1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

something found

Discussion in 'Virus & Other Malware Removal' started by lax30, Sep 21, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. lax30

    lax30 Thread Starter

    Joined:
    Sep 21, 2003
    Messages:
    44
    After putting up with this MSsvc.exe error for the last little while I decided to look deeper into the issue to fix the problem. I went through the usual steps and found the hidden "Recycler folder" in my drive. I went through some of the postings on this forum and went through the necassary steps to run Hijackthis. I did it from "Safe Mode and came up with this entry.

    Logfile of HijackThis v1.97.2
    Scan saved at 3:11:02 PM, on 21/09/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - D:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - D:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O4 - HKLM\..\Run: [Versato] C:\WINDOWS\System32\USB_Kbd\Versato.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [WinKnight32] e:\windows\knight.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37803.8077662037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    If any of you guys could help me clean up my system I would be greatly appreciative.
     
  2. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    Close all browser windows - run hijackthis - tick to fix :-


    O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    steam
     
  3. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    Steamwiz, I'm not an expert like you, but some items poped out at me.{pun intended}.

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    What do you think about this "MyBar" thing?
     
  4. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    BillC, nothing nefarious about MyWay:

    http://www.myway.com/


    lax30

    ....do you know what this entry is:

    O4 - HKLM\..\Run: [WinKnight32] e:\windows\knight.exe

    I don't know what it is, it may be legitimate.

    :)
     
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    About the MyWay search bar, IMHO it depends whether it was installed wittingly.
    It gets stealth installed on an extremely wide basis, being bundled with Grokster, and other P2P apps.

    If you didn't actually intend to install it, simply uninstall it through Add/Remove programs.

    And it's wise to have this one fixed:

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    It's routinely responsible for system slowdowns.
     
  6. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    Buckaroo. Thanks for the heads-up on MyWay. I'm no expert and it looked to be one of those unwanted BHOs.

    All I can find about knight.exe points me to games, but I know you already know that.
     
  7. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    I used to have MyWay as my homepage and nothing else installed with it. I didn't know the other aspects of MyWay that TK mentioned. Of course he's right on, if it installed behind your back, then by all means remove it.

    Thanks Tony!

    :)
     
  8. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
  9. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Thanks Tony. Nice to know there's no advertising or privacy issues with MyWay, but, need to be cautious anyway.
     
  10. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    Hi BillC

    Tony's the expert - not me

    In fact I checked Tony's list of BHO's for the status of myBar

    http://www.spywareinfo.com/bhos/

    Hi Tony - keep up the good work :D

    steam
     
  11. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Other, formerly reputable apps have recently gone the same way:

    The DogPile toolbar and Lycos SideSearch are now confirmed to get stealth installed, bundled with other software... :(

    NOT a good development, methinks...
     
  12. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    No, I agree.....glad there's folks out there like yourself and forums like this to keep the rest of us apprised of what's really going on out there.

    To second steam........keep up the good fight Tony. (y)
     
  13. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    Hey Tony, nice to see you drop in again. I haven't seen you here for awhile, but I notice you do stay busy on other forums.

    And Steamwiz... thanks for the link. I didn't know that BHOLiist.exe was even around until a few minutes ago. So that is how you guys look BHOs up sodarn fast!! What a GREAT tool. Thanks to Tony and the young fella Merjin in Holland.
     
  14. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hi Bill,

    Nice to see you too! :)
     
  15. lax30

    lax30 Thread Starter

    Joined:
    Sep 21, 2003
    Messages:
    44
    I appreciate all the help that you guys have given. The speed at which you gave was most generous as well.

    As far as the knight.exe file is concerned, I've never installed any type of games that had that executable. I just formatted this summer so I have a pretty good idea of what I've put on the comp.

    The other thing that is fishy about it is that it's path is e: and that would be my cd writer.

    Any thoughts?
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/166449

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice