1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Help: Windows cannot find '1'

Discussion in 'Windows XP' started by olof, Nov 17, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. olof

    olof It's My Birthday! Thread Starter

    Joined:
    Aug 3, 2006
    Messages:
    30
    I downloaded AVG antivirus and ran the program; it did its thing and removed some of the bad stuff it found, but since then every time I try to start up my computer I get the error message

    "Windows cannot find '1'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

    I've tried running several .exe files but to no avail. The only way I've managed to even access an internet browser is to open up My Documents and type in a website in the address bar; I cannot open IE (or Netscape) through the traditional method.

    I've tried running Hijack this, but that won't work as well.

    What do I do? Any help is greatly appreciated.
     
  2. olof

    olof It's My Birthday! Thread Starter

    Joined:
    Aug 3, 2006
    Messages:
    30
    OK, I managed to fix the exe problem.

    Ran a hijack this log and here's what I got...

    Logfile of HijackThis v1.99.1
    Scan saved at 11:06:00 PM, on 11/17/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Grisoft\AVG Free\avgwb.dat
    C:\Documents and Settings\gk\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:80;http=127.0.0.1:80;https=127.0.0.1:80
    R3 - URLSearchHook: (no name) - {BA7905BF-EA79-92DB-28E6-B69EFB4207B8} - C:\WINDOWS\System32\kela.dll (file missing)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe 1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\System32\internst.exe
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\default\e4rhz0e0.slt\prefs.js)
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {BA7905BF-EA79-92DB-28E6-B69EFB4207B8} - C:\WINDOWS\System32\kela.dll (file missing)
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [WildTangent CDA] "RUNDLL32.exe" "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [intranet] C:\WINDOWS\System32\intranet.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Txk] C:\Documents and Settings\gk\Application Data\??mantec\w?wexec.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C53624BB-A589-43B3-B821-300D17CFA16E}: NameServer = 66.75.160.62,66.75.160.41
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Z2tpb3Vzc2lz\command.exe (file missing)
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  3. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    Hello olof. Welcome. I am reviewing your HijackThis log now and will be back with a reply as soon as possible.

    Please note that I am currently an undergraduate at a malware removal school which means that all of my responses are checked by an expert (teacher) before they reach the persons that I am helping. So there may be a slight lag in response time, but this assures that you receive quality assistance and that I get properly trained. Your patience is appreciated.:)

    Here are a few tips to help make things go smoothly:

    • * Feel free to stop and ask about anything that you are unsure of before proceeding.
      * It is often worth reading through the instructions and printing them for ease of reference.
      * Please reply only to this thread rather than start a new one.
      * Leave System Restore enabled during the handling.
      * If possible, continue to follow the topic until the system is pronounced clean; absence of symptoms does not necessarily mean absence of all malware.
     
  4. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    First click "Start > Run", type in the below commands one by one and hit "Enter" after each line:

    • sc stop cmdService
      sc delete cmdService
      sc stop "Network Monitor"
      sc delete "Network Monitor"


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Paste the contents of the Report.txt in your next reply along with a new HijackThis log
    -----------------------------------------------------------------------------------------------------------------

    Next....

    Look in your control panels add/remove programs for any of these and uninstall them:

    Oin
    Yazzle by Oin
    Purityscan by Oin
    Snowballwars by Oin
    or anything similar with Oin or Outerinfo in it.
    Zolero
    Tizzletalk
    MediaTickets
    Cowabanga
    and any other programs you didn't install or don't recognize - if your not sure please ask first


    Download and run this uninstaller:
    http://www.outerinfo.com/OiUninstaller.exe

    Tutorial for the uninstaller if needed


    Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
    Place a check against the following items if present:


    O4 - HKLM\..\Run: [intranet] C:\WINDOWS\System32\intranet.exe

    O4 - HKCU\..\Run: [Txk] C:\Documents and Settings\gk\Application Data\??mantec\w?wexec.exe


    Click on Fix Checked and exit HijackThis.


    Please print out the following instructions or copy them to Notepad as you will not have internet access from Safe Mode:

    Now, boot the computer into Safe Mode using the instructions above.

    --------------------------------------------------------------------------------------------------------------------------
    Next, using Explorer and/or XP's Search function, find and delete the following file marked in bold if present. Delete ONLY the part in bold:

    C:\WINDOWS\System32\intranet.exe

    Then find and delete the following folder the same way:

    C:\Documents and Settings\gk\Application Data\??mantec
    --------------------------------------------------------------------------------------------------------------------------


    • Still In Safe Mode, right click the SDFix.zip folder on the Desktop and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer that normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
     
  5. olof

    olof It's My Birthday! Thread Starter

    Joined:
    Aug 3, 2006
    Messages:
    30
    kdd9,

    Thanks you so much for the help; it is greatly appreciated.

