MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: Where to begin!! Major computer problems
November 22, 2019, 10:30:14 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
November 22, 2019, 10:30:14 AM

Login with username, password and session length
 Featured Sites:
News
New  Check out our improved Download section for tons of software....
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: Where to begin!! Major computer problems  (Read 3700 times)
fourstar
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 26


Bookmark and Share

View Profile
« on: July 23, 2004, 05:59:27 AM »

About 3 months ago you help me fix my moms computer!!!  THANKS, now a friend of mine has a computer that is really bad.

Computer runs slow, freezes up, IE has been hijacked by a p*rn site, major pop ups, sometimes 8 or 10 at a time.  She is also having problems with Active X and her ability to download microsoft updates using her IE.  

To start with here is the hijack this log:


Logfile of HijackThis v1.98.0
Scan saved at 10:37:16 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Kazaa\kazaa.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\uwrhhn.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\docume~1\owner\locals~1\temp\msbb.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\wjview.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Owner\My Documents\HIJACK THIS\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fast-web-search.com/4010/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l2lp9twl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l2lp9twl.slt\prefs.js)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\rundll32 .exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [lbpmdwd] C:\WINDOWS\System32\uwrhhn.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\docume~1\owner\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [zsbmh] C:\WINDOWS\zsbmh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://fast-web-search.com/4010/search.php?url=
O13 - WWW Prefix: http://fast-web-search.com/4010/search.php?url=


*****

Problem with this is her adult son (who paid part of the computer is adamant that whatever I do doesn't effect his ability to run KAZAA).
 
Thank you very much
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #1 on: July 23, 2004, 06:27:08 AM »

I'm looking at your log right now, I will edit my reply when I'm ready
Logged

 
fourstar
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 26


Bookmark and Share

View Profile
« Reply #2 on: July 23, 2004, 06:29:26 AM »

Just confirmed with son that I can do "whatever" is necessary to fix computer.  So no issue with Kazaa anymore.  Thanks
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #3 on: July 23, 2004, 07:03:36 AM »

That is one nasty log--you may want to print this out
I'm surprised your system can even run Smiley
Let's try some cleanup
Don't worry about Kazaa, that's the least of her problems

Access Add/Remove Programs via Control Panel
REMOVE any of these if you can, if not proceed
WebSavingsfromEbates
KeenValue
P2P Networking <----unneeded addon by Kazaa that can
cause a lot of problems, if prompted to remove Altnet---do it!

Also remove Wild Tangent if you don't use it---known to contain spyware---may of been Installed with AOL instant messenger
WildTangent Web Driver
WildTangent Updater
WildTangent GameChannel

RESTART your computer if needed
Disconnect completely from the Internet

Access your Task Manager (Hold down CTRL+SHIFT and tap the ESC key)

End process on any of these that remain
P2P Networking.exe
points manager.exe
wcmdmgr.exe
kazaa.exe <---we're not removing it, just stopping it on startup
uwrhhn.exe
bargains.exe
optimize.exe
msbb.exe
omniscient.exe
Loader.exe
wjview.exe
asm.exe
WebSavingsfromEbates.exe

Set Windows to Show Hidden Files and Folders
* Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.

Do another Scan with Hijackthis and put a check next to these entries and  then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fast-web-search.com/4010/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
Make sure you get this one

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [lbpmdwd] C:\WINDOWS\System32\uwrhhn.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\docume~1\owner\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKLM\..\Run: [zsbmh] C:\WINDOWS\zsbmh.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O13 - DefaultPrefix: http://fast-web-search.com/4010/search.php?url=
O13 - WWW Prefix: http://fast-web-search.com/4010/search.php?url=

These next ones are optional, but they are not needed on startup, Resource hogs, it will not disable the program itself, I would fix them too
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

