task manager and some program popup and leave

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

colazel

Thread Starter
Joined
Sep 9, 2004
Messages
2
I try to open Task Manager, then it pops up for 1-2 seconds and then disappears. It does this too with HijackThis, Windows security update and AVG.

I don't know what happened.

Also, I ran Spybot, Ad-Aware and HijackThis in safe mode and it didn't solve the trouble. I also ran stinger.exe; it found a couple of viruses and then deleted them.

I need your help, thanks.

Here's the result of HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 20:43:30, on 2004-09-09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\winserv32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Pierre-Luc\Desktop\HijackThis.exe

O2 - BHO: (no name) - {32FE3D71-961B-5FED-D000-655504D82031} - C:\WINDOWS\System32\xsygnco.dll
O2 - BHO: (no name) - {35AA6C72-C11A-51B2-8300-655504D82030} - C:\WINDOWS\System32\glna.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XML Service] msxml32.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NTFS16] ntfs16.exe
O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\Run: [update service] winu32.exe
O4 - HKLM\..\Run: [DLL Manager] dllmngr32.exe
O4 - HKLM\..\Run: [Windows backup] systems.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Windows secure] setver32.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKLM\..\RunServices: [XML Service] msxml32.exe
O4 - HKLM\..\RunServices: [NTFS16] ntfs16.exe
O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\RunServices: [update service] winu32.exe
O4 - HKLM\..\RunServices: [DLL Manager] dllmngr32.exe
O4 - HKLM\..\RunServices: [Windows backup] systems.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunServices: [Windows secure] setver32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NTFS16] ntfs16.exe
O4 - HKCU\..\Run: [DLL Manager] dllmngr32.exe
O4 - HKCU\..\Run: [Sdsa] C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [Windows secure] setver32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] syscfg32.exe
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKLM\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunOnce: [Windows secure] setver32.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] syscfg32.exe
O4 - HKCU\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\RunOnce: [Windows secure] setver32.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] syscfg32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...e156e63bb092:179ade1cd5bc3312ba88ba9ab77a33c7
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094726868671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{91B09010-32FE-486D-A4A7-D83099889B9F}: NameServer = 204.101.251.1,204.101.251.2
 
Joined
May 11, 2003
Messages
294
Hi colazel,

A new version of Hijack This has been released, so get rid of the old one and click here to download the new one, then come back here and post the log from it.
 

colazel

Thread Starter
Joined
Sep 9, 2004
Messages
2
I ran Kaspersky antivirus and it deleted some trojans and backdoors.
I don't have the system process popups disappearing anymore. It's solved. Here's my new HijackThis log; if you see something bad, tell me.

Thanks

Logfile of HijackThis v1.98.2
Scan saved at 22:42:45, on 2004-09-09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\winserv32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Documents and Settings\Pierre-Luc\Desktop\HijackThis.exe

O2 - BHO: (no name) - {32FE3D71-961B-5FED-D000-655504D82031} - C:\WINDOWS\System32\xsygnco.dll (file missing)
O2 - BHO: (no name) - {35AA6C72-C11A-51B2-8300-655504D82030} - C:\WINDOWS\System32\glna.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XML Service] msxml32.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NTFS16] ntfs16.exe
O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\Run: [update service] winu32.exe
O4 - HKLM\..\Run: [DLL Manager] dllmngr32.exe
O4 - HKLM\..\Run: [Windows backup] systems.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Windows secure] setver32.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\RunServices: [XML Service] msxml32.exe
O4 - HKLM\..\RunServices: [NTFS16] ntfs16.exe
O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\RunServices: [update service] winu32.exe
O4 - HKLM\..\RunServices: [DLL Manager] dllmngr32.exe
O4 - HKLM\..\RunServices: [Windows backup] systems.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunServices: [Windows secure] setver32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NTFS16] ntfs16.exe
O4 - HKCU\..\Run: [DLL Manager] dllmngr32.exe
O4 - HKCU\..\Run: [Sdsa] C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [Windows secure] setver32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] syscfg32.exe
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...e156e63bb092:179ade1cd5bc3312ba88ba9ab77a33c7
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094726868671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E45B66B-E889-4FB3-B55B-E0A2F617E24E}: NameServer = 206.47.244.133 206.47.244.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{91B09010-32FE-486D-A4A7-D83099889B9F}: NameServer = 204.101.251.1,204.101.251.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E45B66B-E889-4FB3-B55B-E0A2F617E24E}: NameServer = 206.47.244.133 206.47.244.87
 
Joined
May 11, 2003
Messages
294
First go to add/remove programs and uninstall Winad Client if it's there.

Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode or with browser closed.


Run Hijack This again and put a check by these. Close all windows except Hijack This and click Fix checked.

O2 - BHO: (no name) - {32FE3D71-961B-5FED-D000-655504D82031} - C:\WINDOWS\System32\xsygnco.dll (file missing)

O2 - BHO: (no name) - {35AA6C72-C11A-51B2-8300-655504D82030} - C:\WINDOWS\System32\glna.dll (file missing)

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll

O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

O4 - HKLM\..\Run: [XML Service] msxml32.exe

O4 - HKLM\..\Run: [NTFS16] ntfs16.exe

O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe

O4 - HKLM\..\Run: [update service] winu32.exe

O4 - HKLM\..\Run: [DLL Manager] dllmngr32.exe

O4 - HKLM\..\Run: [Windows backup] systems.exe

O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe

O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe

O4 - HKLM\..\Run: [Windows secure] setver32.exe

O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe

O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe

O4 - HKLM\..\RunServices: [XML Service] msxml32.exe

O4 - HKLM\..\RunServices: [NTFS16] ntfs16.exe

O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe

O4 - HKLM\..\RunServices: [update service] winu32.exe

O4 - HKLM\..\RunServices: [DLL Manager] dllmngr32.exe

O4 - HKLM\..\RunServices: [Windows backup] systems.exe

O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe

O4 - HKLM\..\RunServices: [Windows secure] setver32.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe

O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe

O4 - HKCU\..\Run: [NTFS16] ntfs16.exe

O4 - HKCU\..\Run: [DLL Manager] dllmngr32.exe

O4 - HKCU\..\Run: [Sdsa] C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe

O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe

O4 - HKCU\..\Run: [Windows secure] setver32.exe

O4 - HKCU\..\Run: [Win32 USB2 Driver] syscfg32.exe

O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe

O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe

O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8ba9ab77a33c7


Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Find and delete:

The C:\Program Files\Winad Client folder
The C:\WINDOWS\System32\winserv32.exe file
The C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe file

Next navigate to the C:\Documents and Settings\Pierre-Luc\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


Empty the Recycle Bin

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.
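An added example, not part of the original thread: a triage pass over HijackThis O4 (autorun) lines that reports commands given as a bare file name with no path, together with every autorun key that launches them. The heuristic is an assumption of this example, not the helper's stated method; the sample lines are excerpted from the second log above, and entries with full paths (such as Winad.exe and ltlt.exe) still need separate review.

```python
import re
from collections import defaultdict

# Excerpt of O4 lines taken from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XML Service] msxml32.exe
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKLM\..\RunServices: [XML Service] msxml32.exe
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [Sdsa] C:\Documents and Settings\Pierre-Luc\Application Data\ltlt.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")


def parse_o4(log_text):
    """Yield (hive, key, value_name, command) for each O4 registry autorun line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.groups()


def is_bare_executable(command):
    """True when the command is a lone .exe name: no directory, no arguments."""
    cmd = command.strip().strip('"')
    return "\\" not in cmd and " " not in cmd and cmd.lower().endswith(".exe")


def triage(log_text):
    """Map each bare executable name to the sorted autorun keys that start it."""
    hits = defaultdict(set)
    for hive, key, _name, command in parse_o4(log_text):
        if is_bare_executable(command):
            hits[command.strip().lower()].add(f"{hive}\\{key}")
    return {exe: sorted(keys) for exe, keys in hits.items()}


if __name__ == "__main__":
    # Entries registered under the most keys are listed first.
    for exe, keys in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -len(kv[1])):
        print(f"{exe:15} {len(keys)} autorun keys: {', '.join(keys)}")
```
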
 