Troj_StartPAG.AQ help to remove

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

BilleG

Thread Starter
Joined
Jun 10, 2004
Messages
12
Trend Micro House Call - Troj_StartPAG.AQ non cleanable found in /Winnt/Rundll32.exe
Configuration: Win2000 Professional SP4, IE6.0 SP1
Symtoms: Get message "Your current security settings prohibit running ActiveX on this page" for Windows Explorer and Control Panel (IExplorer is fine). Cannot Restart or Shutdown completely (goes through shut down process but hangs and never shuts down) but LogOff works.
Have HiJackThis, AdAware SE (originally showed Alexa) and SpyBot logs (shows error during check - Z-Demon plus German text) logs for each.

Please let me know the next steps.
Thanks in advance.

Bill
 
Joined
Jul 26, 2002
Messages
46,349
Hi BilleG

Welcome to TSG! :)

Please do this:

First create a permanent folder somewhere like in My Documents and name it Hijack This.

Now Click here to download Hijack This. Download it and click "Save". Save it to the Hijack This folder you just created.

Click on Hijackthis.exe to launch the program. Click on the Do a system scan and save a logfile button. It will scan and then ask you to save the log. Click "Save" to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

BilleG

Thread Starter
Joined
Jun 10, 2004
Messages
12
Logfile of HijackThis v1.99.0
Scan saved at 12:41:08 PM, on 1/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Elementis VPN Client\cvpnd.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\InoculateIT PE\InoRpc.exe
C:\Program Files\InoculateIT PE\InoRT.exe
C:\Program Files\InoculateIT PE\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\ZONELABS\minilog.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\TaskPlus\taskplus0.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\InoculateIT PE\realmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\StormTrack 3 Personal Weather Wizard\TrueWeather.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRA~1\WS_FTP~1\wsbho2k0.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [TaskPlus] C:\Program Files\TaskPlus\taskplus0.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\InoculateIT PE\realmon.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CaptureBat] C:\Program Files\!Quick Screen Capture\capture.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Grabber2k] C:\Program Files\Grabber2k\grabber2k.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: StormTrack 3 Personal Weather Wizard.lnk = C:\Program Files\StormTrack 3 Personal Weather Wizard\TrueWeather.exe
O4 - Global Startup: Elementis Holdings Ltd Elementis VPN Client.lnk = C:\Program Files\Elementis VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {10000000-1000-1234-1000-000000000000} - ms-its:mhtml:file://C:\foo.mhtml!http://www.xpehbam.biz/test/ii.chm::/ex.exe
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1677a02020ba362c7f20/netzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipview.com/fvlite/fvliteY.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94908617-0D0A-470E-977F-7BAB6920D184} (CustomToolbar.Setup) - http://www.infocrawler.com/toolbar/Customtoolbar.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thewercssupport.webex.com/client/latest/support/ieatgpc.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
O21 - SSODL: systemp - {DE42D092-C3A7-4953-B99F-AE9891E3D840} - systemp.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Elementis VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Ipswitch WS_FTP Queue - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: eTrust InoculateIT RPC Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoTask.exe
O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\minilog.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: O&O Defrag 2000 - O&O Software GmbH - C:\WINNT\SYSTEM32\OOD2000.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
 
Joined
Jul 26, 2002
Messages
46,349
Download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download

This is a Trial version so you will have to do the update manually.
The automatic update only works with the registered version which costs $49.

Update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update

Under the "Manual Update" right click on the radius.td3 file and choose "Save target as".
Then in the "Save in" box browse to the C:\Program Files\TDS3 folder
(provided that is the location of your TDS-3 directory)and save it there.
A prompt will appear telling you that there is already a radius.td3 file there "do you want to overwrite it" click Yes.

Run the "full System scan" , preferably in safe mode.

Note: Temporarily disable your Antivirus program.
Launch TDS-3 and click on "System Testing" then "Full System Scan" and the scan will begin.

TDS-3 does not automatically remove infected files that it finds. It will display what it has found in the lower portion of the main window and it will either say "Positive Identification etc...." or "Suspicious File". Anything with a positive identification you should right click and delete. Don't do anything with the suspicious ones yet. Right click on any suspicious entry found and choose "Save as Text" then go to the TDS-3 folder (usually C:\Program Files\TDS) and look for a scandump.txt file. Open the scandump.txt file and copy and paste it's contents here. Once we see the scandump file we can determine what to do with the suspicious ones. Many times the suspicious files are harmless.
 

BilleG

Thread Starter
Joined
Jun 10, 2004
Messages
12
Scan Control Dumped @ 13:50:05 02-02-05
File Trace: Default trojan filename: Suspicious
File: C:\WINNT\mstasks1.exe

(DELETED) Positive identification (DLL): Adware.WebEx (dll)
File: c:\program files\webex\ieatgpc.dll

Suspicious Filename: Dual extensions
File: c:\allwercsconversionsetc\software\mpeg\apicviewer5.5.9.exe


NOTES:
1. After DELETE - attempted to restart the PC but it would not - have to
power down
2. Windows Explorer gets ActiveX error as described above in this thread
3. Ran SpyBot - in the Problem Window:
Error during check!
Z-Demon (Ungultiger Datentyp fur ") <= In German ?
4. TrendMicro HouseCall did not find Troj StartPAG.AQ
5. System is sluggish - will run HJT log and another TDS3 tonight.
 

BilleG

Thread Starter
Joined
Jun 10, 2004
Messages
12
HJT - Log 02/04/2005 - Please respond

Logfile of HijackThis v1.99.0
Scan saved at 10:55:00 AM, on 2/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Elementis VPN Client\cvpnd.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\InoculateIT PE\InoRpc.exe
C:\Program Files\InoculateIT PE\InoRT.exe
C:\Program Files\InoculateIT PE\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\SYSTEM32\ZONELABS\minilog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\TaskPlus\taskplus0.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\InoculateIT PE\realmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\StormTrack 3 Personal Weather Wizard\TrueWeather.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\2xExplorer\2xExplorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Microsoft Visual Studio\VB98\vb6.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRA~1\WS_FTP~1\wsbho2k0.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [TaskPlus] C:\Program Files\TaskPlus\taskplus0.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\InoculateIT PE\realmon.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CaptureBat] C:\Program Files\!Quick Screen Capture\capture.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Grabber2k] C:\Program Files\Grabber2k\grabber2k.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: StormTrack 3 Personal Weather Wizard.lnk = C:\Program Files\StormTrack 3 Personal Weather Wizard\TrueWeather.exe
O4 - Global Startup: Elementis Holdings Ltd Elementis VPN Client.lnk = C:\Program Files\Elementis VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {10000000-1000-1234-1000-000000000000} - ms-its:mhtml:file://C:\foo.mhtml!http://www.xpehbam.biz/test/ii.chm::/ex.exe
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1677a02020ba362c7f20/netzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipview.com/fvlite/fvliteY.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94908617-0D0A-470E-977F-7BAB6920D184} (CustomToolbar.Setup) - http://www.infocrawler.com/toolbar/Customtoolbar.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thewercssupport.webex.com/client/latest/support/ieatgpc.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
O21 - SSODL: systemp - {DE42D092-C3A7-4953-B99F-AE9891E3D840} - systemp.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Elementis VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Ipswitch WS_FTP Queue - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: eTrust InoculateIT RPC Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoTask.exe
O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\minilog.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: O&O Defrag 2000 - O&O Software GmbH - C:\WINNT\SYSTEM32\OOD2000.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
 
Joined
Jul 26, 2002
Messages
46,349
First please navigate to the C:\WINNT\system32 folder and locate the fltmgr.dll file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the System32 folder. Attach a copy of that zipped folder and send it to me here. Please include a link to this thread so I'll remember where it came from.


Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O16 - DPF: {10000000-1000-1234-1000-000000000000} - ms-its:mhtml:file://C:\foo.mhtml!http://www.xpehbam.biz/test/ii.chm::/ex.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1677a02020ba36...tzip/RdxIE2.cab

O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab

O21 - SSODL: systemp - {DE42D092-C3A7-4953-B99F-AE9891E3D840} - systemp.dll (file missing)


Restart your computer.


Download DelDomains.inf from here:

http://www.mvps.org/winhelp2002/DelDomains.inf

Rightclick DelDomains.inf and choose install.

Reboot and post another log please.
 

BilleG

Thread Starter
Joined
Jun 10, 2004
Messages
12
NOTES:
Shut down does not work
Saving Settings ... Windows is shutting down ... blank blue screen ... wait indefinetly ... must power off and back on ... boots up fine (does not do a check disk).
Windows explorer / Control Panel ... ActiveX error when attemtping to open folders.
System is sluggish.

HJT Log 02/06/2005:

Logfile of HijackThis v1.99.0
Scan saved at 10:17:59 AM, on 2/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Elementis VPN Client\cvpnd.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\InoculateIT PE\InoRpc.exe
C:\Program Files\InoculateIT PE\InoRT.exe
C:\Program Files\InoculateIT PE\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\ZONELABS\minilog.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\TaskPlus\taskplus0.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\InoculateIT PE\realmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\StormTrack 3 Personal Weather Wizard\TrueWeather.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRA~1\WS_FTP~1\wsbho2k0.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [TaskPlus] C:\Program Files\TaskPlus\taskplus0.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\InoculateIT PE\realmon.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CaptureBat] C:\Program Files\!Quick Screen Capture\capture.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Grabber2k] C:\Program Files\Grabber2k\grabber2k.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: StormTrack 3 Personal Weather Wizard.lnk = C:\Program Files\StormTrack 3 Personal Weather Wizard\TrueWeather.exe
O4 - Global Startup: Elementis Holdings Ltd Elementis VPN Client.lnk = C:\Program Files\Elementis VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipview.com/fvlite/fvliteY.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94908617-0D0A-470E-977F-7BAB6920D184} (CustomToolbar.Setup) - http://www.infocrawler.com/toolbar/Customtoolbar.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thewercssupport.webex.com/client/latest/support/ieatgpc.cab
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Elementis VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Ipswitch WS_FTP Queue - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: eTrust InoculateIT RPC Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoTask.exe
O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\minilog.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: O&O Defrag 2000 - O&O Software GmbH - C:\WINNT\SYSTEM32\OOD2000.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
 
Joined
Jul 26, 2002
Messages
46,349
Click here to download LspFix

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of fltmgr.dll (and nothing else) , and move them to the "Remove" pane.
Then click Finish.

The following that I am having you remove with Hijack This are not malware, but they do not need to run at startup.


Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup

O4 - HKCU\..\Run: [Grabber2k] C:\Program Files\Grabber2k\grabber2k.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"

Now find and delete the c:\winnt\system32\fltmgr.dll file.

Also in safe mode navigate to the C:\WINNT\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin


Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.
 

BilleG

Thread Starter
Joined
Jun 10, 2004
Messages
12
NOTES:
Shut down does not work
Saving Settings ... Windows is shutting down ... blank blue screen ... wait indefinetly ... must power off and back on ... boots up fine (does not do a check disk).
My Computer / Windows explorer / Control Panel ... ActiveX error when attemtping to open folders.
SafeMode: My Computer / Windows explorer / Control Panel worked fine.
System response is much better.

Scans: no errors found with Trend Micro - HouseCall or Symatec - Online Scan

HJT Log 02/07/2005:

Logfile of HijackThis v1.99.0
Scan saved at 4:48:58 PM, on 2/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Elementis VPN Client\cvpnd.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\InoculateIT PE\InoRpc.exe
C:\Program Files\InoculateIT PE\InoRT.exe
C:\Program Files\InoculateIT PE\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\ZONELABS\minilog.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\TaskPlus\taskplus0.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\InoculateIT PE\realmon.exe
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\StormTrack 3 Personal Weather Wizard\TrueWeather.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\2xExplorer\2xExplorer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRA~1\WS_FTP~1\wsbho2k0.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [TaskPlus] C:\Program Files\TaskPlus\taskplus0.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\InoculateIT PE\realmon.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CaptureBat] C:\Program Files\!Quick Screen Capture\capture.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: StormTrack 3 Personal Weather Wizard.lnk = C:\Program Files\StormTrack 3 Personal Weather Wizard\TrueWeather.exe
O4 - Global Startup: Elementis Holdings Ltd Elementis VPN Client.lnk = C:\Program Files\Elementis VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipview.com/fvlite/fvliteY.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {94908617-0D0A-470E-977F-7BAB6920D184} (CustomToolbar.Setup) - http://www.infocrawler.com/toolbar/Customtoolbar.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thewercssupport.webex.com/client/latest/support/ieatgpc.cab
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Elementis VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Ipswitch WS_FTP Queue - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: eTrust InoculateIT RPC Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server - Computer Associates International, Inc. - C:\Program Files\InoculateIT PE\InoTask.exe
O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\minilog.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: O&O Defrag 2000 - O&O Software GmbH - C:\WINNT\SYSTEM32\OOD2000.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
 

BilleG

Thread Starter
Joined
Jun 10, 2004
Messages
12
Did you receive the eMail with the ActiveX error ?
Sent to your hotmail account yesterday afternoon.
 
Joined
Jul 26, 2002
Messages
46,349
Open Spybot and click on Tools then System startup. Uncheck everything in there except these:

HKLM\..\Run: [Realtime Monitor] "C:\Program Files\InoculateIT PE\realmon.exe"

HKLM\..\Run: [LoadQM] loadqm.exe

HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe


Restart your computer and see how it runs then.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Top