Solved: KERNEL32 DLL fix

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

MAM52

Thread Starter
Joined
Aug 26, 2005
Messages
34
Can you help me get the KERNEL32 back in it's right place? This is the messege that popped up on the desktop on Windows 2000 OS:

Dark.exe – Unable to Locate DLL

The dynamic link library KERNEL32 could not be found in the specified path
C:\WINNT\system32\gkjprnpshi;.;C:\WINNT\system32;C:\WINNT\system;C\WINNT;C:WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Hi MAM52 :)
Welcome to TSG

I want to make sure that error is not due to some infection.

Download Hijack This: http://thespykiller.co.uk/files/hijackthis_sfx.exe

Let it extract to C:\Program Files

Close out any open browsers
Launch the program
Click on "do a system scan only"
When that finishes, click on "save log"
The log will open in Notepad
Copy & paste that log into this thread

Do not fix anything yet
 

MAM52

Thread Starter
Joined
Aug 26, 2005
Messages
34
Good morning, Cheeseball81.
Tried your suggestion but when click to launch, no program showed up. What did happen was the desktop blinked and then went to "Refresh Active Desktop." So I did. Tried launching several times. no luck. Any suggestions.
 

MAM52

Thread Starter
Joined
Aug 26, 2005
Messages
34
This Hijack This worked. here is the log. Advice to fix soon is much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 9:32:42 PM, on 8/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\gkjprnpshi\csrss.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINNT\webshots.scr
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Valued Customer\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=C:\WINNT\system32\gkjprnpshi\csrss.exe
F3 - REG:win.ini: run=C:\WINNT\system32\gkjprnpshi\csrss.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Schoolpop0] "C:\Program Files\Schoolpop_ShoppingBuddy\Schoolpop0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Startup: csrss.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG Spirit\AGremind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Schoolpop - file://C:\Program Files\Schoolpop_ShoppingBuddy\Sy950\Tp950\scri950a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {011E1110-AF57-11d4-AC1C-E843E6000000} - file://C:\Program Files\SchoolCashReminderService\System\Temp\scash_script.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm (file missing) (HKCU)
O9 - Extra button: Schoolpop - {D0887919-FB2E-4530-85B2-B7E1D571CE28} - file://C:\Program Files\Schoolpop_ShoppingBuddy\Sy950\Tp950\scri950a.htm (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {05CE4481-8015-11D3-9811-C4DA9F000000} - http://www.topmoxie.com/external/builds/schoolcash/scmoxie.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D5382F3F-32AA-41E1-9FFF-5D1EFAC80D40} (FileClean.Clean) - http://www.contentpurity.com/members/FileClean.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Do you have anti-virus protection??
I see entries for Trend Micro but doesn't seem like you have an active AV program.

Get AVG (it's free): http://free.grisoft.com/doc/1

Then, click here to download the trial version of Ewido Security Suite:
http://www.ewido.net/en/download/

· Install Ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido.
· It will prompt you to update click the OK button and it will go to the main screen.
· On the left side of the main screen click update.
· Click on Start and let it update.
· DO NOT run a scan yet.

Restart your computer into Safe Mode now.
(Start tapping the F8 key at Startup, before the Windows logo screen).
Perform the following steps in Safe Mode:

* Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK.
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop.

Reboot.

Post a new Hijack This log and the results of the Ewido scan.
 

MAM52

Thread Starter
Joined
Aug 26, 2005
Messages
34
i have Trend Micro 2005. However, it is down as well. Everytime I tried to check certain boxes and then press "apply" the check marks go away. So virus protection is down.

Last night I ran a free House cleaner from Trend but program never gave me the results of the scan. So I am not sure what is going on here.
 

MAM52

Thread Starter
Joined
Aug 26, 2005
Messages
34
i'll try that next. i also have run Ad-Aware last night with no signifcant problems.
 

MAM52

Thread Starter
Joined
Aug 26, 2005
Messages
34
here is the new Hijack this & the Ewido scan:

Logfile of HijackThis v1.99.1
Scan saved at 2:17:45 PM, on 8/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINNT\webshots.scr
C:\PROGRA~1\TRENDM~1\INTERN~3\PccGuide.exe
C:\Documents and Settings\Valued Customer\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=C:\WINNT\system32\gkjprnpshi\csrss.exe
F3 - REG:win.ini: run=C:\WINNT\system32\gkjprnpshi\csrss.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Schoolpop0] "C:\Program Files\Schoolpop_ShoppingBuddy\Schoolpop0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Startup: csrss.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG Spirit\AGremind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Schoolpop - file://C:\Program Files\Schoolpop_ShoppingBuddy\Sy950\Tp950\scri950a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {011E1110-AF57-11d4-AC1C-E843E6000000} - file://C:\Program Files\SchoolCashReminderService\System\Temp\scash_script.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm (file missing) (HKCU)
O9 - Extra button: Schoolpop - {D0887919-FB2E-4530-85B2-B7E1D571CE28} - file://C:\Program Files\Schoolpop_ShoppingBuddy\Sy950\Tp950\scri950a.htm (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D5382F3F-32AA-41E1-9FFF-5D1EFAC80D40} (FileClean.Clean) - http://www.contentpurity.com/members/FileClean.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:03:19 PM, 8/28/2005
+ Report-Checksum: DBD20F1E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{05CE4481-8015-11D3-9811-C4DA9F000000} -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Valued Customer\Application Data\Mozilla\Firefox\Profiles\ff9a1g4f.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\S42NS.EXE -> Spyware.MyWay : Cleaned with backup
C:\Program Files\Schoolpop_ShoppingBuddy\disp950.exe -> Spyware.WebRebates : Cleaned with backup
C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINNT\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINNT\system32\gkjprnpshi\csrss.exe -> Backdoor.Landis.l : Cleaned with backup


::Report End


Chesseball81, I was able to run the Trend Micro Virus Program last night but not this morning. This afternoon, the program is up but haven't run the program yet. I sure hope I don't have to reinstall Windows 2000!

Thanks for all the help.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

F3 - REG:win.ini: load=C:\WINNT\system32\gkjprnpshi\csrss.exe

F3 - REG:win.ini: run=C:\WINNT\system32\gkjprnpshi\csrss.exe

O4 - Startup: csrss.lnk = ?

O9 - Extra button: (no name) - {011E1110-AF57-11d4-AC1C-E843E6000000} - file://C:\Program Files\SchoolCashReminderService\System\Temp\scash_script.htm (file missing) (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm (file missing) (HKCU)

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe


Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINNT\system32\gkjprnpshi\csrss.exe

Note: It is possible that Killbox will tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the KillBox.

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Find and delete this folder: C:\WINNT\system32\gkjprnpshi

Also in safe mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new log.
 

MAM52

Thread Starter
Joined
Aug 26, 2005
Messages
34
>I think I got this first one but along with 2 or three others that had the same folder id.

Find and delete this folder: C:\WINNT\system32\gkjprnpshi

> I think I may be pc out at this point but how do I get to this next one?

Also in safe mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

> Found this one but not sure of to delete since many of them are programs I use. I presume they will come back outside of safe mode?

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Anything in Temp can safely be deleted. But if you want, you can let the items you deleted stay in the Recycle Bin for a day or 2. That way you can be sure no programs were affected.
 

MAM52

Thread Starter
Joined
Aug 26, 2005
Messages
34
Okay. I'll try that.

Help to get this one.

> I think I may be pc out at this point but how do I get to this next one?

Also in safe mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top