    I went ahead and ran the processes you advised me to run. Here are the "Report" and the "Hijack This" logs...


    SDFix: Version 1.42
    -------------------

    Scan run on:
    Tue 11/21/2006

    Time:
    08:56 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running from: C:\SDFix

    Stage One...

    Checking Services...

    Name:
    -----

    Path:
    ----


    Repairing Registry...


    Restoring Default Hosts File...

    Stage One Complete

    Rebooting...

    Stage Two...

    Checking For Malware:
    --------------------


    Backing Up and Removing any Files Found...

    Final Check:

    Services:
    ---------


    Files:
    ------


    Backups folder is located here - C:\SDFix\backups\backups.zip

    FINISHED















    Logfile of HijackThis v1.99.1
    Scan saved at 12:54:34 AM, on 11/22/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Documents and Settings\gk\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:80;http=127.0.0.1:80;https=127.0.0.1:80
    R3 - URLSearchHook: (no name) - {BA7905BF-EA79-92DB-28E6-B69EFB4207B8} - C:\WINDOWS\System32\kela.dll (file missing)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\default\e4rhz0e0.slt\prefs.js)
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {BA7905BF-EA79-92DB-28E6-B69EFB4207B8} - C:\WINDOWS\System32\kela.dll (file missing)
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [WildTangent CDA] "RUNDLL32.exe" "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C53624BB-A589-43B3-B821-300D17CFA16E}: NameServer = 66.75.160.62,66.75.160.41
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  6. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    Very good. Let's continue.

    Please download and install CCleaner from here.
    Do not run CCleaner just yet.

    Then download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update succesfull message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.



    While we clean off the rest, two of the fixes will be optional. They are WildTangent and Weatherbug. It is up to you whether or not to remove them. I will give you some data on them and then the choice is yours. If you feel that you can live without them then it may just be best to get rid of them. If you really need and use them then you can leave them as they are not exactly malware.

    WildTangent:

    It is not malware, but is sometimes thought to bring malware along. Unless you are an extremely avid games player, I recommend you fix this...
    Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it’s not technically considered spyware, it does have built in components to update itself and gather information about the computer system including
    1. Operating System Version
    2. CPU Type and Speed
    3. Memory Amount
      Video Card type and Driver Version
    4. Sound Card type and Driver Version
    5. DirectX Version
      Location that the Web Driver was installed from
    6. It is also a MAJOR resource hog.


    Weatherbug:

    WeatherBug is a system tray icon that offers weather information and includes built-in ads. WeatherBug is controlled by AWS Convergence Technologies (weatherbugmedia.com).
    There is some controversy over whether WeatherBug should be targeted by anti-parasite software. AWS strongly deny their software is ‘spyware’, and by the definition used here, it is not, as it does not leak information back to its controlling servers.
    However, WeatherBug has in the past been silently installed by the FavoriteMan parasite and Freeze.com screensavers, and more recently has been bundled by software such as AIM and Blubster. This makes it ‘unsolicited’, and since it is installed to raise money for its creators through the built-in ads it is certainly ‘commercial’. So it does meet the definition for ‘parasite’: unsolicited commercial software. It is nonetheless listed as a borderline case because it is not overtly harmful and many people do install it deliberately.
    WeatherBug bundles the MySearch parasite in its standalone distribution and has in the past, installed Gator and SVAPlayer.

    To uninstall either, open the Control Panel, click Add/Remove Programs, find the entry on the list, click it once to highlight it, then click "Remove" to uninstall it.
    While you are there, find the entry for jre1.5.0_06 (under Java) and remove that too. There is a newer version to install.
    You may also want to check the list for MySearch, Gator, and SVAPlayer and remove those as well if they are there.
    If you chose to keep WildTangent and/or Weatherbug, then you can ignore their entries in the following HijackThis fix and just fix the rest.

    Now open HijackThis, do a system scan only, and when it finishes place a check before the following lines if present:

    R3 - URLSearchHook: (no name) - {BA7905BF-EA79-92DB-28E6-B69EFB4207B8} - C:\WINDOWS\System32\kela.dll (file missing
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {BA7905BF-EA79-92DB-28E6-B69EFB4207B8} - C:\WINDOWS\System32\kela.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [WildTangent CDA] "RUNDLL32.exe" "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    Then make sure ALL windows are closed except HijackThis and hit the "Fix checked" button.
    Exit HijackThis.

    Next, please reboot the pc to Safe Mode.

    • # Restart your computer.
      # When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
      #Choose your usual account.
      # Select the option for Safe Mode using the arrow keys.
      # Then press enter on your keyboard to boot into Safe Mode.


    Next, using Windows Explorer, locate and delete the following file marked in bold if present. Delete ONLY the part in bold:

    C:\WINDOWS\System32\kela.dll


    Then, using Windows Explorer, locate and delete the following folders:

    C:\Program Files\WildTangent (optional)
    C:\Program Files\AWS (optional, Weatherbug)
    C:\WINDOWS\Z2tpb3Vzc2lz
    C:\Program Files\Network Monitor

    Were you able to find and delete this folder?

    C:\Documents and Settings\gk\Application Data/??mantec

    I should have stated that the first two characters will not likely be "??" but something else. It just showed up as "??mantec" as HijackThis was not able to identify the first two characters. Go to that folder again if you need to, find what folder that would be and delete it. The folder may appear to be named Symantec and it's possible that the S and y may look a little bit odd.



    Then Run CCleaner: (Still in Safe Mode)

    • * Double-click it's desktop icon to open the program.
      * Click the "Options" button, then click "Advanced".
      * Uncheck, "Only delete files in Windows Temp folders older than 48 hours".
      * Click the "Cleaner" button (where the brush is.)
      * Click the "Run Cleaner" button.
      * Click "OK" to proceed.
      * Let it scan and clean until it's finished, and when it says, "Cleaning complete" in the status window, exit the program.
    Note: Please do not use the "Issues" button on CCleaner as this may lead to problems.


    Run AVG Antispyware
    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
        [​IMG]
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.


    There is a newer version of Java available now. It is important to have the latest updates for java not only for Java applets but to reduce chances of certain infection as well.
    First go to "Control Panel" > "Add/Remove Programs" and find (under "Java"). Click the entry once to highlight it, then click the "Remove" button to uninstall it. If the java uninstaller prompts you to reboot to complete the uninstallation, do so.
    Then go here
    http://java.sun.com/javase/downloads/index.jsp

    • * Click the Download button next to
      Java Runtime Environment (JRE) 5.0 Update 9

      * You should be taken to a page that says
      J2SE(TM) Runtime Environment 5.0 Update 9

      * Click to put a dot in the circle where it says, "Accept license agreement".

      * Then, from the Windows Platform box at the top of the list, click where it says, " Windows Online Installation (typical download size is ~MB), Multi-language".

      * Choose to run the installation.


    Then please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
    Note: You have to use Internet Explorer to do the online scan.


    Please post the results of the AVG Antispyware scan, the Panda Active Scan, and a new HijackThis log.
     
  7. olof

    olof It's My Birthday! Thread Starter

    Joined:
    Aug 3, 2006
    Messages:
    30
    Thanks again for the help.

    I did find the Symantec folder and deleted it. Looked for Weatherbug and Wildtangent in my Add/Remove Programs but didn't see either of them. If I remember correctly, I think I uninstalled them a while back, although some traces of them may have remained on my computer.

    Also, I wasn't sure if this warranted mentioning, but a couple of days ago I saw a bunch of different folders in "My Network Places." I wasn't sure what they were exactly (hackers?), but they had never been there before, so I quickly deleted them (or at least the shortcuts).

    Anyways, here are the logs...

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:00:52 PM 11/23/2006

    + Scan result:



    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP63\A0018657.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP59\A0017649.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP59\A0017650.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP60\A0017822.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP60\A0018018.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP63\A0018538.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\WINDOWS\SYSTEM32\awtutqp.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\Documents and Settings\gk\Desktop\Combined\Back6\MB_files\upd_data\script-2.htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).


    ::Report end











    Incident Status Location

    Adware:adware/sqwire Not disinfected c:\windows\system32\tsuninst.exe
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.statcounter.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.2o7.net/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.advertising.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.advertising.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.2o7.net/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.atwola.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.2o7.net/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Mozilla\Profiles\default\a90uhcdo.slt\cookies.txt[.toplist.cz/]
    Possible Virus. Not disinfected C:\WINDOWS\SYSTEM32\hufkbdal.exe
    Adware:Adware/CommAd Not disinfected C:\WINDOWS\Z2tpb3Vzc2lz\tZQDvapWwZ5W.vbs










    Logfile of HijackThis v1.99.1
    Scan saved at 2:03:34 AM, on 11/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\gk\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:80;http=127.0.0.1:80;https=127.0.0.1:80
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\default\e4rhz0e0.slt\prefs.js)
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C53624BB-A589-43B3-B821-300D17CFA16E}: NameServer = 66.75.160.62,66.75.160.41
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  8. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    Looking better. There are a few things showing in the Panda scan to take care of.

    First let's set XP to show all files:
    To enable the viewing of Hidden files follow these steps:

    • 1. Close all programs so that you are at your desktop.
      2. Double-click on the "My Computer" icon.
      3. Select the "Tools" menu and click "Folder Options".
      4. After the new window appears select the "View" tab.
      5. Put a checkmark in the checkbox labeled "Display the contents of system folders".
      6. Under the Hidden files and folders section select the radio button labeled "Show hidden files and folders".
      7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
      8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
      9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
      10. Now your computer is configured to show all hidden files.


    Please print out the following instructions or copy them to Notepad as you will not have internet access from Safe Mode:

    Now, boot the computer into Safe Mode

    • # Restart your computer.
      # When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
      #Choose your usual account.
      # Select the option for Safe Mode using the arrow keys.
      # Then press enter on your keyboard to boot into Safe Mode.

    Next, using Windows Explorer, locate and delete the following folder marked in bold if present. (Delete only the part in bold.):

    C:\WINDOWS\Z2tpb3Vzc2lz


    Then locate the following files and delete them:

    c:\windows\system32\tsuninst.exe

    C:\WINDOWS\SYSTEM32\hufkbdal.exe

    C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\Default User\zg8hdmp0.slt\cookies.txt

    C:\WINDOWS\Mozilla\Profiles\default\a90uhcdo.slt\cookies.txt

    Reboot to Normal Mode

    I'm not sure about the extra folders in "My Network Places". If they are still there you could list them by name and I could check them out.

    Are you still getting the error message, "Windows cannot find '1' or any other error messages?
    Are you still having trouble opening the browsers?
    Any other problems?

    Please check back even if all seems well as there is still the issue of getting Service Pack 2 for XP installed. This is very important. I will advise on that and also give some further recommendations for protection.
     
  9. talkingdog

    talkingdog

    Joined:
    Nov 30, 2006
    Messages:
    47
    I have just run into this same problem after 'healing' a virus with AVG free edition in XP Home edition

    I am, however, slightly reluctant to try and just follow the same procedure outlined here as I am not totally sure whether same problem identified here has led to this state of affairs on my PC.

    Should I try and instal and run 'Hijack This' to get a log report? I'm not even sure if I will be able to do this as it wasn't installed prior to the "windows cannto find 1" error occuring - which means I can't run any programs.

    Or am I OK to follow the steps outlined above?

    Any advice gratefully received!

    Pete
     
  10. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    Yes, let's try to get a HijackThis log to start with and take it from there.

    * Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Doubleclick on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

    Instead of posting it to this topic though, please begin a new topic to avoid confusion and I will keep an eye out for it. You can call the topic whatever you wish; I will be looking for topics started by talkingdog.

    Let me know if you have any trouble getting a HijackThis log run and posted.
     
  11. talkingdog

    talkingdog

    Joined:
    Nov 30, 2006
    Messages:
    47
    Thanks for this - I'll start a new topic and copy in the first two messages starting with my OP.
     
  12. olof

    olof It's My Birthday! Thread Starter

    Joined:
    Aug 3, 2006
    Messages:
    30
    Thanks again for the help, kdd9. Sorry for not getting back sooner - it's been a long week. I went ahead and ran the processes - I deleted the four files but couldn't locate a "Z2tpb3Vzc2lz" folder to get rid of. The computer is running better and I don't get the "Windows cannot find '1'" or any other error messages. The programs are running as they should and the Network Places thing I mentioned does't seem to be an issue. I've posted a new HijacThis log below...

    Logfile of HijackThis v1.99.1
    Scan saved at 12:56:06 AM, on 12/2/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[/RIGHT]
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\gk\Desktop\hijackthis\HijackThis.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HP\hpcoretech\soln\HPOSM.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:80;http=127.0.0.1:80;https=127.0.0.1:80
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\gk\Application Data\Mozilla\Profiles\default\e4rhz0e0.slt\prefs.js)
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C53624BB-A589-43B3-B821-300D17CFA16E}: NameServer = 66.75.160.62,66.75.160.41
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  13. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    You're welcome. No problem.

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):


      C:\WINDOWS\Z2tpb3Vzc2lz\tZQDvapWwZ5W.vbs


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.




    Then let's do one more scan to ensure that the system is clean and then we'll get that service pack installed.

    Please do an online scan with Kaspersky WebScanner
    (You will need to use Internet Explorer for this.)

    Click on Kaspersky Online Scanner

    You will be promted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Then post the scan results here.
     
  14. talkingdog

    talkingdog

    Joined:
    Nov 30, 2006
    Messages:
    47
    Olof, how did you fix your .exe problem? (just in case I can't get the exe fix I've had suggested to me to work...)
     
  15. olof

    olof It's My Birthday! Thread Starter

    Joined:
    Aug 3, 2006
    Messages:
    30
    I downloaded and ran a file called "xp_exe_fix." If you don't have XP, then I'm guessing you'll need a fix for a different platform.

    This is where I found it. http://www.kellys-korner-xp.com/xp_abc.htm (Under "EXE File Association Fix for Windows XP" in the "E" category.)

    But before using it, I'd check w/ kdd9 or another computer expert. I just kinda surfed around, stumbled across it, and was very fortunate that it worked.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/519251

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice