|
Windows XP Problem solving for the Windows XP Operating System |
|
Topic Tools |
#1
|
|||
|
|||
windows task manager closing itself?
lately, when i press ctl alt delete, it brings itself up and closes it after a second or two. i scanned for viruses but it continues to happen; i think it may have something to do with one of those aim viruses my little brother installed that I can't get rid of :|
its the new one that automatically puts it in your away messages saying "check it out" and giving a link... anyone have any ideas? its really pissing me off |
#2
|
|||
|
|||
First thing to do is make sure you have all the critical updates for XP.
|
#3
|
|||
|
|||
Same happens for me. It's very off-pissing. I'll try to fix it and come back with my results. That and the login screen started messing up (or not doing what I wanted) after I updated.
|
#4
|
|||
|
|||
download HijackThis from:
http://mjc1.com/mirror/hjt/ Please download HijackThis to a new folder, not a TEMP folder. Unzip, and open up the program. Click on the "Scan" button. It will change into a "Save Log" button. Click "Save Log" and save to the new folder you downloaded to. Do not make any changes to the list. Copy and paste the log to this thread, please. Cheers |
#5
|
|||
|
|||
Here's the results..
Logfile of HijackThis v1.97.7 Scan saved at 7:41:06 PM, on 3/11/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\svchost.exe C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Common files\updater\wupdater.exe C:\WINDOWS\System32\WINAMPA.EXE C:\Program Files\CursorXP\CursorXP.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Coolmon\CoolMon.exe C:\unzipped\yz_dck0083\YzDock.exe C:\Program Files\Trillian\trillian.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\explorer.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe C:\Program Files\MYIE2\MyIE.exe C:\Documents and Settings\Ben\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\system32\blank.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\system32\blank.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;http://localhost; R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file) O2 - BHO: (no name) - {ED0ADADD-0AE4-BDF5-250F-AA67C824E6F8} - C:\WINDOWS\system32\vtmmofzu.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [UserSystem] C:\Windows\system\internet.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<html> O4 - HKLM\..\Run: [<head></h] c:\WINDOWS\System32\<head></head> O4 - HKLM\..\Run: [<body bgcolor="#FFFF] c:\WINDOWS\System32\<body bgcolor="#FFFFFF"> O4 - HKLM\..\Run: [<cen] c:\WINDOWS\System32\<center> O4 - HKLM\..\Run: [<img src="file:///C:/Program Files/Net Nanny/BlockPage/nnbp.j] c:\WINDOWS\System32\<img src="file:///C:/Program Files/Net Nanny/BlockPage/nnbp.jpg"> O4 - HKLM\..\Run: [</cen] c:\WINDOWS\System32\</center> O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body> O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe O4 - HKLM\..\Run: [Winampa Agent] WINAMPA.EXE O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe O4 - HKLM\..\RunServices: [UserSystem] C:\Windows\system\internet.exe O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\RunOnce: [Winampa Agent] WINAMPA.EXE O4 - Startup: CoolMon.lnk = C:\Program Files\Coolmon\CoolMon.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe O4 - Global Startup: hpoddt01.exe.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Real.com (HKLM) O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab? O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab O16 - DPF: {359F7E49-1EA0-4671-92E9-61E32FE25C5E} - http://69.0.137.190/version3/Netster.dll O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/p...im/install.cab O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Instal...sinstaller.cab Thanks for your help so far, I was about to reformat and decided to check the thread one last time :P |
#6
|
|||
|
|||
Hi,
I`m off to lunch. Give us 30 mins and we should clean up so you are good to go. In the meanntime : Please download CWShredder from: www.zerosrealm.com/downloads/CWShredder.zip Unzip, Open CWShredder and click on the Fix button to find and fix any problems. How to stop CWS infection...read the information when you click "Next" at the end of running CWShredder. Then post back a new HJT log to finish cleaning up. Cheers |
#7
|
|||
|
|||
Okay, did that it removed a few things but I'm still getting the same problems heres the new HJT log...
