
Windows keeps launching media player

Discussion in 'Virus & Other Malware Removal' started by harrysk, May 30, 2005.

Thread Status:
Not open for further replies.
  1. harrysk

    harrysk Thread Starter

    Joined:
    May 30, 2005
    Messages:
    7
    Hi, can somebody please help me. I started my computer yesterday and when it loaded up it launched Windows Media Player with a message saying "Windows Media Player cannot play the file. The file is either corrupt or the Player does not support the format you are trying to play". Anyway, I managed to get rid of that message; the only trouble is it launches itself every time I try to do anything (open all programs, amend files). It lets me use the net and download stuff but it will not let me run the program. I thought about reloading XP but I cannot afford to lose any programs I've got on there (and I cannot back up files either). The same thing keeps on happening, please please can somebody help me.
     
  2. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,823
    Go to here and download 'Hijack This!'. Double-click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on the desktop.
    Click on the entry in start menu or on the desktop to run HijackThis
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    Once we see the log we can hopefully determine whether it's a baddie or a system setting at fault.
     
  3. harrysk

    harrysk Thread Starter

    Joined:
    May 30, 2005
    Messages:
    7
    Logfile of HijackThis v1.99.1
    Scan saved at 08:20:03, on 01/06/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON Stylus C66 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P32 "EPSON Stylus C66 Series (Copy 1)" /O6 "USB001" /M "Stylus C66"
    O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [vpxkar] c:\windows\system32\vpxkar.exe -start
    O4 - HKLM\..\Run: [Virgins] C:\Program Files\Mpb\Dialers\Virgins\Virgins.exe /dontdial
    O4 - HKLM\..\Run: [Gay_Sexy_gb] C:\Program Files\SCom\Dialers\Gay_Sexy_gb\Gay_Sexy_gb.exe /dontdial
    O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0009.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://10.0.0.5:8000/Ctl/WinWebPush.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
     
  4. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,823
    You have few problems there but that log was taken in safe mode and we do need to see a log in normal mode to be sure of getting everything
     
  5. harrysk

    harrysk Thread Starter

    Joined:
    May 30, 2005
    Messages:
    7
    Unable to run HJT in normal mode, cannot open anything in normal mode. I get another window opening up that says "Open with" and displays a list of programs, then I get a message window saying "Windows cannot access the specified device, path or file, you may not have the appropriate permission to access the item".
     
  6. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,823
    uninstall errorguard from add/remove programs in control panel

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [vpxkar] c:\windows\system32\vpxkar.exe -start
    O4 - HKLM\..\Run: [Virgins] C:\Program Files\Mpb\Dialers\Virgins\Virgins.exe /dontdial
    O4 - HKLM\..\Run: [Gay_Sexy_gb] C:\Program Files\SCom\Dialers\Gay_Sexy_gb\Gay_Sexy_gb.exe /dontdial
    O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe

    O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0009.exe

    O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://10.0.0.5:8000/Ctl/WinWebPush.cab



    Now start Killbox and paste the first file listed below into the "full pathname and file to delete" box.

    The file name will appear in the window and if the file exists it will appear in blue under that window. Then select standard file kill, press the red X button, say yes to the prompt and, once the file deleted message comes up, repeat for each file in turn.

    [Note: Killbox makes backups of all deleted files in a folder called C:\!submit we might ask you to submit those files for further examination a bit later on ]

    c:\windows\system32\vpxkar.exe
    C:\Program Files\SCom\Dialers\Gay_Sexy_gb\Gay_Sexy_gb.exe
    C:\Program Files\Mpb\Dialers\Virgins\Virgins.exe

    C:\Program Files\ErrorGuard\ErrorGuard.Exe

    Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

    then as some of the folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    delete these folders

    C:\Program Files\Mpb
    C:\Program Files\SCom
    C:\Program Files\ErrorGuard

    then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then reboot and see if you can get into normal mode and get us full hjt log

    if you still can't get into normal mode then please try this so we can see some additional places
    download and unzip http://www.diamondcs.com.au/index.php?page=asviewer and double click the asviewer.exe file
    press main and make sure the top 3 items are ticked, press refresh & then save and copy that log back here
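
The "ONLY these entries, double check" step above can be verified mechanically against the saved log. This is an added example, not part of the thread or of HijackThis: the function names are hypothetical, the line format is inferred from the log posted above, and the sample lines are copied from that log.

```python
import re

# Sample input: a few entry lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [vpxkar] c:\windows\system32\vpxkar.exe -start
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0009.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")             # e.g. "O4 - ..."
O4 = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Executable path: either quoted, or unquoted up to the first ".exe" token end.
EXE = re.compile(r'^(?:"([^"]+)"|(.+?\.exe))(?=\s|$)', re.I)

def norm(line):
    """Collapse whitespace so forum copy/paste indentation does not matter."""
    return " ".join(line.split())

def parse_log(text):
    """Return [(section_code, body)] for every HijackThis entry line."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY.match(norm(line))
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def check_fix_list(log_text, fix_lines):
    """Split fix_lines into (found, missing) by exact match against the log."""
    logged = {norm(l) for l in log_text.splitlines() if ENTRY.match(norm(l))}
    wanted = [norm(l) for l in fix_lines]
    return ([l for l in wanted if l in logged],
            [l for l in wanted if l not in logged])

def o4_targets(log_text):
    """Map each O4 autorun value name to the executable path it launches."""
    targets = {}
    for code, body in parse_log(log_text):
        m = O4.match(body) if code == "O4" else None
        exe = EXE.match(m.group("cmd")) if m else None
        if exe:
            targets[m.group("name")] = exe.group(1) or exe.group(2)
    return targets

if __name__ == "__main__":
    for name, path in o4_targets(SAMPLE_LOG).items():
        print(f"{name:12} -> {path}")
```

A fix-list line that lands in `missing` was mistyped or does not come from this log and should not be ticked; `o4_targets` gives the on-disk file behind each autorun entry, including unquoted paths that contain spaces.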
     
  7. harrysk

    harrysk Thread Starter

    Joined:
    May 30, 2005
    Messages:
    7
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@DVR1, 06-01-2005
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray
    C:\WINDOWS\System32\igfxtray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
    C:\WINDOWS\System32\hkcmd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PCMService
    C:\Program Files\Dell\Media Experience\PCMService.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dla
    C:\WINDOWS\system32\dla\tfswctrl.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdateManager
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
    c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
    c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VirusScan
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINDOWS\System32\\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpeedTouch USB Diagnostics
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VirusScan Online
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EPSON Stylus C66 Series (Copy 1)
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P32 "EPSON Stylus C66 Series (Copy 1)" /O6 "USB001" /M "Stylus C66"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EPSON Stylus C66 Series
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gcasServ
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
    C:\WINDOWS\System32\CTFMON.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\ISP signup reminder 1.job
    C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
    C:\WINDOWS\Tasks\McAfee.com Update Check (DHJ0T51J-Owner).job
    c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    C:\WINDOWS\Tasks\McAfee.com Update Check (DVR1-user).job
    C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
     
  8. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,823
    Have the latest fixes with HJT made any difference?
     
Short URL to this thread: https://techguy.org/366778