Something Seriously Wrong! Please help!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

sinsug

Thread Starter
Joined
Sep 21, 2003
Messages
63
Ok, I have Windows XP, and I noticed something earlier today that was weird. My homepage on IE changed and was made to where I could not change it back, the buttons were greyed out. I also noticed that supposedly an MSN Messenger program was running even though I hadn't signed on. I blocked it with ZoneAlarm but it keeps trying to connect anyway. And no matter how hard I try, I cannot download any virus updates for Norton, or any antivirus programs for that matter. I sometimes use Trend's Housecall, but I can't get that to work either. Somehow I was able to download F-Prot Antivirus and it found a file
C:\WINDOWS\System32\mset_bbi8010.exe and it was deleted but I am still having the same problems so I don't know if that was it. I can't download any virus programs, so if that is what it is, I think I am screwed. Can anyone help me?
 
Joined
Jul 26, 2002
Messages
46,331
sinsug

Please do this. Go here http://www.tomcoyote.org/hjt/ and download Hijack This. Unzip it and click on the Hijackthis.exe.

Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

Do NOT have Hijack This fix anything yet. Most of what it finds will be harmless. Someone here will be glad to advise you on what to fix.
 

sinsug

Thread Starter
Joined
Sep 21, 2003
Messages
63
Here are my Hijack This results... Also, is it strange that even though I have MSN Messenger disabled at startup and haven't even opened it after turning on my computer, that it still starts up? I mean, it doesn't show it down on the system tray, but it's in my running processes. And no matter what I do, I cannot delete it out of Windows Explorer and it's not in my add/remove program list. Thanks for any help.

Logfile of HijackThis v1.97.2
Scan saved at 11:52:37 AM, on 9/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\ICRAfilter\data\ICRASrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jackie Villarreal\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [myNetWatchman] C:\Program Files\myNetWatchman\NWClient.exe
O4 - HKLM\..\Run: [SpyStopper] C:\Program Files\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37648.5913888889
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v49/swapit/swapit.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_1.cab
 
Joined
Jul 26, 2002
Messages
46,331
sinsug

That log is clean.

The only thing in the log that is questionable is AWS Weatherbug.

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

Which is adware. I will leave it up to you as to whether to keep it or not.


As far as the home page being locked (greyed), that is because this has been restricted by Spybot's Immunize feature. If you wish to change it, open Spybot in Advanced Mode and click on the "Spybot S&D" tab in the right hand column and under that click on "Immunize". Look at the bottom of the Immunize window and uncheck "Lock IE start page against user changes {current user}".

Here is a little checklist to use to help disable MSN Messenger:

1. Go to Messenger/Tools/Options and uncheck "Run this program when Windows starts" on the Preferences tab.
2. In Outlook Express, Tools/Options/General tab and uncheck the option to automatically log on, if it's there.
3. Also in Outlook Express, View/Layout and uncheck the option to display Contacts. The program will open a connection and display a list of all Contacts on line if you do not.
4. Startup Folder. Make sure no entry there for Messenger.
5. Go to Start/Run, and type Msconfig. On the Startup tab, uncheck any option for it.
6. If you are using NAV 2003, disable Instant Messenger monitoring.


This little check list ought to work in dissociating MSN from Outlook Express, so that it'll only start up if you really want it to.

If it doesn't, here's a reg tweak that will do so on all operating systems, without actually uninstalling MSN, which may not be what you want:

http://www.winguides.com/registry/display.php/989 : Remove MSN Messenger from Outlook Express

If all else fails, shut down MSN Messenger, go to your Program Files\MSN Messenger directory, and rename Msgsc.dll to Msgsc.bak
 
Joined
Oct 9, 2001
Messages
9,396
Run HijackThis again and put a checkmark against these entries... double-check in case you miss anything... then, close all browser and Outlook windows and "fix checked".

Apart from this, I can see nothing that shouldn't be there.

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

re-boot and delete the C:\Program Files\AWS [folder]
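
The log triage done by hand in the replies above can be scripted. This is an added example, not part of any post in the thread: it parses HijackThis section lines, splits the O4 autostart entries into location, name and command, and pulls out O6 lines (IE settings restricted through the Policies key). The function names are hypothetical and the sample is a few lines copied from the log posted above.

```python
import re

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
"""

# Meaning of the section codes that occur in the thread's log.
SECTIONS = {
    "R0": "IE start/search page", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "autostart entry",
    "O6": "IE options restricted by policy", "O9": "extra IE button/menu item",
    "O12": "IE plugin", "O16": "downloaded ActiveX control",
}
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
RUN_KEY = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")
STARTUP = re.compile(r"^((?:Global )?Startup): (.+?) = (.*)$")

def parse_log(text):
    """Return (code, body) for each R*/O* line; the header and process list are skipped."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def autostarts(entries):
    """Split O4 lines into (location, name, command)."""
    found = []
    for code, body in entries:
        m = code == "O4" and (RUN_KEY.match(body) or STARTUP.match(body))
        if not m:
            continue
        g = m.groups()  # 4 groups for a Run key, 3 for a Startup folder shortcut
        location = g[0] + "\\" + g[1] if len(g) == 4 else g[0]
        found.append((location, g[-2], g[-1].strip('"')))
    return found

def policy_locks(entries):
    """O6 lines: IE settings locked through the Policies key (greyed-out options)."""
    return [body for code, body in entries if code == "O6"]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for code, body in entries:
        print(f"{code:>3} {SECTIONS.get(code, '?'):<32} {body}")
    print(autostarts(entries), policy_locks(entries))
```

Listing autostarts this way makes it easy to diff two logs taken before and after a cleanup and confirm that an entry such as `[Weather]` is actually gone.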
 