
(Resolved): Unsure about a couple of files

Discussion in 'Windows XP' started by scotty_b, Jan 22, 2006.

Thread Status:
Not open for further replies.
  1. scotty_b

    scotty_b Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    42
    I have a couple of questions actually.

    First, I use Microsoft AntiSpyware and I clicked on 'Manage allowed WindowsServices...' which of course gave me a list of programs. There were two which I was unable to determine where they came from: JBR.exe and WIFMDOZ.exe. Both were in a Temp folder, but I was wondering if I should remove them from the 'allowed WindowsServices' list.

    Second, about a month ago, I was messing around and I found a thing on the computer where I could change how Windows searches for various things. Stupidly, I changed a couple (like changing the default search engine to Google, I think) and now I can't find where I changed those settings. I would like to change them back to defaults because every now and then, when I click a link, it takes me to the Google page and does a search for whatever.

    Any help would be appreciated,
    Scotty B

    p.s. if it helps for any reason, here's my Hijack This log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:41:09 AM, on 1/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Scott and Beth\Desktop\anti spyware and such\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Iowa Telecommunications
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
    O14 - IERESET.INF: START_PAGE_URL=http://www.iowatelecom.net
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126668316043
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132057144965
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{685380B7-4C2B-4B62-9FCB-DF4D8AEE62F0}: NameServer = 85.255.113.146,85.255.112.23
    O17 - HKLM\System\CCS\Services\Tcpip\..\{782FDF07-9720-4CB5-B870-D095AF74EC17}: NameServer = 85.255.113.146,85.255.112.23
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB7E9EE-4E89-46F1-85D2-240C6B6DF5B2}: NameServer = 85.255.113.146,85.255.112.23
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Thanks again,
    -S
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, To see if those files, or any that you suspect, might be infected, go here and scan one file at a time:


    http://www.kaspersky.com/scanforvirus

    Simply hit the Browse button there, then navigate, using Windows Explorer, to the file in question, click on it, and then hit the Submit button. When you see the filepath in the space, it will upload the file for an exam; it takes just a minute and gives you results right back. If anything is found infected, post the results into a reply.

    Do any antivirus/antispyware apps or scanners detect something?
    Let us know either way, and I can close this for you.
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi scotty_b, Was there anything found for those files, anything new to tell us?
     
  4. scotty_b

    scotty_b Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    42
    Sorry for the delay. The files seem to have disappeared. I'm at a loss. Thanks for your suggestion though. By the way... any ideas about the second part to my question?

    -Scotty B
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,

    I think I spotted something in the log that needs looking at, expect a reply about it tomorrow from dvk01 or someone....

    You will need these instructions. Print them out or save them to a Notepad text file on the desktop.

    BEFORE you try to make the changes shown below, you will have to temporarily turn off the Microsoft AntiSpyware program and its protections. I don't know if you have the steps to do that, so I include them below:

    Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye].
    Click on "Security Agents Status".
    Click on "Disable real-time protection".

    Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.

    Click on the Options menu and choose Settings.
    In the left pane column click on "Real Time Protection".
    Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
    Under Real-time spyware threat protection, uncheck "Enable real-time spyware threat protection (recommended)".
    Click the Save button and close Microsoft AntiSpyware.
    Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware".


    Be sure to reset the above and turn the program back on when you are done. Save those steps, but if you don't, here is a page you can bookmark with several of the programs that block changes you sometimes need to make, outlined with steps to turn them off:

    http://forums.techguy.org/security/110854-security-help-tools.html

    It's the link in RED there


    To set the default settings:

    Open Internet Explorer, at the top, hit the Tools tab, select Internet Options, then Programs, and use the Reset Web Settings button, either uncheck the home page box, and set it to what you want, or leave it if you want to keep the same page.

    If the above doesn't do what you want let us know.

    This entry shows that you had PC Tools Site Guard....is it still installed? You may have used that to make changes for the above settings. If it has been uninstalled, then you can fix those items with Hijackthis.


    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


    CLOSE all other windows when you fix anything in Hijackthis.

    Put a check next to them in a new scan with HJT and click Fix Checked.

    If dvk01 replies, and has something for you to do, take care of that and do what he tells you.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    It's very possible that you have wareout trojan

    • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!

    Reboot into Safe Mode
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Doubleclick WinPFind.exe
    • Click " Configure Scan Options"
    • Select " Run Add ONs" and then select ALL the options in the box below it, Press Apply
    • Now Click "Start Scan"
    • It will scan the entire System, so please be patient!
    • Once the Scan is Complete
      • Reboot back to Normal Mode!
      • Go to the WinPFind folder
      • Locate WinPFind.txt
      • Place those results in the next post! It will be too big to post, so you will need to attach it to your reply
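    The replies above rest on two things visible in the posted log: the O17 lines that point every network adapter's DNS at resolvers the user never configured (the basis for the wareout suspicion), and registered components such as the O2 BHO and the O20 Winlogon Notify entry whose files are missing. The Python below is an added example, not code from the thread, from HijackThis or from WinPFind; it triages a log for exactly those two patterns. The sample lines are copied from the log posted earlier in this thread, and the allow-list of expected resolver networks is a hypothetical one (private RFC 1918 ranges, as a home router would use) that a real check would replace with the ISP's actual resolvers.

```python
import ipaddress
import re

# Constructed sample: five lines copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{685380B7-4C2B-4B62-9FCB-DF4D8AEE62F0}: NameServer = 85.255.113.146,85.255.112.23
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Hypothetical allow-list (assumption, not from the page): resolvers a home PC behind a router
# would legitimately use. In practice put the ISP's published resolver addresses here.
EXPECTED_DNS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# O17 lines end with "NameServer = <addr>[,<addr>...]"; capture the address list.
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")

# Sections that register a loadable component (BHO, toolbar, protocol handler, Winlogon notify).
COMPONENT_SECTIONS = {"O2", "O3", "O18", "O20"}


def unexpected_nameservers(line, allowed=EXPECTED_DNS):
    """Return the resolver addresses on an O17 line that fall outside the allowed networks."""
    match = O17_RE.match(line.strip())
    if not match:
        return []
    flagged = []
    for raw in re.split(r"[,\s]+", match.group("servers").strip()):
        if not raw:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            flagged.append(raw)  # an unparsable resolver entry is itself worth a look
            continue
        if not any(addr in net for net in allowed):
            flagged.append(raw)
    return flagged


def triage(log_text, allowed=EXPECTED_DNS):
    """Scan a HijackThis log and return (section, reason, line) for each suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O17":
            bad = unexpected_nameservers(line, allowed)
            if bad:
                findings.append((section, "DNS resolver outside expected networks: " + ", ".join(bad), line))
        elif section in COMPONENT_SECTIONS and ("(no file)" in line or "(file missing)" in line):
            findings.append((section, "registered component whose file is absent", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

    Run stand-alone it reports the dangling O2 BHO, the O17 resolver change and the missing Winlogon Notify DLL, and stays silent on the Norton BHO and the ccApp Run entry. A resolver change is the finding to act on first: every other check on the machine (including the online file scanner suggested earlier) resolves hostnames through whatever these O17 entries point at.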
     
  7. scotty_b

    scotty_b Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    42
    Well, I restarted in safe mode and ran WinPFind.exe as suggested. After a little while I got an error message that said: Invalid data type for 'System'. I clicked 'OK' then I let it continue for about half an hour (because it still had the little hour glass) but nothing was happening so I stopped. I have attached a screen shot of the spot where it was stuck if that helps.

    Scotty B

     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Can't tell much from the screenshot but maybe Derek can help with running WinPFind. He might have a reply when you check back here; he is in the United Kingdom and on a different time.

    Were you able to save the log at all?
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Open wpfind

    click scan options and on the right hand registry section uncheck hklm winlogon

    press apply and try again

    if it still does it, recheck that one & uncheck the next one down & so on until we find the one that is causing the problem
    It's normally a corrupt registry entry, so once we know which section is hanging we can fix that entry another way
     
  10. scotty_b

    scotty_b Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    42
    Thanks for the suggestion dvk01, worked like a charm. Attached is the WinPFind.txt file.

    Scotty B
     

    Attached Files:

  11. scotty_b

    scotty_b Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    42
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    There are stacks of things wrong
    BUT if this is the same computer that has the IE problem it is a waste of time fixing it as it is all connected and I won't waste time fixing all this for you to wipe it out & reinstall to cure the IE beta problems

    That is why we always say EVERYTHING in one post

    If it's a different computer then OK we can have a go at it

    let us know what it is
     
  13. scotty_b

    scotty_b Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    42
    Sorry about the two posts, but the two problems/posts were about three weeks apart.

    Yes it is the same computer, but I'm not sure I fully understand the situation here. Byteman suggested a Repair Install. How do I do this, and will it cause me to lose everything or will it just revert some Windows components to their original settings? Either way, will it also take care of my 'stacks of things wrong'?

    On the flipside, if we go your way (fixing the many issues), might it take care of the IE problems?

    Thank you for your patience,
    Scotty B

    p.s. Out of curiosity, what sort of problems are we looking at here?
     
  14. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I have replied to your other thread in Web and Email forum about doing a Repair installation of XP.

    For you to decide if you want to do that. I am not sure with IE 7.0 what trying a Repair will do; at the very least it should remove it if you were not able to uninstall it correctly...as I see was tried in the other thread.

    Derek is a very busy man and cannot spend time trying all the malware removal you may need, and then have you do some sort of Repair and end up wiping the hard drive and doing a fresh install.


    It may end up just that way- be prepared to reinstall everything is all I can tell you...

    You will be very vulnerable to malware just after the Repair, since it removes Windows Updates, so you need a way to at least reinstall SP2. Do you have the Microsoft CD for it, or does your copy of XP have it preinstalled? The XP media may tell you on the cover or on the CD itself. The Microsoft CD is available free and takes only several days to get, despite what is posted at the order site (4 to 6 weeks--I have them in 4 days usually).

    You can borrow someone's Service Pack 2 CD (I do NOT mean the operating system XP CD!) to install the service pack from.

    http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    From reports I have had IE7 beta is a pain to fix problems and most people have ended up doing a complete format & reinstall

    Beta products aren't really suitable for a working computer as beta means it goes wrong

    My advice is try the reinstall as advised by byteman and see if that works
     
Short URL to this thread: https://techguy.org/436224