot.com/wb/products/spysweeper/index.php
    This will also protect your home page from being hijacked.

    Ad-Aware:
    http://www.lavasoft.de/

    With any of the above three programs, just like with Anti-Virus software, should have the latest updates installed before doing a scan.

    CWShredder:
    http://www.spywareinfo.com/downloads/tools/CWShredder.exe

    KazaaBeGone
    http://www.spywareinfo.com/~merijn/files/kazaabegone.zip

    Programs that can help prevent getting infected:

    Spyware Blaster
    http://www.javacoolsoftware.com/spywareblaster.html

    Spyware Guard
    http://www.wilderssecurity.net/spywareguard.html
     
  5. etnamaid

    etnamaid Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    94
    please check if i should fix the following too.
    thanks
    ======================

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca5.hpwis.com/
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {ABCA2B61-DFD9-20E4-7C49-10D4BDD6DD0C} - C:\WINDOWS\system32\yeilmaje.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
     
  6. etnamaid

    etnamaid Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    94
    everytime i restart the computer, end program - wupater.exe popup

    should i fix this?
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

    please advice.

    thanks
     
  7. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Did you run Adaware and spybot if so post a new hijackthis log than we can help you
     
  8. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,966
    First Name:
    James
    Those should be fixed by Spybot S&D and or Lavasoft Ad-Aware. Please run those programs and then repost a log.
     
  9. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,966
    First Name:
    James
    While you are at it, download Spyware blaster. Make sure you use the update function. It prevents any further attacks like what you have here.
     
  10. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,966
    First Name:
    James
    If you are that worried, start by removing all of the R0s, R1s, R3s and O1s. Those can be removed.

    For your wupdater.exe - go here
     
  11. etnamaid

    etnamaid Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    94
    yes, i run Spybot Search & Destroy, Ad-Aware, and CWShredder.

    thanks
     
  12. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,966
    First Name:
    James
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca5.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ca5.hpwis.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O1 - Hosts: HTTP/1.1 200 Lose weight, eat less spam
    O1 - Hosts: Server: Freedom HTTP Proxy
    O1 - Hosts: Content-Type: image/gif
    O1 - Hosts: Accept-Ranges: bytes
    O1 - Hosts: Content-Length: 44
    O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {ABCA2B61-DFD9-20E4-7C49-10D4BDD6DD0C} - C:\WINDOWS\system32\yeilmaje.dll
    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O4 - HKLM\..\Run: [cpjxbnm] rundll32 C:\WINDOWS\System32:cpjxbnm.dll,Init 1
    O4 - HKLM\..\Run: [Outwar] C:\WINDOWS\syslaunch.exe
    O4 - HKLM\..\Run: [rckcrpas] C:\WINDOWS\nlwkpozq.exe
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\yvwekpdk.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [stwzgapu] C:\WINDOWS\System32\igfgtkqf.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [GNT] C:\WINDOWS\GNT.exe
    O4 - HKCU\..\Run: [lssrv32] c:\WINDOWS\System32\lssrv32.exe
    O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
    O4 - HKCU\..\Run: [anpdojb] c:\WINDOWS\System32\anpdojb.exe
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\RunOnce: [*cpjxbnm] rundll32 C:\WINDOWS\System32:cpjxbnm.dll,Init 1
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
    O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe

    Well something didn't go right if the log was AFTER the checks. You will need to run in safe mode, turn off System Restore and then redo the scans, including an antivirus scan. Then run the HJT and check to see if you have any of the entries I have listed and remove them. You will need to also delete the files that are listed to from the locations. After you have did that reboot and do one last HJT and post it here. (dont forget to turn the System Restore back on.)

    Also I believe you have the peper.a trojan. Go to this link: http://www.zerosrealm.com/downloads/uninst.exe
    You will need to be online for the file to work. It will ask you to SAVE or OPEN it. OPEN it (with the connection still active!) so you can remove the trojan.
     
  13. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,966
    First Name:
    James
  14. etnamaid

    etnamaid Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    94
    here is the latest log.
    still the "end program - wupdater.exe" is there
    when i restart. i can't find any download fom this link
    http://www.doxdesk.com/parasite/KeenValue.html

    please help.

    thanks


    Logfile of HijackThis v1.97.7
    Scan saved at 12:56:33 AM, on 4/19/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [lssrv32] c:\WINDOWS\System32\lssrv32.exe
    O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &RSDN Search - res://C:\WINDOWS\2020SE~1.DLL/GoRSDN.dll.htm
    O8 - Extra context menu item: Allow popups - file://C:\Program Files\Ultimate Popup Killer\Popupkiller.html
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/Install.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_37.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://arcade.icq.com/multiplayer/odyssey_web8.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Probaby best to reboot in Safe Mode to carry this out.

    Check these two items and "fix" them in the Scanlog:

    4 - HKLM\..\Run: [lssrv32] c:\WINDOWS\System32\lssrv32.exe

    ^^ unless you KNOW what that is and can vouch for it.

    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll

    ^^ a known malware component.

    Then just go to the C:\Program Files\Common files\updater\wupdater.exe. You can delete lssrv32.exe as well.

    "updater" folder and delete it manually.

    How to restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

    And just a side note: that was sure one mess of a Scanlog. If you have been using file sharing applications, you can bet they will return if you continue to do so.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/221657

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice