Solved: Can't get hijack to pop up

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Xebec52

Thread Starter
Joined
Mar 16, 2005
Messages
74
I'm having problems with my hijack program. I have downloaded it and unzipped it, but every time I go to click on the icon, the actual screen that gives you the options to do a scan or save the scan never pops up. Or if it does, it's only for a split second. An error message pops up instead, but it also quickly disappears and I don't have time to read the entire thing. But by clicking on the icon a few times I was able to read that the warning message was telling me that I shouldn't delete anything on my own but instead ask an expert. This is not my first HijackThis log experience, but it has never just not popped up before. I'm also having major problems with my computer and figured this would be a starting point. I have Windows 2000. Any help would be greatly appreciated. Thanks
 
Joined
Dec 9, 2000
Messages
45,855
Where did you download HijackThis from?

Was it this site?

Download and install HijackThis using the "self extractor". Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

If not, do it following those instructions.

If you get actual error messages, run eventvwr.msc and look in the applications log for any relevant errors.

You can also try running HijackThis in Safe Mode, but it will not tell us all we need to know.
 
Joined
Jun 12, 2004
Messages
1,661
If you have a pop-up blocker installed, you may need to disable it to allow the window to show.
 

Xebec52

Thread Starter
Joined
Mar 16, 2005
Messages
74
I tried according to what you said and still receive the same problem, and it isn't an actual error message so it is not documented. I've also noticed that many other programs don't open, like my pop-up stopper and virus scan. Do I have major problems?

Thanks for the help thus far
 

Xebec52

Thread Starter
Joined
Mar 16, 2005
Messages
74
I downloaded another spyware program from Microsoft and the warning window still popped up, but I was able to get to the main screen. Thankfully. So here is my log. Could anyone take a look at it and instruct me on what to do from here? Many thanks




Logfile of HijackThis v1.99.1
Scan saved at 1:19:44 PM, on 7/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\navp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BellSouth Accelerator Technology\propelac.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ontrack\PowerDesk\PDExplo.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {240CF716-CAEA-415F-81E1-8FD7AD5FAF2B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [navp.exe] navp.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [navp.exe] navp.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{A13C80A0-F4A4-459A-B290-2D85DC9B4C6E}: NameServer = 205.152.132.235 205.152.37.254
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: navp.exe - Unknown owner - C:\WINNT\system32\navp.exe" -service (file missing)
 
Joined
Dec 9, 2000
Messages
45,855
Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View



Then:

1 >> Restart in Safe Mode. Instructions here if you need them: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

2 >> In Safe Mode run HijackThis and check and "fix" the following entries:

O2 - BHO: (no name) - {240CF716-CAEA-415F-81E1-8FD7AD5FAF2B} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [navp.exe] navp.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe

^^ do a complete drive search for libsysmgr.exe and delete it wherever found

O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe

^^ do the same for this file

O4 - HKLM\..\RunServices: [navp.exe] navp.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe

>> Using HijackThis, select "misc tools" > "delete an NT service".

Enter the following to be deleted:

navp.exe



3 >> Go to Start > Run and enter cmd and a command shell will open. At the prompt carefully type and enter each line:

del C:\WINNT\system32\navp.exe

Additional cleanup instructions: Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them



>> Reboot and post another scanlog

Also download, unzip and run Hoster.exe. Have it restore your original Hosts file:

http://www.funkytoad.com/download/hoster.zip
 

Xebec52

Thread Starter
Joined
Mar 16, 2005
Messages
74
Ok, I completed step one and most of step two.
I fixed:
O2 - BHO: (no name) - {240CF716-CAEA-415F-81E1-8FD7AD5FAF2B} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [navp.exe] navp.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe


However when I went to do the other two:
O4 - HKLM\..\RunServices: [navp.exe] navp.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe


It created backups for both. The reason why it did it for only these two was because I checked and fixed them at a different time. I was wondering if I should delete them from the backup list or leave them. Didn't want to make any move that I wasn't sure about.


When you told me to: >> Using HijackThis, select "misc tools" > "delete an NT service".

Enter the following to be deleted:

navp.exe


It came up with an error. The message said: The service 'navp.exe' is enabled and/or running. Disable it first, using Hijack This itself (from the scan results) or the Services.msc window. I'm not sure what they are talking about here and thought maybe since there was a backup for this file this message was the result.

The last thing includes the search: ^^ do a complete drive search for libsysmgr.exe and delete it wherever found

O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe

^^ do the same for this file

I'm guessing you are talking about going to Start > Search > For Files or Folders and then looking in the C: drive search for libsysmgr.exe and...? Is it syslog32.exe?

I'm sorry if this all sounds elementary, but I'm more concerned about doing everything correctly so I don't mess anything up. Thanks again for your help and I'll be looking for your answers. And I haven't done the remaining part of your request because I thought it was important to do them in order. But they will be coming shortly. Thanks again.

P.S. If one of my descriptions doesn't make sense, just let me know and I'll try to explain in better terms.
 
Joined
Dec 9, 2000
Messages
45,855
Ok, I didn't think the service would load in Safe Mode, but go to Start > Run, enter services.msc

Now search for one that says navp.exe and double click it. If the service is running you can click "stop service". Also set the startup mode to "disabled". Reboot and try the HijackThis instruction for that again.

With regard to the search and delete instructions, yes you understand that correctly. It's possible the files may not be found if they were previously detected and deleted by an antivirus program -- so be sure to "fix" the HijackThis entries for them anyway.
 

Xebec52

Thread Starter
Joined
Mar 16, 2005
Messages
74
Here is my new log. Everything appears to be running smoothly. Thanks for everything so far, and let me know if there are any further steps I may need to take.

Logfile of HijackThis v1.99.1
Scan saved at 10:34:09 PM, on 7/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\BellSouth Accelerator Technology\propelac.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Acrobat3\Reader\AcroRd32.exe
C:\Documents and Settings\Administrator\Desktop\I Ain't Afraid of no Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
 
Joined
Dec 9, 2000
Messages
45,855
Looks good to me. If all seems well on your end, feel free to use the Thread Tools menu on this page to mark the thread "Solved".

Of course, you are most welcome for the help!

PS-- By the way, this entry:

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

... was installed by Norton Antivirus, which you no longer seem to have on the machine. If you have uninstalled NAV, I believe you should be able to just check and fix that entry in HijackThis to delete it.
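
Added example, not part of any post in this thread and not HijackThis's own code: a small Python triage script for the kind of log exchanged above. It parses HijackThis entry lines, lists entries worth a closer look (missing target file, autorun command without a directory path, service reported with an unknown owner), and diffs a before/after pair to confirm which entries a cleanup removed. The function names and the three heuristics are assumptions made for this illustration; the sample lines are excerpted from the two logs posted above.

```python
import re

# Excerpts from the two HijackThis logs posted in this thread (before / after cleanup).
BEFORE = r"""
O2 - BHO: (no name) - {240CF716-CAEA-415F-81E1-8FD7AD5FAF2B} - (no file)
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [navp.exe] navp.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O23 - Service: navp.exe - Unknown owner - C:\WINNT\system32\navp.exe" -service (file missing)
"""
AFTER = r"""
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
"""

ENTRY = re.compile(r"^([ORFN]\d+) - (.*)$")  # section code, then the entry body
AUTORUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse(log):
    """Return [(section, body)] for every HijackThis entry line in the log text."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def review_reasons(section, body):
    """Heuristic reasons an entry deserves a closer look (candidates, not verdicts)."""
    reasons = []
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        reasons.append("target file missing")
    m = AUTORUN.match(body) if section == "O4" else None
    if m and "\\" not in m.group("cmd"):
        reasons.append("autorun command has no directory path")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service owner reported as unknown")
    return reasons

def triage(log):
    """Entries with at least one review reason, as (section, body, reasons)."""
    return [(s, b, r) for s, b in parse(log) if (r := review_reasons(s, b))]

def removed(before, after):
    """Entries present in the first log and absent from the second."""
    kept = set(parse(after))
    return [e for e in parse(before) if e not in kept]
```

`triage(AFTER)` still lists the Promon.exe autorun, which was not among the entries fixed in this thread: the heuristics only produce a review list, and each flagged entry still has to be identified before anything is removed.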
 