IMPORTANT
RESTART your Computer in SAFE MODE

Find and delete these files and folders
C:\Windows\System32\wsaupdater.exe <---this file, make sure you get it
C:\WINDOWS\System32\bridge.dll <--this file
C:\WINDOWS\System32\uwrhhn.exe <--this file
C:\WINDOWS\alchem.exe <--this file
C:\WINDOWS\wupdt.exe <--this file
C:\WINDOWS\zsbmh.exe <--this file
C:\Program Files\ClearSearch <--this folder
C:\WINDOWS\System32\P2P Networking <---this folder
c:\program files\altnet <---this folder
C:\WINDOWS\wt <--this folder
C:\Program Files\WildTangent <--this folder
C:\Program Files\Bargain Buddy <---this folder
C:\Program Files\Internet Optimizer <---this folder
C:\Program Files\WindowsSA <--this folder
C:\Program Files\WebSavingsfromEbates <---this folder
C:\Program Files\Common Files\GMT <---this folder
C:\Program Files\Common Files\KeenValue <---this folder

Navigate to this folder
C:\Program Files\Common Files\Real\Update_OB\
Open it
Right click and RENAME realsched.exe>>>>realsched.exe.old

While still in safe mode, go back to where  you unhid hidden files and folders and put a check back in
Hide protected operating system files (recommended) option.
Only change this one

Navigate to these TEMP folders and delete the WHOLE contents, including subfolders but NOT the TEMP directories themselves
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
# Empty your "Recycle Bin"

RESTART back in Normal Mode
Don't open a browser yet, instead access Internet Options via Control
Panel
Under the Programs tab "Reset Web Settings"
Under the General tab--- Reset home page

Download and Install the Free version of Ad-Aware
CHECK FOR UPDATES
Set these for additional options for a Custom Scan
click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

RESTART your computer

Download and Install Spybot S&D 1.3
http://www.safer-networking.org/en/download/index.html
SEARCH FOR UPDATES
Check for problems---FIX everything in RED
RESTART your computer

You may want to disable your AV and go to an ONLINE Virus Scan at Housecall's
http://housecall.trendmicro.com/
Set to Autoclean--delete what it can't fix, if anything

I know it seems like a lot, but you have a lot of junk on your computer, please follow the directions carefully.....
Like I said, you may want to print this out, save to notepad and print

Post back with a Fresh Hijackthis log afterwards and let me know how your doing

« Last Edit: July 23, 2004, 07:16:36 AM by benditup » Logged

 
fourstar
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 26


Bookmark and Share

View Profile
« Reply #4 on: July 23, 2004, 10:11:18 AM »

Thank you so much for responding so quickly.  My friend is older and disabled and was ready to put the whole pc in the dumpster.

Followed your directions, a few folders/files weren't available, but when I got to the TEMP folders, I deleted the contents of C:\Windows\Temp\, but was unable to find the others (C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\)

Nothing in the Adminstration or Owner folders, so I searched by "Local Settings" and still nothing.  So I just pressed on.

Ran the Spybot S& D, and got this message:
Error during check!: Winpup32 (Ungultiger Datentyp fur") ()  

There are two dots over the second u in the first word and the u in "fur".  However I was able to fix 19 files.

I was unable to get the Housecall virus scan to install after downloading from the site you suggested.  The installshield self extracting gets to 100%, then stalls.  Finally I close the application and get this message: non responsive program NTVDM.EXE

Then a message about the 16 bit subsystem needing to be closed.

Here is the current HiJack This Log.

Logfile of HijackThis v1.98.0
Scan saved at 2:43:28 AM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Owner\My Documents\HIJACK THIS\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l2lp9twl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l2lp9twl.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\rundll32 .exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

She is still geting Active X error message:
"Your current security settings prohibit running Active X controls on this page.  As a result, this page my not display correctly"

Could this be related to all the junk she has/had on here.  

Thank you so very much.
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #5 on: July 23, 2004, 08:47:55 PM »

Let's try this
Show hidden files and folder again with these instructions
* Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders
    * Click Yes to confirm.
    * Click OK.

RESTART your computer in SAFE MODE

Try navigating to these folders again and empty the contents
C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\


As an example---this line
C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\

Would be
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\


Follow my instructions above on how to rename realsched.exe
It is not needed on startup

While still in safe mode
Do another Scan with Hijackthis and put a check next to these entries and then FIX CHECKED when ALL other windows are closed

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\rundll32 .exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

RESTART your computer in Normal Mode

I'm not sure what the process is related too
ntvdm.exe <---usually associated with older hardware drivers or applications
I didn't see it in your first log

Can you access your Task Manager and shut it down
Next: Access your Internet Options via Control Panel
Under the Security tab
Internet---Click Custom Level

Under Active X controls and Plugins
Set these in order
Prompt
Disable
Disable
Enable
Enable

Restart Internet Explorer or restart your computer
Try Housecall's again
and/or try a scan at Panda's
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Post back a fresh hijackthis log afterwards


Logged

 
fourstar
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 26


Bookmark and Share

View Profile
« Reply #6 on: July 23, 2004, 09:56:52 PM »

Benditup:

After I started in Safe Mode, I had to reselect the Show Hidden Files and Folders Option.  Then I was able to find the Local Settings/Temporary folders and delete the contents of them.  

When I selected realsched the first time to open, I get the hourglass for a fraction of a second then nothing.  So I right clicked to rename and named it realsched.exe.old.  I didn't change anything with that this time, and still couldn't get it to do anything with Open except give me the hourglass for a fraction of a second again.

Fixed the two entries in the HijackThis Log done in Safe Mode.  


R3 - Default URLSearchHook is missing <---- this one was missing

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\rundll32 .exe internat.dll,LoadKeyboardProfile <---- fixed
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot <---- fixed

After the restart in Normal mode, I was able to shut down the ntvdm.exe from the Task Manager, changed the Active X controls per your suggestion, and rebooted the computer.  Shut down the ntvdm.exe again and was able to download the housecall and actually start the installation.  However, I don't know how to find the Netscape Plug-Ins that the installation said it needs and was unable to finish the install.  

Tried Panda, but kept getting a 404 message after hitting scan pc.

New Hijack This Log

Logfile of HijackThis v1.98.0
Scan saved at 2:42:46 PM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\TEMP\_ins0432._mp
C:\Documents and Settings\Owner\My Documents\HIJACK THIS\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l2lp9twl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l2lp9twl.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Still getting the same Active X meesage on IE, but not in the Netscape browser.

Thank You!!

Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #7 on: July 23, 2004, 11:14:57 PM »

Let's try a different route

Click the link to take you to Trojan Hunter
http://www.misec.net/trojanhunter.jsp

Then Click "Download Free Trial Version"
It's good for 30 days...

Download and install Trojan Hunter
IMPORTANT
After Install you will want to manually update the ruleset
from this link
http://www.misec.net/trojanhunter/updating/
Simply save the zip file to your desktop and unzip it to the TrojanHunter folder
It will prompt you to overwrite-----allow it

Disconnect completely from the Internet and run a Full Scan---you may want to do this in safe mode

Normally I'll ask to disable system Restore after you are clean
You may want to do this before restarting in safe mode and running
TrojanHunter--make sure no nasties return
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Forgot to add that housecalls and Panda's---you must use IE, as they work with ACTIVEX controls.....We may have to try a repair of IE, let's try the above first
« Last Edit: July 24, 2004, 01:16:09 AM by benditup » Logged

 
fourstar
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 26


Bookmark and Share

View Profile
« Reply #8 on: July 24, 2004, 03:40:23 AM »

Okay,

Downloaded the Trojan Hunter program.  Installed it. Went to the link for the ruleset update.  Downloaded it, extracted it to the Trojan Hunter folder (it did not prompt me to over-write). Disconnected from the Internet.  Disabled the System Restore.  Rebooted in Safe Mode.  Ran the Trojan Hunter, found 12 trojans & 3 possibles.  Fixed the 12.  Reconnected to the Internet.   Tried to access Panda and Housecall with the IE.  still getting the IE error message regarding Active X.

Here is the current HijackThis Log:

Logfile of HijackThis v1.98.0
Scan saved at 8:31:01 PM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Documents and Settings\Owner\My Documents\HIJACK THIS\hijackthis.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l2lp9twl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l2lp9twl.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll


Thank you!!
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #9 on: July 24, 2004, 04:23:06 AM »

Let's try this, you can remove it after, but its a shot....

In an open Internet Explorer window
Click on Tools----Internet Options----Click on SECURITY tab
Highlight TRUSTED ZONES---Click SITES
Ensure there is a check in "Require Server Verification (https:)
Copy and paste this into the "Add this Web Site into the zone"
https://v4.windowsupdate.microsoft.com/en/default.asp

Close out Internet Explorer and then open it and try Windows update
again or come back here with IE and try the link I supplied above

Just ruling out other possibilities
Your clock in the system tray is set to the right time and date
isn't it?
Did you make Netscape your default browser?
Go back into Internet Options
Under the Programs tab, is there a check in
"Internet Explorer should check and see if it is default browser"

If there's no check you may want to check it and try again
Remember to Restart your browser or your computer.....
Logged

 
fourstar
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 26


Bookmark and Share

View Profile
« Reply #10 on: July 24, 2004, 05:25:51 AM »

Okay,

After following the instructions above, and going to the windowsupdate link with the IE, I still get the Active X error message.  However before I would get blank page or a Page not found error.  Now microsoft gives me this message:

To install items from Windows Update, you must be logged on as an administrator or a member of the Administrators group. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.

Note If you are running a Windows 2000 (except DataCenter), Windows XP, or Windows Server 2003 operating system, you can run the local administrator account on your computer without having to log off and then log on again.

Spoke to the owner of the computer and they don't have any idea about any administrator. Next I went to Control Panel - User Accounts and noticed that the only account was Owner Computer Administator, which we are signed in as.

So..... I went to the Microsoft Windows Update troubleshooter and found this error message:

When trying to access the Windows Update Web site you receive the following error message: Access Denied. Please check with your System Administrator (Windows XP and Windows 2000)

Soooo... I followed the recommendation:

Please follow these steps:

1.  Click on Start, Run and type "REGEDIT" (w/o the quotes).  The Registry Editor will open.

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows XP/2K. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

2.  Navigate to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate

However I don't have a "WindowsUpdate" folder or file under Policies.

YIKES!!!

Still gettting that damn Active X error on almost every page when I use IE.

Thanks
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #11 on: July 24, 2004, 05:05:51 PM »

Hi again fourstar, I managed, somehow Smiley to duplicate your problem
exactly
So I hope what I did manages to fix you up
I removed the entry from the trusted zones you added earlier
Probably not necessary, but these are the steps I did

First time too :-).... I know it's a lot of typing in the cmd prompt
but it should work

Here's the steps I took
From the link at Microsoft


Display hidden files
Click Start, click My Computer, click Tools, and then click Folder Options.
Click the View tab.
Under Advanced settings, click Show hidden files and folders.
Under Advanced settings, click to clear the Hide protected operating system files (Recommended) check box.

Note Hidden files and folders will appear dimmed. Hidden files are program or system files that typically should not be deleted or changed.
Delete Temporary Internet Files
Use the Windows Disk Cleanup Wizard to clear your Temporary Internet Files. To do so:
Click Start, and then click Run.
In the Open box, type cleanmgr.
Click Temporary Internet Files, and then click OK.
Delete files from the Windows Update folder
On the Windows desktop, double-click My Computer.
Double-click drive C.
Double-click the Program Files folder, and then double-click the WindowsUpdate folder.
Click the V4 folder, click Edit, click Invert Selection, and then press DELETE.

I highlighted the V4 folder by left clicking and then Deleted it
If you can do that don't worry about these steps in the double dotted lines

==============================================================
Note If you cannot find the V4 folder, click Edit, click Select All and then press DELETE. Skip steps 5 and 6.
Double-click the V4 folder.
Click the Iuhist.xml file, click Edit, click Invert Selection, and then press DELETE.
===============================================================
Remove the Windows Update ActiveX controls
Click Start, and then click Search.
Click More Advanced Options, and then click to select the Search hidden files and folders check box.
Type iuctl.dll and iuengine.dll, and then click Search.

"I did this seperately, I had one instance of iuctl.dll and iuengine.dll in the DLLcache folder which I removed first and then
removed the one in the System32 folder
If you are following along with your browser open, you will want to close your browser down when you try to remove iuctl.dll in the System32 folder first before deleting.......


If these files are found in your C:\Windows\System32\Dllcache folder, delete them.
If these files are found in any folder other than C:\Windows\System32, delete them.
After you have deleted all other copies of these files, delete them from the C:\Windows\System32 folder.
If you are prompted to insert the Windows XP installation CD-ROM, click Cancel.

Note You will download newer versions of the files from the Windows Update Web site.
When you are prompted to answer if you want to keep the unrecognized file versions, click Yes. <---I had to do this a few times before Windows recognize it.....

Additionally, I accessed my Internet Options via Control Panel
Under the General Tab----Click SETTINGS
VIEW OBJECTS---You may see UPDATE CLASS related to Windows update
Right click and delete it, it may say Damaged

I RESTARTED my computer after this



After that is done Follow the procedure below
Worked for me, I hope it helps you too

   1. Click Start, and then click Run.
   2. In the Open box, type cmd, and then click OK.
   3. At the command prompt, type the following commands, pressing ENTER after each line:

      Note Click OK if you are prompted

      regsvr32 softpub.dll
      regsvr32 /u wintrust.dll
      regsvr32 /u initpki.dll
      regsvr32 /u dssenh.dll
      regsvr32 /u rsaenh.dll
      regsvr32 /u gpkcsp.dll
      regsvr32 /u sccbase.dll
      regsvr32 /u slbcsp.dll
      regsvr32 /u cryptdlg.dll
      regsvr32 /u softpub.dll


      exit
   4. Restart your computer.
   5. Click Start, click Run, type cmd in the Open box, and then click OK.
   6. At the command prompt, type the following commands (press ENTER after each command).

      Note Click OK if you are prompted.

      regsvr32 softpub.dll
      regsvr32 wintrust.dll
      regsvr32 initpki.dll
      regsvr32 dssenh.dll
      regsvr32 rsaenh.dll
      regsvr32 gpkcsp.dll
      regsvr32 sccbase.dll
      regsvr32 slbcsp.dll
      regsvr32 cryptdlg.dll
      regsvr32 softpub.dll


      exit

I RESTARTED the computer one more time, again, may not be necessary, but worked for me

EDITING this post---hope it helps
« Last Edit: July 24, 2004, 10:56:11 PM by benditup » Logged

 
fourstar
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 26


Bookmark and Share

View Profile
« Reply #12 on: July 25, 2004, 08:18:34 AM »

Wow!!!

I think we are well on our way to a healthier computer.  

We can now access the Windows Updates, YEEEHAWWW, and have finished that process.  Since I followed your last set of instructions, there have been no more ACTIVE X popups.  Whew!!!

Here is the current Hijack This Log

Logfile of HijackThis v1.98.0
Scan saved at 12:38:48 AM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Owner\My Documents\HIJACK THIS\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l2lp9twl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l2lp9twl.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

After this is all over,  I would love to know how to protect her computer from getting screwed up again.

Thanks
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #13 on: July 25, 2004, 05:47:46 PM »

Looks good fourstar, Glad to hear your activeX problems are rid of
Nice to see an 016 entry in your log Smiley

You can have hijackthis fix these entries
R3 - Default URLSearchHook is missing

The next is optional, but not needed on startup, some recommend uninstalling it, just have hijackthis fix it
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

You should install these 2 apps., they add extra security while
silently protecting you without running in the background
 
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
http://www.bleepingcomputer.com/forums/index.php?showtutorial=53

With both---Check for updates every couple of weeks

READ THIS
How did I get Infected

Stay safe Smiley
With the infections you had on the computer you may consider flushing out you system restore points,start fresh with a clean restore point
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

If she hasn't done a disk defrag of the hard drive in a while you may
consider doing that too....
Start---All Programs----Accessories---System Tools----Disk Defragmenter---(give it time too do it's job)
« Last Edit: July 25, 2004, 05:54:23 PM by benditup » Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #14 on: July 26, 2004, 05:27:00 AM »

I'll lock this topic fourstar, If you need it reopened, concerning these
issues, in this topic, Please PM a MOD

Supply a link to this thread
Stay safe
Logged

 
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page August 07, 2018, 09:48:51 PM