

HijackThis log help needed


19 replies to this topic

#1 OFFLINE   merlynh

    Member

  • Members
  • 10 posts

Posted 04 May 2005 - 08:58 PM

Any help at this stage would be truly appreciated. Below is a log from HijackThis. Again thank you for any advice you can give.


Logfile of HijackThis v1.99.1
Scan saved at 1:39:50 PM, on 5/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\PROGRA~1\PEOPLE~1\PropelAC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\NT_USDM.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Documents and Settings\Merlin\My Documents\Information from Spy Sweeper\Hijackthis(2971\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\PropelAC.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: NT_USDM.LNK = ?
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

#2 OFFLINE   Tarun

    Lunarian

  • Banned
  • 3,071 posts

Posted 04 May 2005 - 09:04 PM

Generated by Tarun's HijackThis Converter.

Created registry value. Safe to remove:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search

Changed registry value. Safe to remove:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search

Changed *.ini file value forced into registry. Safe to remove:
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

Enumeration of existing IE's BHO's. Safe to remove:
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

Enumeration of suspicious auto-loading registry entries. Safe to remove:
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: NT_USDM.LNK = ?

Extra IE context menu items. Safe to remove:
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html

Extra "Tools" menu items and buttons. Safe to remove:
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll


System looks perfectly clean to me. The above are simply optimization suggestions.

#3 OFFLINE   merlynh

    Member

  • Members
  • 10 posts

Posted 05 May 2005 - 07:34 PM

I thank you very much. This computer stuff gets a little too much for me. Some of the entries didn't get uninstalled.
Logfile of HijackThis v1.99.1
Scan saved at 12:01:10 PM, on 5/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\PROGRA~1\PEOPLE~1\PropelAC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\NT_USDM.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\intmonp.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Merlin\My Documents\Information from Spy Sweeper\Hijackthis(2971\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\PropelAC.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

Do you have any suggestions?

I do have another computer that is really giving me troubles, it's my daughter's and it's so slow online she can't even use it. The HijackThis log is as follows. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 4:59:19 PM, on 5/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\wualcts.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\navprotect.exe
C:\WINDOWS\System32\urnqbu.exe
C:\WINDOWS\System32\trass.exe
C:\WINDOWS\System32\navupdaters.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\PEOPLE~1\PropelAC.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Michelle\Local Settings\Temp\Temporary Directory 1 for hijackthis(2971).zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [Windows Compliant] urnqbu.exe
O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\viadqc.exe
O4 - HKLM\..\Run: [NAV Auto Updates] navupdaters.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\PropelAC.exe"
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [Windows Compliant] urnqbu.exe
O4 - HKLM\..\RunServices: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] navupdaters.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunOnce: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows Compliant] urnqbu.exe
O4 - HKCU\..\Run: [NAV Auto Updates] navupdaters.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\RunOnce: [Task Help] wualcts.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O21 - SSODL: mtkle - {8191A5D5-6371-433B-5084-621DF460E4AF} - C:\WINDOWS\System32\jkelnn32.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Once I can get an idea of what a clear log looks like I know I can get on top of these problems. If there is anything I can do to help you let me know. I've been a writer for a number of years and would be more than glad to return the favor.

Sincerely,
Merlyn

#4 OFFLINE   Tarun

    Lunarian

  • Banned
  • 3,071 posts

Posted 05 May 2005 - 08:25 PM

Your pc is clean. Also, do you both use dial-up or do you have a better connection such as DSL or Cable?

Here's the log of your daughter's HijackThis.

Disable System Restore (My Computer, right click and choose Properties, System Restore tab, check off "Turn off System Restore"). When you reboot, boot her computer into Safe Mode by pressing F8 at the Windows XP screen.

Generated by Tarun's HijackThis Converter.

Changed *.ini file value forced into registry. Safe to remove:
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe

Enumeration of existing IE's toolbars. Safe to remove:
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

Enumeration of suspicious auto-loading registry entries. Safe to remove:

CRITICAL ALERT. WORMS FOUND! Remove these IMMEDIATELY!
(The black text is links to removal instructions)

Added by RBOT:
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe

Added by RBOT-AIX:
O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\RunServices: [Microsoft Legacy Device] trass.exe

Added by RBOT-IR:
O4 - HKLM\..\Run: [Windows Compliant] urnqbu.exe
O4 - HKLM\..\RunServices: [Windows Compliant] urnqbu.exe
O4 - HKCU\..\Run: [Windows Compliant] urnqbu.exe

Added by RBOT-UN:
O4 - HKLM\..\Run: [NAV Auto Updates] navupdaters.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] navupdaters.exe
O4 - HKCU\..\Run: [NAV Auto Updates] navupdaters.exe

Added by KORGO.W or KORGO.X or KORGO.AB:
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\viadqc.exe

Added by RBOT:
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunOnce: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\RunOnce: [Task Help] wualcts.exe

Not virus related, but safe to remove:
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe

ShellServiceObjectDelayLoad (SSODL) autorun Registry key. Safe to remove:
O21 - SSODL: mtkle - {8191A5D5-6371-433B-5084-621DF460E4AF} - C:\WINDOWS\System32\jkelnn32.dll


I recommend you get Avast Anti-Virus if you do not have an actively running virus scanner on her computer. You can click here to download Avast.

#5 OFFLINE   merlynh

    Member

  • Members
  • 10 posts

Posted 06 May 2005 - 12:39 AM

We both use a dial-up connection, which is all that is available where we live.

The update after doing the fixes with HijackThis is as follows for my daughter's computer. The
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe keeps coming back after I try and fix it. Doesn't that matter? I'm downloading the other program you suggested also. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 5:11:33 PM, on 5/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\PEOPLE~1\PropelAC.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Michelle\Local Settings\Temp\Temporary Directory 10 for hijackthis(2971).zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\PropelAC.exe"
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

#6 OFFLINE   Tarun

    Lunarian

  • Banned
  • 3,071 posts

Posted 06 May 2005 - 01:56 AM

Aside from that F2 entry (seems a tad strange, but may be okay), the system looks clean.

I would suggest you get XP Service Pack 2. You can order it on CD FREE from here
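The F2 entry that keeps coming back and the autorun entries listed under several keys at once can both be picked out of a log mechanically. The following is an added example, not part of the thread and not the converter used in it; the function names and the `F2_DEFAULTS` table are assumptions made for illustration, and the sample lines are copied from the logs posted above.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunOnce: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

# Stock Windows XP values of the two Winlogon settings HijackThis reports as F2
# (assumed table name; anything beyond these also runs at every logon).
F2_DEFAULTS = {"userinit": {"userinit.exe"}, "shell": {"explorer.exe"}}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<name>\w+)=(?P<value>.*)$")
O4_RE = re.compile(
    r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$"
)


def basename(path):
    """Lower-cased file name of a Windows path, with quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def extra_logon_programs(log):
    """Return {setting: [programs beyond the stock value]} for F2 entries."""
    findings = {}
    for line in log.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name").lower()
        programs = [basename(p) for p in m.group("value").split(",") if p.strip()]
        extras = [p for p in programs if p not in F2_DEFAULTS.get(name, set())]
        if extras:
            findings[name] = extras
    return findings


def repeated_autoruns(log, min_keys=2):
    """Return {command: sorted autorun keys} for O4 commands set in several keys."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            seen[m.group("cmd").lower()].add(m.group("key"))
    return {cmd: sorted(keys) for cmd, keys in seen.items() if len(keys) >= min_keys}


if __name__ == "__main__":
    print(extra_logon_programs(SAMPLE_LOG))
    print(repeated_autoruns(SAMPLE_LOG))
```

A hit from either function only means the entry deserves a closer look; it says nothing about what the file is.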

#7 OFFLINE   merlynh

    Member

  • Members
  • 10 posts

Posted 06 May 2005 - 07:53 PM

Thanks, you really got stuff straightened out. My daughter’s computer is running online again and I finally got my computer back again all to myself. I do have one other problem: I keep getting pop-ups about trying to sell me spyware. Sometimes a yellow triangle in my system tray with an exclamation mark blinking. I’ve run all the suggested anti-spyware programs and they don’t seem to remove this pop-up. Could you suggest a good pop-up blocker I could use? Thank you for your help, you've been very kind.

Sincerely,
Merlyn

#8 OFFLINE   Tarun

    Lunarian

  • Banned
  • 3,071 posts

Posted 06 May 2005 - 08:16 PM

merlynh, on May 6 2005, 03:53 PM, said:

Thanks, you really got stuff straightened out. My daughter’s computer is running online again and I finally got my computer back again all to myself. I do have one other problem: I keep getting pop-ups about trying to sell me spyware. Sometimes a yellow triangle in my system tray with an exclamation mark blinking. I’ve run all the suggested anti-spyware programs and they don’t seem to remove this pop-up. Could you suggest a good pop-up blocker I could use? Thank you for your help, you've been very kind.

Sincerely,
Merlyn


What browser does it occur with?

Have you tried my Anti-Malware package? If not you can get it here.

#9 OFFLINE   merlynh

    Member

  • Members
  • 10 posts

Posted 08 May 2005 - 09:26 PM

I am presently downloading your Anti-Malware package.

Though I've let my daughter use my computer and now I have things I cannot get rid of with HijackThis, and they keep coming up. Please advise. I did check off the other items as safe so they wouldn't keep showing up on HijackThis. Was that wise?

Latest log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:21:57 PM, on

5/8/2005
Platform: Windows XP (WinNT

5.01.2600)
MSIE: Internet Explorer v6.00

(6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.e

xe
C:\WINDOWS\system32\services.e

xe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.ex

e
C:\WINDOWS\System32\svchost.ex

e
C:\WINDOWS\System32\svchost.ex

e
C:\WINDOWS\System32\svchost.ex

e
C:\WINDOWS\system32\spoolsv.ex

e
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\Tmntsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.ex

e
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\pccguide.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\PCCClient.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\Pop3trap.exe
C:\PROGRA~1\PEOPLE~1\PropelAC.

exe
C:\Program

Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy

Sweeper\SpySweeper.exe
C:\Program Files\Microsoft

Office\Office\OSA.EXE
C:\WINDOWS\System32\intmonp.ex

e
C:\Program

Files\Logitech\MouseWare\syste

m\em_exec.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\WebTrap.EXE
C:\Program

Files\ISP50\Bin\Bartshel.exe
C:\WINDOWS\System32\intmon.exe
C:\PROGRA~1\ISP50\bin\ppshared

.exe
C:\Program

Files\Lavasoft\Ad-Aware SE

Personal\Ad-Aware.exe
C:\Program

Files\ISP50\Bin\Bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALE

R.EXE
C:\Program Files\Mozilla

Firefox\firefox.exe
C:\WINDOWS\system32\notepad.ex

e
C:\Documents and

Settings\Merlin\My

Documents\Information from Spy

Sweeper\Hijackthis(2971\Hijack

This.exe

R1 -

HKCU\Software\Microsoft\Intern

et

Explorer\Main,Default_Page_URL

= about:blank
R1 -

HKCU\Software\Microsoft\Intern

et

Explorer\Main,Default_Search_U

RL =

http://www.quicknavigate.com/s

earch.php?qq=%1
R1 -

HKCU\Software\Microsoft\Intern

et Explorer\Main,Search Bar =

http://www.quicknavigate.com/b

ar.html
R1 -

HKCU\Software\Microsoft\Intern

et Explorer\Main,Search Page =

http://www.quicknavigate.com/s

earch.php?qq=%1
R1 -

HKCU\Software\Microsoft\Intern

et

Explorer\Search,SearchAssistan

t =

http://www.quicknavigate.com/s

earch.php?qq=%1
R1 -

HKCU\Software\Microsoft\Intern

et

Explorer\Search,CustomizeSearc

h =

http://www.quicknavigate.com/s

earch.php?qq=%1
R0 -

HKCU\Software\Microsoft\Intern

et Explorer\Main,Local Page =

http://www.quicknavigate.com/
R1 -

HKCU\Software\Microsoft\Window

s\CurrentVersion\Internet

Settings,ProxyServer =

http=localhost:8081
F2 - REG:system.ini:

Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class -

{FFFFFFFF-FFFF-FFFF-FFFF-FFFFF

FFFFFFF} -

C:\WINDOWS\System32\hp95BF.tmp
O8 - Extra context menu item:

Refresh Pa&ge with Full

Quality - C:\Program

Files\PeoplePC

Accelerated\pac-page.html
O8 - Extra context menu item:

Refresh Pi&cture with Full

Quality - C:\Program

Files\PeoplePC

Accelerated\pac-image.html
O17 -

HKLM\System\CCS\Services\Tcpip

\..\{45CB1DAD-BF13-404A-BC7D-7

00EC0993268}: NameServer =

206.134.133.10 206.134.224.5

#10 OFFLINE   Tarun

    Lunarian

  • Banned
  • 3,071 posts

Posted 08 May 2005 - 10:36 PM

Is it at all possible you can repost the log or even attach it please? The above is unfortunately broken. :|

#11 OFFLINE   merlynh

    Member

  • Members
  • 10 posts

Posted 09 May 2005 - 05:40 PM

We'll try it again. I just love computers; they reflect the flaws of those who created them. :)

Logfile of HijackThis v1.99.1
Scan saved at 10:33:36 AM, on

5/9/2005
Platform: Windows XP (WinNT

5.01.2600)
MSIE: Internet Explorer v6.00

(6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.e

xe
C:\WINDOWS\system32\services.e

xe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.ex

e
C:\WINDOWS\System32\svchost.ex

e
C:\WINDOWS\system32\spoolsv.ex

e
C:\Program Files\Alwil

Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil

Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\Tmntsrv.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\PCCPFW.exe
C:\Program Files\Alwil

Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil

Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\winlogon.e

xe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft

AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\msole32.ex

e
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\pccguide.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\PCCClient.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\Pop3trap.exe
C:\Program Files\Trend

Micro\PC-cillin

2002\WebTrap.EXE
C:\Program

Files\Logitech\MouseWare\syste

m\em_exec.exe
C:\PROGRA~1\PEOPLE~1\PropelAC.

exe
C:\Program

Files\ISP50\Bin\Bartshel.exe
C:\PROGRA~1\ALWILS~1\Avast4\as

hDisp.exe
C:\PROGRA~1\ISP50\bin\ppshared

.exe
C:\Program Files\Microsoft

Office\Office\OSA.EXE
C:\Program

Files\ISP50\Bin\Bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALE

R.EXE
C:\Program Files\Mozilla

Firefox\firefox.exe
C:\Program Files\Microsoft

AntiSpyware\GIANTAntiSpywareMa

in.exe
C:\Documents and

Settings\Merlin\My

Documents\Information from Spy

Sweeper\Hijackthis(2971\Hijack

This.exe

R1 -

HKCU\Software\Microsoft\Intern

et

Explorer\Main,Default_Page_URL

= about:blank
R1 -

HKCU\Software\Microsoft\Intern

et

Explorer\Main,Default_Search_U

RL =

http://www.quicknavigate.com/s

earch.php?qq=%1
R1 -

HKCU\Software\Microsoft\Intern

et Explorer\Main,Search Bar =

http://www.quicknavigate.com/b

ar.html
R1 -

HKCU\Software\Microsoft\Intern

et Explorer\Main,Search Page =

http://www.quicknavigate.com/s

earch.php?qq=%1
R1 -

HKCU\Software\Microsoft\Intern

et

Explorer\Search,SearchAssistan

t =

http://www.quicknavigate.com/s

earch.php?qq=%1
R1 -

HKCU\Software\Microsoft\Intern

et

Explorer\Search,CustomizeSearc

h =

http://www.quicknavigate.com/s

earch.php?qq=%1
R1 -

HKCU\Software\Microsoft\Intern

et

Explorer\SearchURL,(Default) =

http://www.quicknavigate.com/s

earch.php?qq=%1
R0 -

HKCU\Software\Microsoft\Intern

et Explorer\Main,Local Page =

http://www.quicknavigate.com/
O2 - BHO: VMHomepage Class -

{FFFFFFFF-FFFF-FFFF-FFFF-FFFFF

FFFFFFF} -

C:\WINDOWS\System32\hpBC3D.tmp
O4 - HKLM\..\Run: [gcasServ]

"C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!]

C:\PROGRA~1\ALWILS~1\Avast4\as

hDisp.exe
O8 - Extra context menu item:

Refresh Pa&ge with Full

Quality - C:\Program

Files\PeoplePC

Accelerated\pac-page.html
O8 - Extra context menu item:

Refresh Pi&cture with Full

Quality - C:\Program

Files\PeoplePC

Accelerated\pac-image.html
O17 -

HKLM\System\CCS\Services\Tcpip

\..\{45CB1DAD-BF13-404A-BC7D-7

00EC0993268}: NameServer =

206.134.133.10 206.134.224.5
O23 - Service: avast! iAVS4

Control Service (aswUpdSv) -

Unknown owner - C:\Program

Files\Alwil

Software\Avast4\aswUpdSv.exe
O23 - Service: avast!

Antivirus - Unknown owner -

C:\Program Files\Alwil

Software\Avast4\ashServ.exe
O23 - Service: avast! Mail

Scanner - Unknown owner -

C:\Program Files\Alwil

Software\Avast4\ashMaiSv.exe"

/service (file missing)
O23 - Service: avast! Web

Scanner - Unknown owner -

C:\Program Files\Alwil

Software\Avast4\ashWebSv.exe"

/service (file missing)

#12 OFFLINE   Tarun

    Lunarian

  • Banned
  • 3,071 posts

Posted 09 May 2005 - 06:10 PM

Ok, I cleaned up the log paste manually. :D

Generated by Tarun's HijackThis Converter.

Created registry value. Safe to remove:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1

Changed registry value. Safe to remove:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/

Enumeration of existing IE's BHO's. Safe to remove:
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpBC3D.tmp

Domain hijack. Safe to remove:
O17 - HKLM\System\CCS\Services\Tcpip\..\{45CB1DAD-BF13-404A-BC7D-700EC0993268}: NameServer = 206.134.133.10 206.134.224.5

Enumeration of NT Services. Safe to remove:
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
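The manual cleanup of a hard-wrapped paste like the two above can be scripted. This is an added example, not part of the thread and not the converter used in it; the function name, the regexes and the 30-column width (measured from the wrapped fragments in the posts above) are assumptions, and the sample is built from fragments of that paste.

```python
import re

WIDTH = 30  # wrap column, measured from the broken paste in this thread (assumption)

ENTRY = re.compile(r"^[RFNO]\d{1,2} -")   # section codes: R0/R1, F2, O2, O4, O23, ...
HEADER = re.compile(r"^(?:Logfile of|Scan saved|Platform:|MSIE:|Running processes:)")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
SEPARATOR = re.compile(r"^[=-](?:\s|$)")  # a lone "=" or "-" between fields

# Constructed sample: fragments copied from the wrapped log posted above.
WRAPPED = r"""
Scan saved at 2:21:57 PM, on

5/8/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.e

xe
C:\Program Files\Trend

Micro\PC-cillin

2002\Tmntsrv.exe

R1 -

HKCU\Software\Microsoft\Intern

et

Explorer\Main,Default_Page_URL

= about:blank
O2 - BHO: VMHomepage Class -

{FFFFFFFF-FFFF-FFFF-FFFF-FFFFF

FFFFFFF} -

C:\WINDOWS\System32\hp95BF.tmp
"""


def rejoin(text, width=WIDTH):
    """Rebuild one record per log line from a hard-wrapped HijackThis paste."""
    records, last_len, in_entries = [], 0, False
    for raw in text.splitlines():
        frag = raw.strip()
        if not frag:
            continue  # blank lines are wrap residue in this paste
        is_entry = bool(ENTRY.match(frag))
        in_entries = in_entries or is_entry
        # A drive path opens a record only in the process list; once the
        # R/F/O entries begin, a path is the tail of the current entry.
        starts = is_entry or HEADER.match(frag) or (
            not in_entries and DRIVE_PATH.match(frag))
        if starts or not records:
            records.append(frag)
        else:
            # A fragment that filled the whole column was cut mid-token, so it
            # is glued back without a space, unless a field separator follows.
            # Limitation: a full-width fragment that ended at a real space
            # (e.g. "Documents\Information from Spy" in the paste) is joined
            # without one, so full-width joins deserve a manual check.
            glue = "" if last_len == width and not SEPARATOR.match(frag) else " "
            records[-1] += glue + frag
        last_len = len(frag)
    return records


if __name__ == "__main__":
    for record in rejoin(WRAPPED):
        print(record)
```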

#13 OFFLINE   merlynh

    Member

  • Members
  • 10 posts

Posted 09 May 2005 - 08:51 PM

HijackThis will not remove these files. I tried also in Safe Mode but it still didn't work. Any suggestions? I got all the latest spyware removers, and Avast.

Logfile of HijackThis v1.99.1
Scan saved at 1:46:55 PM, on 5/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\PROGRA~1\PEOPLE~1\PropelAC.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\intmon.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Merlin\My Documents\Information from Spy Sweeper\Hijackthis(2971\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp704F.tmp
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

#14 OFFLINE   Tarun


Posted 09 May 2005 - 09:42 PM

Disable System Restore (My Computer, right click and choose Properties, System Restore tab, check off "Turn off System Restore"). When you reboot, boot her computer into Safe Mode by pressing F8 at the Windows XP screen.

In Safe Mode, kill off these tasks if they exist:
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\intmon.exe

-------------------------------------------------------

Run CWShredder two to four times.

Make sure to get the latest updates for Ad-Aware, Spybot, and Microsoft-AntiSpyware (If you don't have it, I can provide the link).

Let them scan and check for spyware as well with the latest definition files.

-------------------------------------------------------

Click on Start > Run... > type CMD

This opens a command prompt. Now, type the following: cd C:\Windows\System32

Next, type the following: del hp704F.tmp

-------------------------------------------------------

Now run HijackThis and remove the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp704F.tmp

Now you should be able to safely reboot.

#15 OFFLINE   merlynh


Posted 12 May 2005 - 05:20 AM

Didn't work. I tried what you suggested three times and the only thing that changed was the BHO temp file; after I booted up again everything else came back. What else should I try?


Logfile of HijackThis v1.99.1
Scan saved at 10:16:49 PM, on 5/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\PROGRA~1\PEOPLE~1\PropelAC.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Merlin\My Documents\Information from Spy Sweeper\Hijackthis(2971\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6294.tmp
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{45CB1DAD-BF13-404A-BC7D-700EC0993268}: NameServer = 206.134.133.10 206.134.224.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
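
The observation in the post above (the BHO's temp file name changes between scans while the other entries return) can be checked mechanically by diffing two scans. This is an added example, not part of the thread or of HijackThis; the function names are hypothetical and the sample lines are excerpted from the 5/9 and 5/11 logs above.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # "R1 - ...", "O23 - ..."
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

# Entry lines excerpted from the 5/9 and 5/11 logs in this thread.
SCAN_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp704F.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""
SCAN_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6294.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

def parse_entries(log):
    """Return (code, body) per entry line; header and process-path lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def bho_by_clsid(entries):
    """Map each O2 entry's CLSID to its file path, ignoring the display name."""
    found = {}
    for code, body in entries:
        m = BHO.match(body) if code == "O2" else None
        if m:
            found[m.group(2).upper()] = m.group(3)
    return found

def compare_scans(before, after):
    old, new = parse_entries(before), parse_entries(after)
    old_bho, new_bho = bho_by_clsid(old), bho_by_clsid(new)
    # Same CLSID, different file: the BHO was recreated under a new name.
    respawned = [(c, old_bho[c], p) for c, p in new_bho.items()
                 if c in old_bho and old_bho[c].lower() != p.lower()]
    # O2 lines are compared by CLSID above, so leave them out of the exact match.
    rest_old = [e for e in old if e[0] != "O2"]
    rest_new = [e for e in new if e[0] != "O2"]
    return {
        "respawned_bho": respawned,
        "persisted": [e for e in rest_new if e in rest_old],
        "added": [e for e in rest_new if e not in rest_old],
        "removed": [e for e in rest_old if e not in rest_new],
    }

if __name__ == "__main__":
    for kind, items in compare_scans(SCAN_BEFORE, SCAN_AFTER).items():
        print(kind, items)
```

A CLSID that persists while its file path changes means something else is recreating the BHO at boot, so deleting the file alone will not hold.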

#16 OFFLINE   Tarun


Posted 12 May 2005 - 02:41 PM

merlynh, on May 12 2005, 01:20 AM, said:

Didn't work. I tried what you suggested three times and the only thing that changed was the BHO temp file; after I booted up again everything else came back. What else should I try?


Was System Restore disabled and did you boot into Safe Mode?

#17 OFFLINE   merlynh


Posted 12 May 2005 - 08:34 PM

Tarun, on May 12 2005, 02:41 PM, said:

Was System Restore disabled and did you boot into Safe Mode?



I did everything that you said and took the time to study what you advised. I realize that this computer mess is getting out of hand. I realize through experience that it is hard to find experts in many fields because we all live in a world mandated by self-evaluating reasoning, instead of careful thinkers open to the fact that no one knows everything. I want to thank you for displaying your careful consideration in giving advice. I tried to do some research and read the following sites for advice yet hesitated about the advice because issues such as these should be considered with caution because one may only remove part of the problem.

http://www.geekstogo.com/forum/quicknaviga...lem-t23192.html

http://www.geekstogo.com/forum/Quicknaviga...VED-t23326.html

Today Avast just downloaded the latest update and detected this trojan, Win32:puper-E. It removed it from backup files in Hijack and found five files, with a total of 14 files in other temp files the BHO created. It’s most definitely a worm capable of duplicating itself. Any effort to try and remove single files is not going to remove all of them. It is far too complex a problem to do without the help of a program designed to do the searching.

I would like to thank you for giving sound advice in having faith in programs designed to fix these types of problems.

I still have problems with something that is causing pop-ups. Thank you again for careful consideration in the advice you have given. My latest log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 1:29:58 PM, on 5/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\PROGRA~1\PEOPLE~1\PropelAC.exe
C:\WINDOWS\System32\intmonp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\AHEDW\AHD4.EXE
C:\Documents and Settings\Merlin\My Documents\Information from Spy Sweeper\Hijackthis(2971\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{45CB1DAD-BF13-404A-BC7D-700EC0993268}: NameServer = 206.134.133.10 206.134.224.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

#18 OFFLINE   Tarun


Posted 12 May 2005 - 09:06 PM

The processes running still have trojans.

C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe

It's Trojan/Fakespy-B and the removal instructions are here.

#19 OFFLINE   merlynh


Posted 13 May 2005 - 04:34 AM

Done everything you advised. Logfile from HijackThis as follows:

Logfile of HijackThis v1.99.1
Scan saved at 9:31:01 PM, on 5/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\PROGRA~1\PEOPLE~1\PropelAC.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Merlin\My Documents\Information from Spy Sweeper\Hijackthis(2971\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{45CB1DAD-BF13-404A-BC7D-700EC0993268}: NameServer = 206.134.133.10 206.134.224.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

#20 OFFLINE   DjLizard

    Dial-a-fix author

  • Members
  • PipPipPipPip
  • 1,339 posts

Posted 13 May 2005 - 04:42 AM

Very impressive job to both of you, merlynh and Tarun!

Now remove this:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Might as well remove:...
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

...since those two files are missing anyway.

To be certain, and also to clean up little remnants, I suggest downloading and playing with the free, excellent, F-Prot for DOS from here:...
http://files.f-prot..../dos/f-prot.zip
...and then unzipping these two files in the same place you unzip f-prot.zip, and overwrite all:...
http://updates.f-pro...randomly?fp-def
http://updates.f-pro...ndomly?macrdef2
(Tarun can explain how to run it if you have issues... and oh yeah it works well within Windows - see f-prot.com for details or read the included .TXT files)