1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Startup/File Problems

Discussion in 'Windows XP' started by dtrulez, Oct 27, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. dtrulez

    dtrulez Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    193
    I was browsin the net and came across one of those free-software sites, I clicked it and well right after like tons of downloads and stuff tried to start I immediatly X-ed out everything but I fear things were downloaded. I did a search on my pc over everything that was created that day. I managed to delete some .exe files that were created that I wasn't sure about. But now im down to this file called Winnet.exe and Comwiz.exe. I dunno what it is but I tried to delete it. But it wont cause its being ran. So I tried starting in diagnostic mode and well it still loaded even after I unclicked it! I have no clue how to get rid of it normally I wont start up in Dos but now with XP I don't have that option. Any clues?
     
  2. kiwiguy

    kiwiguy

    Joined:
    Aug 17, 2003
    Messages:
    17,584
    Download and run Spybot Search and Destroy.
    Look for it on Google, to find a suitable download site.

    If that does not remove the nasty piece of code, post back.
     
  3. KeithKman

    KeithKman

    Joined:
    Dec 28, 2002
    Messages:
    1,983
    Do this in order:

    1) Open Internet Explorer -> Tools -> Internet Options -> delete cookies, delete files (select off-line content), clear history. Then click ok and exit Internet Explorer.


    2) Read http://tomcoyote.org/SPYBOT/index1.html then download and run SpyBot. Make sure to get the updates for SpyBot before you have it scan your computer. After you scan and remove anything SpyBot finds, make sure to click the Immunize button followed by OK and then click the Immunize button in the right pane.


    3) Run one of the following free Anti-Virus programs here:

    http://housecall.trendmicro.com - I found this to work the best.

    http://www.pandasoftware.com/activescan

    http://www.ravantivirus.com/scan


    4) Read http://www.tomcoyote.org/hjt/ then download and install HiJackThis. Open up HiJackThis and click "Scan". After you do so, click "Save Log" and save it to your desktop. Exit HiJackThis and open the log you created on your desktop and copy everything in the log and post it here.
     
  4. dtrulez

    dtrulez Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    193
    Hey thanks for the help guys, so far I did what ya said and it looks like its working I had to reboot in diagnostic mode to get some of the software removed using spybot but I think I was in bad shape it removed 200+ items. Now im running the antivirus keith gave me and so far its found one virus, its sad cause I managed to stay uptodate with norton til the subscription expired. Thanks alot im hoping that when this is all done maybe my computer will run at a normal speed cause I noticed a considerable slow down since I first bought it, I think that this could be the cause.
     
  5. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    As long as you are in the mood to do a thorough cleaning ...

    You might wish to download Ad-Aware 6 and have it do a thorough cleaning of any unwanted files .

    Go here for the free Ad-Aware 6 Personal Build 181: http://www.lavasoft.de/support/download/

    Launch the program ... on the start-up screen, you will need to first run the Webupdate Feature (globe at the top), or click "check for updates" to get the Reference File up to date.

    Please use the Custom Scan with Memory and Both registry scans ON. Also.... make sure that you activate IN-DEPTH scanning before you proceed.

    Then see that you have these options checked:
    Under Ad-Aware 6 Settings, Tweaks, Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-Aware 6 Settings, Tweaks, Cleaning Engine:
    "Let Windows remove files in use after reboot."

    Next ...

    Run Ad-Aware 6.
    Mark the objects you wish to eliminate for removal. There are many options available with a right-click.
    Make a Quarantine only if you do not have the Auto-Quarantine option ON.
    Then choose "Next" to remove the chosen objects.
    Finally ... Reboot

    Please read http://forums.techguy.org/t164245/s.html for further instructions, settings , etc.

    Then, please post a fresh HJT log to see if any orphans remained behind ...

    Once you are cleaned up, you might want to visit http://www.wilderssecurity.net/index.html and download the following:

    SpywareBlaster v2.6.1
    SpywareGuard v2.2

    These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

    Lastly, consider installing IE-SPYAD, a registry file that adds a long list of known crapware to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
     
  6. dtrulez

    dtrulez Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    193
    Logfile of HijackThis v1.97.3
    Scan saved at 6:31:10 PM, on 10/27/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HideFilesAndFoldersA.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Kazaa Lite\kazaalite.kpp
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Desktop Lock\DeskLock.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\America Online 8.0a\aol.exe
    C:\Program Files\America Online 8.0a\waol.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://public.searchbarcash.com/homepages_manager.php?origin=homepage&software_id=0001
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jf1yqrxs.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4D959BC5-CF42-D383-2F14-D3EF84BEFBF0} - C:\WINDOWS\system32\ivlysdua.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [redirect] C:\WINDOWS\system32\redirect4.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DesktopLock] C:\Program Files\Desktop Lock\DeskLock.exe -B
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O8 - Extra context menu item: Free Software - C:\Program Files\TextTally\hh.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail09a.shu.edu/iNotes.cab
    O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://members.aol.com/_ht_a/babe4525/webcam.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4353653F-971A-4C82-98B2-ED3C6235549A}: NameServer = 205.188.196.4
     
  7. dtrulez

    dtrulez Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    193
    You guys are really incredible thanks Winchester im doing your Ad aware program now. The above was from HisJackThis.
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/175069

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice