Windows ME Problem....
jc2035
January 15th, 2003, 09:55 AM
Hi guys, I got an annoying problem. When I want to restart/shut down my computer, the window pops up "wait - end task - close", you know? I dunno what to do...also, when I want to open a document (.doc), ANY documents and images (jpg, bmp, etc.), my comp always begins to freeze :( They won't show up.
Geezer
January 16th, 2003, 04:27 AM
Some 28 people have looked at your question without responding. Can you give more specifics, or at least redefine it so it leads us in one direction or another ?
Dom MD
January 16th, 2003, 04:54 AM
what is the program windows is trying to end task when you restart/shut down?
what do you use to open document files and images?
can you open other things?
JoJo Gunn
January 16th, 2003, 04:56 AM
jc2035, is there anything you've done lately? Installed any games? Changed any settings? Kazaa?
Go here and get the start-up list program (it's a small file, and isn't something you install), and post the results (2nd item).
http://www.lurkhere.com/~nicefiles/index.html
jc2035
January 16th, 2003, 07:44 PM
Hey guys........sorry I didn't respond for a while...here.
-------------------------------------------------------------------------------
StartupList report, 16/01/2003, 12:37:46 PM
StartupList version: 1.50
Started from : C:\WINDOWS\DESKTOP\NEW FOLDER\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\PROGRAM FILES\SAVE\SAVE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\GAMECHANNEL.EXE
C:\PROGRAM FILES\COMMONNAME\TOOLBAR\WINNET.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\DOWNLOADWARE\DW.EXE
C:\PROGRAM FILES\DELFIN\PROMULGATE\PGMONITR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\PROGRAM FILES\SQWIRE\CC.EXE
C:\PROGRAM FILES\WEATHERCAST\WEATHER.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\PROGRAM FILES\PRECISIONTIME\PRECISIONTIME.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\STARTUPLIST.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
wcmdmgr = C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
Registry = C:\WINDOWS\SYSTEM\registry.exe
Belowjze = C:\WINDOWS\SYSTEM\belowjze.exe
LoadQM = loadqm.exe
QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE
CMESys = "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
WhenUSave = C:\PROGRA~1\SAVE\Save.exe
XupiterToolbarUninstaller = C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\KBL46MWH\XupiterToolbarUninstaller.exe
WT GameChannel = C:\Program Files\WildTangent\Apps\GameChannel.exe
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
winnet = C:\PROGRA~1\COMMON~2\TOOLBAR\WINNET.EXE
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
EanthologyApp = C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
WebScan = C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
MediaLoads Installer = "C:\Program Files\DownloadWare\dw.exe" /H
PromulGate = "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
SQUpdatesChecker = C:\Program Files\Sqwire\uc.exe
SQConfigChecker = C:\Program Files\Sqwire\cc.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Attune Download = C:\PROGRA~1\AVEO\ATTUNE\UPDATER1\ATTUNEL.EXE
ICQ Plus = C:\PROGRA~1\ICQPLUS\vplus.exe
WeatherCast = C:\Program Files\WeatherCast\Weather.exe /q
MSNHelper = C:\PROGRAM FILES\MSNHELPER\MSNWatch.exe
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
eZmmod = C:\PROGRA~1\ezula\mmod.exe
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe
[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=
run=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 13/1/2003, 14:34:42)
[rename]
NUL=C:\WINDOWS\TEMP\IRSETUP.EXE
NUL=C:\WINDOWS\TEMP\IRSETUP.EXE
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
--------------------------------------------------
C:\WINDOWS\WINSTART.BAT listing:
@C:\WINDOWS\tmpcpyis.bat
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\COMMON~1\MSIETS\MSIETS.DLL - {0A68C5A2-64AE-4415-88A2-6542304A4745}
(no name) - C:\PROGRA~1\COMMON~1\MSIETS\MSIELINK.DLL - {A6250FB8-2206-499E-A7AA-E1EC437E71C0}
(no name) - C:\WINDOWS\SYSTEM\MSIEIN.DLL - {D6E66235-7AA6-44ED-A06C-6F2033B1D993}
(no name) - C:\PROGRAM FILES\FLT\FLT.DLL - {665ACD90-4541-4836-9FE4-062386BB8F05}
(no name) - C:\Program Files\NewDotNet\newdotnet4_50.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
(no name) - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\SQWIRE\U.DLL (file missing) - {2662BDD7-05D6-408F-B241-FF98FACE6054}
BabeIE - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBABE.DLL - {00000000-0000-0000-0000-000000000000}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE}]
CODEBASE = http://a94.g.akamai.net/7/94/1622/50_9/www.ezula.com/Address/download/eZulaBoot.cab
[GSDACtl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GSDA.DLL
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab
[{9DBAFCCF-592F-FFFF-FFFF-00608CEC297C}]
CODEBASE = http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[{A45F39DC-3608-4237-8F0E-139F1BC49464}]
CODEBASE = http://php.offshoreclicks.com/dialup_files/99950093.cab
[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab
[NPX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\NPX.OCX
CODEBASE = http://nprotect1.gravity.co.kr/nprotect/npx.cab
[&Search Toolbar]
InProcServer32 = C:\PROGRA~1\COMMON~1\MSIETS\MSIETS.DLL
CODEBASE = http://www.trafficsyndicate.com/TB/Cabs/T_210/toolbar_new.cab
[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.3808912037
[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002121801/housecall.antivirus.com/housecall/xscan53.cab
[GigexCtrl ActiveX]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GIGEXAGENT.DLL
CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll
[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab
[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab
[{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}]
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #2: C:\Program Files\NewDotNet\newdotnet4_50.dll
Protocol #1: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
Protocol #2: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
Protocol #9: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
Protocol #10: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
--------------------------------------------------
End of report, 12,240 bytes
Report generated in 0.594 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
jc2035
January 16th, 2003, 07:49 PM
So...........what now?
JoJo Gunn
January 16th, 2003, 08:58 PM
Right off I see plenty of spyware-Precision Time and Xupiter and Promulgate and Ezula and NewDotNet. Wild Tangent is considered by many to be spyware. WeatherBug might be.
I suggest you download SpyBot and run it:
http://security.kolla.de/index.php?lang=en&page=download
Note all the things in red print, which will be first. The stuff with green are less worrisome, (yet still worth considering later).
EDIT-you might find this page of interest:
http://www.doxdesk.com/parasite/
http://sitebilder.com/hosting/privacy/wild-t.php
jc2035
January 16th, 2003, 09:58 PM
Oh, what's spyware?
JoJo Gunn
January 16th, 2003, 11:24 PM
What is spyware? Well, this is cranky old JoJo's view of it, (as clean a version I know how to post here). ;)
How would you like some stranger following you around the mall, with a cell phone to his ear, looking over your shoulder, telling whoever he's talking to every step you take, every store you go into, every item you browse, what you bought or rejected? Would you like that person you don't even know to tell other strangers your credit card or checking account number? Address and phone number? The most intimate of things, like perhaps your underwear size?
In the real world we call them stalkers. They the same as stalk us on our computers, keeping up with every web site we visit and sending that information, (and no telling what else), to God knows where, and it's always a battle not just against their criminal practices, but also for the damage they can sometimes do. Spyware can make some people's machines very unstable, and perhaps yours is one of them.
This isn't to say you might not have other legitimate problems as well....
jc2035
January 17th, 2003, 12:06 AM
Ooooooooooooooo I see, yeah i get it now, thanks for explanation, dude! :D
jc2035
January 17th, 2003, 12:07 AM
So, if I delete a few spywares, my computer will work better?
AnnMarie
January 17th, 2003, 12:19 AM
Great explanation JoJo :D
jc2035 - once you get rid of the viruses and trojans also running on your PC, I am sure it will. Get rid of the viruses first, then tackle the spyware. Actually, I am surprised that your PC can run.
Download and run the W32.Yaha Removal Tool (http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.removal.tool.html) first.
When you have done that, go here (http://housecall.trendmicro.com/) and run an online scan. Report back on what it finds (write down the names and post them back here).
Registry = C:\WINDOWS\SYSTEM\registry.exe (this is a trojan)
Belowjze = C:\WINDOWS\SYSTEM\belowjze.exe (I don't know what this is but I don't like the look of it).
jc2035
January 17th, 2003, 12:31 AM
Oh, thanks for advice, annmarie. I don't have any viruses on my computer.
JoJo Gunn
January 17th, 2003, 12:34 AM
Thanks, AnnMarie. That was the "sanitized" version, ya know. :) But I'm glad you jumped in here. I'm still learning a few things, such as how to spot Yaha? Where is that line, by the way? Admittedly some things run together.
jc2035, you can't go wrong with this lady around to help.
jc2035
January 17th, 2003, 12:39 AM
Oh, all right, sorry, JoJo Gunn. You're right.
HKEd
January 17th, 2003, 12:44 AM
Hi JoJo Gunn...here's the Yaha infection:
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe
I also like your "sanitized" explanation of spyware. ;)
JoJo Gunn
January 17th, 2003, 12:48 AM
Thanks, HKEd. Yeah, they sometimes try to make things look kosher, don't they? This one would appear easy to dismiss to the untrained eye.
Hey, anybody want to see the raw version of what I think of cyber-stalkers? :eek: :eek: :eek: :D :D :D
AnnMarie
January 17th, 2003, 12:48 AM
Oh, thanks for advice, annmarie. I don't have any viruses on my computer.
LOL..ya think! You are welcome jc2035 :D
Ed..what do you think this is?
Belowjze = C:\WINDOWS\SYSTEM\belowjze.exe
JoJo Gunn
January 17th, 2003, 12:52 AM
"Oh, all right, sorry, JoJo Gunn. You're right."
In all fairness, I posted something before that about jc2035 taking AnnMarie's advice, and not to simply trust he was virus free, since some viruses now effectively "kill" AV programs so they can do their damage unhindered. But I deleted it thinking maybe he did the outside scan, but he read it. Just don't want him to look like he's ghost talking.
jc2035
January 17th, 2003, 12:52 AM
No, no, no, no, I didn't mean that I thought that I don't have any viruses, because I scanned for viruses since my comp started to work in the "dirrrty" way. No viruses were found. But hey, do you want me to scan it again? All right, I'll scan it again...hold on...scanning...
JoJo Gunn
January 17th, 2003, 12:55 AM
jc2035, go to that link AnnMarie gave you. Get a second opinion, since maybe your own AV could be compromised.
AnnMarie
January 17th, 2003, 12:57 AM
JoJo - don't sweat it. Your efforts helping others are much appreciated. :D
Hey, anybody want to see the raw version of what I think of cyber-stalkers?
Ummmm...how about emailing it to me LOL!
JoJo Gunn
January 17th, 2003, 01:02 AM
I won't sweat too much. I'm also surrounded by good hands.
Uh, the raw version might get you 10 years to Life for just reading it. :D
AnnMarie
January 17th, 2003, 01:03 AM
:D
JoJo Gunn
January 17th, 2003, 01:16 AM
Since this is a constant learning experience for me, what is this? Doesn't look good....
[{A45F39DC-3608-4237-8F0E-139F1BC49464}]
CODEBASE = http://php.offshoreclicks.com/dialup_files/99950093.cab
EDIT-went to their site. It's a pay per click deal, where the "advantage" in dealing with them is no IRS. Yeah, right.... :rolleyes:
AnnMarie
January 17th, 2003, 01:26 AM
Hi JoJo - it looks like the install file for a premium rate dialer of some sort but there is so much crud in the startup list that I didn't get down that far. There are also some nasty looking BHOs (http://www.spywareinfo.com/articles/bho/) in that list.
JoJo Gunn
January 17th, 2003, 01:37 AM
Didn't get that far? Y'all really do see some things, eh?
That's a good site. I love the title of this one:
http://www.spywareinfo.com/yabbse/index.php?board=7;action=display;threadid=1335
:cool:
jc2035
January 17th, 2003, 02:08 AM
back.....yo, I scanned....no viruses were found.
jc2035
January 17th, 2003, 02:10 AM
Originally posted by JoJo Gunn
jc2035, go to that link AnnMarie gave you. Get a second opinion, since maybe your own AV could be compromised.
what's AV?
JoJo Gunn
January 17th, 2003, 02:12 AM
Okay, so have you run SpyBot yet? If not, use it. Check off all the things that come up on top in red, if they're not already, and click "Fix Selected problems". Then make another start-up list and post it.
(It'll save what it deletes, in case you have to "recover". Some spyware can be stubborn, but we'll take that one step at a time).
jc2035
January 17th, 2003, 02:16 AM
You got it, sir, I'm downloading it right now...
AnnMarie
January 17th, 2003, 02:17 AM
jc2035 - did you scan with Norton or from here (http://housecall.trendmicro.com/)? If you used Norton, disable it and go and scan online at HouseCall.
jc2035
January 17th, 2003, 02:17 AM
Sir, I used it with HouseCall antivirus.
jc2035
January 17th, 2003, 02:18 AM
Hey, am I installing a right program - Spybot - Search & Destroy?
JoJo Gunn
January 17th, 2003, 02:20 AM
Yeah, that's it. Should be version 1.4
Uh, make that 1.1 release 4.
jc2035
January 17th, 2003, 02:21 AM
Aight.....whoa...I see different flags, what's that?!
JoJo Gunn
January 17th, 2003, 02:24 AM
LOL! You're on the English page, so you're okay, unless you want the Spanish version. :D
jc2035
January 17th, 2003, 02:25 AM
Ha.........I see :D
jc2035
January 17th, 2003, 02:27 AM
Okay........this is my first time using this program....how am I gonna scan it?
JoJo Gunn
January 17th, 2003, 02:32 AM
I'm going to have to be away for about an hour and a half.
By the way, you ran Housecall, and the fixYaha tool, right? Since this is Winduhs ME, did you disable System Restore? It has to be disabled to make things right, and you can't go back to a time when things were "clean" anyway, just my opinion.
Right click My Computer>Properties>Performance>File System>TroubleShooting. There you'll see the option to disable it, and you'll have to restart. Run that fixYaha tool again AnnMarie told you about, since it might not work right with SR on.
jc2035
January 17th, 2003, 02:33 AM
oh ok
jc2035
January 17th, 2003, 02:35 AM
Well......why does it need to be disabled?
HKEd
January 17th, 2003, 03:19 AM
Because of the System Restore function. Virus scanners will report viruses in System Restore as they have been in there since the last restore point. "Unlocking" System Restore will flush out what nasties lurk in there, and resetting SR will set a "clean" restore point for future use. I haven't explained this very well, but I'm posting from what seems like my deathbed (Hong Kong flu.)
Some bedtime reading here:
How to disable or enable Windows Me System Restore (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239)
HKEd
January 17th, 2003, 03:29 AM
Oops...AnnMarie posted this and I forgot to reply:
Ed..what do you think this is?
Belowjze = C:\WINDOWS\SYSTEM\belowjze.exe
Malware...pure and simple. As a rule of thumb (well, my rule of thumb :rolleyes: ), any file in the Windows\System folder with a dodgy name that does not get hits on search engines is a nastie - uncheck the startup in msconfig, reboot and delete the file.
jc2035
January 17th, 2003, 03:44 AM
Oh, I see...I think I get it
jc2035
January 17th, 2003, 03:45 AM
So.......I ran spybot....fixed problems...restarted comp.....and comp's still in "dirrty" way...nothing's helped :(
jc2035
January 17th, 2003, 03:53 AM
Yeah.....I disabled system restore....so what now?
OH! After I fixed the problems....here's the startup list.
JoJo Gunn
January 17th, 2003, 04:00 AM
jc2035, the fixyaha tool warned you about System Restore. If you're not sure about something, yell, or we'll assume you followed instructions.
HKEd, good luck on fighting the bug.
jc2035
January 17th, 2003, 04:01 AM
StartupList report, 16/01/2003, 8:54:42 PM
StartupList version: 1.50
Started from : C:\WINDOWS\DESKTOP\NEW FOLDER\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SAVE\SAVE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DOWNLOADWARE\DW.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SQWIRE\CC.EXE
C:\PROGRAM FILES\COMMONNAME\TOOLBAR\WINNET.EXE
C:\PROGRAM FILES\WEATHERCAST\WEATHER.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\STARTUPLIST.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
Registry = C:\WINDOWS\SYSTEM\registry.exe
Belowjze = C:\WINDOWS\SYSTEM\belowjze.exe
LoadQM = loadqm.exe
QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE
WhenUSave = C:\PROGRA~1\SAVE\Save.exe
WT GameChannel = C:\Program Files\WildTangent\Apps\GameChannel.exe
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
WebScan = C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
MediaLoads Installer = "C:\Program Files\DownloadWare\dw.exe" /H
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
SQUpdatesChecker = C:\Program Files\Sqwire\uc.exe
SQConfigChecker = C:\Program Files\Sqwire\cc.exe
winnet = C:\PROGRA~1\COMMON~2\TOOLBAR\winnet.exe
DownloadWare = "C:\Program Files\DownloadWare\dw.exe" /H
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ICQ Plus = C:\PROGRA~1\ICQPLUS\vplus.exe
WeatherCast = C:\Program Files\WeatherCast\Weather.exe /q
MSNHelper = C:\PROGRAM FILES\MSNHELPER\MSNWatch.exe
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe
[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=
run=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 13/1/2003, 14:34:42)
[rename]
NUL=C:\WINDOWS\TEMP\IRSETUP.EXE
NUL=C:\WINDOWS\TEMP\IRSETUP.EXE
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
--------------------------------------------------
C:\WINDOWS\WINSTART.BAT listing:
@C:\WINDOWS\tmpcpyis.bat
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Browser Helper Objects:
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - (no file) - {00000000-0000-0000-0000-000000000000}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[GSDACtl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GSDA.DLL
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab
[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[{A45F39DC-3608-4237-8F0E-139F1BC49464}]
CODEBASE = http://php.offshoreclicks.com/dialup_files/99950093.cab
[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab
[NPX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\NPX.OCX
CODEBASE = http://nprotect1.gravity.co.kr/nprotect/npx.cab
[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.3808912037
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002121801/housecall.antivirus.com/housecall/xscan53.cab
[GigexCtrl ActiveX]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GIGEXAGENT.DLL
CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll
[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab
[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab
[{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}]
--------------------------------------------------
End of report, 9,514 bytes
Report generated in 0.442 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
jc2035
January 17th, 2003, 04:02 AM
No, I meant that System Restore was enabled before, so you told me to disable it and I did it.
jc2035
January 17th, 2003, 04:06 AM
btw, I'm glad you're back :)
JoJo Gunn
January 17th, 2003, 04:13 AM
Well, to my eyes it looks somewhat better. I see that offshore dialer thing is still there. And there's WhenUSave.
AnnMarie mentioned this trojan earlier:
Registry = C:\WINDOWS\SYSTEM\registry.exe
EDIT-thanks, jc2035. You might not be when I'm through giving advice, LOL! :D
Maybe I should let wiser heads prevail now. At least the list is up.
By the way, how often do you update Norton? When's the last time you went there? Is Automatic Live Update enabled?
jc2035
January 17th, 2003, 04:32 AM
np, JoJo Gunn, and what, I have a trojan virus? Live Update - I'm not sure if it's enabled, I dunno, I think it is. But LiveUpdate isn't a problem, I suppose so.
jc2035
January 17th, 2003, 04:38 AM
Hey, JoJo Gunn - wanna use msn messenger? We could talk over msn messenger and use netmeeting, like desktop sharing? :D
JoJo Gunn
January 17th, 2003, 04:43 AM
Automatic Live Update, if enabled, lets Norton check the update site for the latest virus definitions.
Double click on the Norton AV icon in the tray, and tell us the date of the virus definitions under "Virus Definition Service".
EDIT- I don't use chat rooms. Besides, others might learn something here.
JoJo Gunn
January 17th, 2003, 04:56 AM
Okay, like I said, maybe others can help you better, but I can maybe give you another tool to use to speed up things a little. Go here and get Trojan Hunter. It's a 30 day trial. I think AnnMarie taught me this one too. ;)
http://www.misec.net/trojanhunter.jsp
AnnMarie
January 17th, 2003, 08:57 AM
I don't remember that, JoJo, and I have an incredible memory (you told me so) :D
Hi again jc2035 - I see that you are still having problems with your PC. I also see from your most recent Startup List that you have been to HouseCall and Panda but I am still sure that you have a virus and at least one trojan on your PC. What I cannot understand is why neither scan picked them up.
Copy and paste the below two entries and run a Google search or whatever search engine you prefer. This is what I get (amongst other similar sites): Trojan.Zasil (http://securityresponse.symantec.com/avcenter/venc/data/trojan.zasil.html) and W32.Yaha.L@mm (http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.l@mm.html), although in the case of the trojan, there are others that add registry.exe so it may not be Zasil.
Registry = C:\WINDOWS\SYSTEM\registry.exe
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe
I have grave misgivings about the below executable too. It is not a Windows file. Try right-clicking on it and selecting Properties. Post back all the information.
Belowjze = C:\WINDOWS\SYSTEM\belowjze.exe
Also, what can you tell us about these programs?
SQUpdatesChecker = C:\Program Files\Sqwire\uc.exe
SQConfigChecker = C:\Program Files\Sqwire\cc.exe
*EDIT* You could always humour me and run the W32.Yaha Removal Tool (http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.removal.tool.html) anyways :D
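AnnMarie's triage above (search the startup entry names, and check Properties on anything that is not a Windows file) can be scripted against a saved StartupList report. The Python below is an added example, not code from the thread or from StartupList; the report text, the suspect names and the allowlist are constructed for illustration.

```python
import re

# Constructed sample in the StartupList report format used in this thread;
# the entries are illustrative, not the poster's full report.
SAMPLE_REPORT = """\
Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Registry = C:\\WINDOWS\\SYSTEM\\registry.exe
WinServices = C:\\WINDOWS\\SYSTEM\\WinServices.exe
ScanRegistry = C:\\WINDOWS\\scanregw.exe /autorun
SystemTray = SysTray.Exe
SQUpdatesChecker = C:\\Program Files\\Sqwire\\uc.exe

Enumerating Download Program Files:

[NPX Control]
InProcServer32 = C:\\WINDOWS\\DOWNLO~1\\NPX.OCX
CODEBASE = http://nprotect1.gravity.co.kr/nprotect/npx.cab
"""

# Names the thread's helpers singled out, and a few stock Windows ME
# startups (assumption: this allowlist is illustrative, not exhaustive).
THREAD_SUSPECTS = {"registry.exe", "winservices.exe", "belowjze.exe"}
KNOWN_GOOD = {"systray.exe", "scanregw.exe", "taskmon.exe", "loadqm.exe"}

ENTRY_RE = re.compile(r"^(?P<name>[^=\[\]]+?)\s*=\s*(?P<value>.+)$")
# Last path component ending in a binary extension, ignoring trailing args.
EXE_RE = re.compile(r"([^\\/]+?\.(?:exe|dll|ocx))", re.IGNORECASE)

def parse_entries(report):
    """Return (name, value) pairs for every 'Name = value' line."""
    pairs = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            pairs.append((m.group("name"), m.group("value")))
    return pairs

def triage(report):
    """Return [(name, exe, reason)] for entries a helper would question:
    names already flagged in the thread, non-stock binaries living in
    WINDOWS\\SYSTEM, and browser-installed controls to trace to a CODEBASE."""
    findings = []
    for name, value in parse_entries(report):
        m = EXE_RE.search(value)
        exe = (m.group(1) if m else value).lower()
        low = value.lower()
        if exe in THREAD_SUSPECTS:
            findings.append((name, exe, "flagged in thread; verify with Properties"))
        elif "\\windows\\system\\" in low and exe not in KNOWN_GOOD:
            findings.append((name, exe, "non-stock executable in WINDOWS\\SYSTEM"))
        elif "\\downlo" in low:
            findings.append((name, exe, "browser-installed control; check CODEBASE"))
    return findings
```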
jc2035
January 17th, 2003, 08:02 PM
Hey :) Aight, I'll try
jc2035
January 17th, 2003, 08:06 PM
Oh yeah, I think Sqwire is spyware.
jc2035
January 17th, 2003, 08:09 PM
Hey, I'll try to scan my comp with Norton Antivirus. (I have Norton AV 2003 Pro Edition, btw) I never scanned it before, I installed that program about 4 weeks ago or 3, I don't remember.
jc2035
January 17th, 2003, 08:09 PM
I downloaded it from Kazaa, by the way, and it's a full version :D :D :D
jc2035
January 17th, 2003, 08:59 PM
Hmmmmmmm.........no viruses were found.....
jc2035
January 17th, 2003, 09:02 PM
Originally posted by JoJo Gunn
Okay, like I said, maybe others can help you better, but I can maybe give you another tool to use to speed up things a little. Go here and get Trojan Hunter. It's a 30 day trial. I think AnnMarie taught me this one too. ;)
http://www.misec.net/trojanhunter.jsp
So, if I download this, will I find a virus in my comp?
jc2035
January 17th, 2003, 09:06 PM
Originally posted by AnnMarie
I don't remember that, JoJo, and I have an incredible memory (you told me so) :D
Hi again jc2035 - I see that you are still having problems with your PC. I also see from your most recent Startup List that you have been to HouseCall and Panda but I am still sure that you have a virus and at least one trojan on your PC. What I cannot understand is why neither scan picked them up.
Copy and paste the below two entries and run a Google search or whatever search engine you prefer. This is what I get (amongst other similar sites): Trojan.Zasil (http://securityresponse.symantec.com/avcenter/venc/data/trojan.zasil.html) and W32.Yaha.L@mm (http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.l@mm.html), although in the case of the trojan, there are others that add registry.exe so it may not be Zasil.
Registry = C:\WINDOWS\SYSTEM\registry.exe
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe
I have grave misgivings about the below executable too. It is not a Windows file. Try right-clicking on it and selecting Properties. Post back all the information.
Belowjze = C:\WINDOWS\SYSTEM\belowjze.exe
Also, what can you tell us about these programs?
SQUpdatesChecker = C:\Program Files\Sqwire\uc.exe
SQConfigChecker = C:\Program Files\Sqwire\cc.exe
*EDIT* You could always humour me and run the W32.Yaha Removal Tool (http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.removal.tool.html) anyways :D
I searched belowjze.exe, registry.exe, winservices.exe - no files were found.
JoJo Gunn
January 17th, 2003, 10:20 PM
Well, we can see what's the foundation of all your problems. It would have been better all around if you'd told us all this up front.
I won't pretend to speak for anyone else here, but I personally can't in good faith help you anymore. You'll have to take it to the shop. I don't approve of Napster type practices, which gives fuel to the RIAA and the MPAA, which is nowadays actively seeking special hacker status.
:curse: :curse: :curse: :curse:
jc2035
January 17th, 2003, 10:33 PM
Oh....so my comp's been hacked by someone? :curse::curse::flame: I should buy a firewall then :mad:
-correct?
JoJo Gunn
January 17th, 2003, 10:42 PM
You downloaded Norton using Kazaa. I'd say you hacked yourself.
jc2035
January 17th, 2003, 10:43 PM
No.....my comp was the same way it worked without Norton.
Spider
January 18th, 2003, 12:11 AM
This thread is locked.
We don't assist or condone software piracy.