
task manager and some program popup and leave

Discussion in 'Windows XP' started by colazel, Sep 9, 2004.

Thread Status:
Not open for further replies.
  1. colazel

    colazel Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    2
    I try to open Task Manager, then it pops up for 1-2 seconds and disappears. It does this too with HijackThis, Windows Security Update and AVG.

    I don't know what happened.

    Also I ran Spybot, Ad-Aware and HijackThis in safe mode and it didn't solve the trouble. I also ran stinger.exe; it found a couple of viruses and deleted them.

    I need your help, thanks.

    Here's the result of HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 20:43:30, on 2004-09-09
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\winserv32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Pierre-Luc\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {32FE3D71-961B-5FED-D000-655504D82031} - C:\WINDOWS\System32\xsygnco.dll
    O2 - BHO: (no name) - {35AA6C72-C11A-51B2-8300-655504D82030} - C:\WINDOWS\System32\glna.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [XML Service] msxml32.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [NTFS16] ntfs16.exe
    O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe
    O4 - HKLM\..\Run: [update service] winu32.exe
    O4 - HKLM\..\Run: [DLL Manager] dllmngr32.exe
    O4 - HKLM\..\Run: [Windows backup] systems.exe
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
    O4 - HKLM\..\Run: [Windows secure] setver32.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe
    O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
    O4 - HKLM\..\RunServices: [XML Service] msxml32.exe
    O4 - HKLM\..\RunServices: [NTFS16] ntfs16.exe
    O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe
    O4 - HKLM\..\RunServices: [update service] winu32.exe
    O4 - HKLM\..\RunServices: [DLL Manager] dllmngr32.exe
    O4 - HKLM\..\RunServices: [Windows backup] systems.exe
    O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
    O4 - HKLM\..\RunServices: [Windows secure] setver32.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
    O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NTFS16] ntfs16.exe
    O4 - HKCU\..\Run: [DLL Manager] dllmngr32.exe
    O4 - HKCU\..\Run: [Sdsa] C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe
    O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
    O4 - HKCU\..\Run: [Windows secure] setver32.exe
    O4 - HKCU\..\Run: [Win32 USB2 Driver] syscfg32.exe
    O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
    O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
    O4 - HKLM\..\RunOnce: [Win32 Configuration] videosd32.exe
    O4 - HKLM\..\RunOnce: [Windows secure] setver32.exe
    O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] syscfg32.exe
    O4 - HKCU\..\RunOnce: [Win32 Configuration] videosd32.exe
    O4 - HKCU\..\RunOnce: [Windows secure] setver32.exe
    O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] syscfg32.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
    O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...e156e63bb092:179ade1cd5bc3312ba88ba9ab77a33c7
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094726868671
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91B09010-32FE-486D-A4A7-D83099889B9F}: NameServer = 204.101.251.1,204.101.251.2
     
  2. rtty

    rtty

    Joined:
    May 11, 2003
    Messages:
    294
    Hi colazel,

    A new version of HijackThis has been released, so get rid of the old one and click here to download the new one; then come back here and post the log from it.
     
  3. colazel

    colazel Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    2
    I ran Kaspersky Antivirus and it deleted some trojans and backdoors.
    I don't have the system process popup disappearing anymore. It's solved. Here's my new HijackThis log; if you see something bad, tell me.

    thanks

    Logfile of HijackThis v1.98.2
    Scan saved at 22:42:45, on 2004-09-09
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\winserv32.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\Documents and Settings\Pierre-Luc\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {32FE3D71-961B-5FED-D000-655504D82031} - C:\WINDOWS\System32\xsygnco.dll (file missing)
    O2 - BHO: (no name) - {35AA6C72-C11A-51B2-8300-655504D82030} - C:\WINDOWS\System32\glna.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [XML Service] msxml32.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [NTFS16] ntfs16.exe
    O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe
    O4 - HKLM\..\Run: [update service] winu32.exe
    O4 - HKLM\..\Run: [DLL Manager] dllmngr32.exe
    O4 - HKLM\..\Run: [Windows backup] systems.exe
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
    O4 - HKLM\..\Run: [Windows secure] setver32.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe
    O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
    O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - HKLM\..\RunServices: [XML Service] msxml32.exe
    O4 - HKLM\..\RunServices: [NTFS16] ntfs16.exe
    O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe
    O4 - HKLM\..\RunServices: [update service] winu32.exe
    O4 - HKLM\..\RunServices: [DLL Manager] dllmngr32.exe
    O4 - HKLM\..\RunServices: [Windows backup] systems.exe
    O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
    O4 - HKLM\..\RunServices: [Windows secure] setver32.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
    O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NTFS16] ntfs16.exe
    O4 - HKCU\..\Run: [DLL Manager] dllmngr32.exe
    O4 - HKCU\..\Run: [Sdsa] C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe
    O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
    O4 - HKCU\..\Run: [Windows secure] setver32.exe
    O4 - HKCU\..\Run: [Win32 USB2 Driver] syscfg32.exe
    O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
    O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
    O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...e156e63bb092:179ade1cd5bc3312ba88ba9ab77a33c7
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094726868671
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3E45B66B-E889-4FB3-B55B-E0A2F617E24E}: NameServer = 206.47.244.133 206.47.244.87
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91B09010-32FE-486D-A4A7-D83099889B9F}: NameServer = 204.101.251.1,204.101.251.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3E45B66B-E889-4FB3-B55B-E0A2F617E24E}: NameServer = 206.47.244.133 206.47.244.87
     
  4. rtty

    rtty

    Joined:
    May 11, 2003
    Messages:
    294
    First go to add/remove programs and uninstall Winad Client if it's there.

    Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode or with browser closed.


    Run HijackThis again and put a check by these. Close all windows except HijackThis and click Fix checked.

    O2 - BHO: (no name) - {32FE3D71-961B-5FED-D000-655504D82031} - C:\WINDOWS\System32\xsygnco.dll (file missing)

    O2 - BHO: (no name) - {35AA6C72-C11A-51B2-8300-655504D82030} - C:\WINDOWS\System32\glna.dll (file missing)

    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll

    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O4 - HKLM\..\Run: [XML Service] msxml32.exe

    O4 - HKLM\..\Run: [NTFS16] ntfs16.exe

    O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe

    O4 - HKLM\..\Run: [update service] winu32.exe

    O4 - HKLM\..\Run: [DLL Manager] dllmngr32.exe

    O4 - HKLM\..\Run: [Windows backup] systems.exe

    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe

    O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe

    O4 - HKLM\..\Run: [Windows secure] setver32.exe

    O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe

    O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe

    O4 - HKLM\..\RunServices: [XML Service] msxml32.exe

    O4 - HKLM\..\RunServices: [NTFS16] ntfs16.exe

    O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe

    O4 - HKLM\..\RunServices: [update service] winu32.exe

    O4 - HKLM\..\RunServices: [DLL Manager] dllmngr32.exe

    O4 - HKLM\..\RunServices: [Windows backup] systems.exe

    O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe

    O4 - HKLM\..\RunServices: [Windows secure] setver32.exe

    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe

    O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe

    O4 - HKCU\..\Run: [NTFS16] ntfs16.exe

    O4 - HKCU\..\Run: [DLL Manager] dllmngr32.exe

    O4 - HKCU\..\Run: [Sdsa] C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe

    O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe

    O4 - HKCU\..\Run: [Windows secure] setver32.exe

    O4 - HKCU\..\Run: [Win32 USB2 Driver] syscfg32.exe

    O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe

    O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe

    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8ba9ab77a33c7


    Restart to safe mode.

    How to start your computer in safe mode

    First, in safe mode, click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply", then "OK".

    Find and delete:

    The C:\Program Files\Winad Client folder
    The C:\WINDOWS\System32\winserv32.exe file
    The C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe file

    Next navigate to the C:\Documents and Settings\Pierre-Luc\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


    Empty the Recycle Bin

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    When you are sure you are clean, turn it back on and create a restore point.
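The fix list rtty posted above applies a few rules of thumb to the O4 lines of the log: entries that launch a bare filename with no path (msxml32.exe, ntfs16.exe, mswinc.exe and so on), the same command registered under several Run/RunServices/RunOnce keys, and an executable living in the user's Application Data folder (ltlt.exe). As an added example, not part of this thread and not HijackThis code, here is a small Python parser that pulls the O4 entries out of a log excerpt and flags them by those three heuristics; the `O4Entry` type, the `parse_o4`/`flag_suspicious` names and the heuristics themselves are my own choices, and a rundll32 line that names its DLL by full path (NvCplDaemon) is deliberately left unflagged.

```python
import re
from collections import namedtuple

# One HijackThis O4 line looks like:  O4 - HKLM\..\Run: [XML Service] msxml32.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4Entry = namedtuple("O4Entry", "hive key name cmd")  # hive HKLM/HKCU, key Run/RunServices/RunOnce

def parse_o4(log_text):
    """Return the O4 (registry autostart) entries found in a HijackThis log; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(O4Entry(**m.groupdict()))
    return entries

def flag_suspicious(entries):
    """Heuristics (mine, modelled on the fix list in this thread):
    (1) command contains no path at all, so the log cannot show where the file lives;
    (2) the same command is registered under several Run/RunServices/RunOnce keys;
    (3) the executable is started from the user's Application Data folder."""
    keys_by_cmd = {}
    for e in entries:
        keys_by_cmd.setdefault(e.cmd, set()).add((e.hive, e.key))
    flagged = []
    for e in entries:
        reasons = []
        if "\\" not in e.cmd:
            reasons.append("no path")
        if len(keys_by_cmd[e.cmd]) > 1:
            reasons.append("registered in %d autostart keys" % len(keys_by_cmd[e.cmd]))
        if "\\application data\\" in e.cmd.lower():
            reasons.append("runs from user profile")
        if reasons:
            flagged.append((e, reasons))
    return flagged

# Sample input: an excerpt of the first log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XML Service] msxml32.exe
O4 - HKLM\..\RunServices: [XML Service] msxml32.exe
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sdsa] C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe
O2 - BHO: (no name) - {35AA6C72-C11A-51B2-8300-655504D82030} - C:\WINDOWS\System32\glna.dll
"""

if __name__ == "__main__":
    for entry, reasons in flag_suspicious(parse_o4(SAMPLE_LOG)):
        print(f"{entry.hive}\\{entry.key} [{entry.name}] {entry.cmd}: {'; '.join(reasons)}")
```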
     
Short URL to this thread: https://techguy.org/272244