Logfile of HijackThis v1.97.7 Scan saved at 8:49:10 PM, on 3/11/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Common files\updater\wupdater.exe C:\WINDOWS\System32\WINAMPA.EXE C:\Program Files\CursorXP\CursorXP.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Coolmon\CoolMon.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\System32\HPZipm12.exe C:\unzipped\yz_dck0083\YzDock.exe C:\Program Files\Trillian\trillian.exe C:\Program Files\MYIE2\MyIE.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Documents and Settings\Ben\Desktop\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;http://localhost; O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file) O2 - BHO: (no name) - {ED0ADADD-0AE4-BDF5-250F-AA67C824E6F8} - C:\WINDOWS\system32\vtmmofzu.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<html> O4 - HKLM\..\Run: [<head></h] c:\WINDOWS\System32\<head></head> O4 - HKLM\..\Run: [<body bgcolor="#FFFF] c:\WINDOWS\System32\<body bgcolor="#FFFFFF"> O4 - HKLM\..\Run: [<cen] c:\WINDOWS\System32\<center> O4 - HKLM\..\Run: [<img src="file:///C:/Program Files/Net Nanny/BlockPage/nnbp.j] c:\WINDOWS\System32\<img src="file:///C:/Program Files/Net Nanny/BlockPage/nnbp.jpg"> O4 - HKLM\..\Run: [</cen] c:\WINDOWS\System32\</center> O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body> O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe O4 - HKLM\..\Run: [Winampa Agent] WINAMPA.EXE O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\RunOnce: [Winampa Agent] WINAMPA.EXE O4 - Startup: CoolMon.lnk = C:\Program Files\Coolmon\CoolMon.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe O4 - Global Startup: hpoddt01.exe.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Real.com (HKLM) O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab? O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab O16 - DPF: {359F7E49-1EA0-4671-92E9-61E32FE25C5E} - http://69.0.137.190/version3/Netster.dll O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/p...im/install.cab O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Instal...sinstaller.cab |
#8
|
|||
|
|||
Hi,
Close ALL browser Windows and Windows Explorer windows, only have HijackThis running. In HiJackThis, Check the boxes beside the below entries, then click on "Fix checked" . O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file) O2 - BHO: (no name) - {ED0ADADD-0AE4-BDF5-250F-AA67C824E6F8} - C:\WINDOWS\system32\vtmmofzu.dll O4 - HKLM\..\Run: [UserSystem] C:\Windows\system\internet.exe O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<html> O4 - HKLM\..\Run: [<head></h] c:\WINDOWS\System32\<head></head> O4 - HKLM\..\Run: [<body bgcolor="#FFFF] c:\WINDOWS\System32\<body bgcolor="#FFFFFF"> O4 - HKLM\..\Run: [<cen] c:\WINDOWS\System32\<center> O4 - HKLM\..\Run: [<img src="file:///C:/Program Files/Net Nanny/BlockPage/nnbp.j] c:\WINDOWS\System32\<img src="file:///C:/Program Files/Net Nanny/BlockPage/nnbp.jpg"> O4 - HKLM\..\Run: [</cen] c:\WINDOWS\System32\</center> O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body> O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe O4 - HKLM\..\Run: [Winampa Agent] WINAMPA.EXE O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe O4 - HKLM\..\RunServices: [UserSystem] C:\Windows\system\internet.exe O4 - HKCU\..\RunOnce: [Winampa Agent] WINAMPA.EXE O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab O16 - DPF: {359F7E49-1EA0-4671-92E9-61E32FE25C5E} - http://69.0.137.190/version3/Netster.dll O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Insta...rsinstaller.cab Reboot into Safe Mode.....( tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......, then press the "Enter" key) Make sure you can see Hidden files and Folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html Then delete the below files and Folders: You may need to navigate to each file/folder in Windows Explorer....do not rely on a "Search" C:\Windows\system\zzb.exe ......( delete zzb.exe file) C:\Program Files\Srng ......( delete Srng folder) c:\WINDOWS\System32\zzb.exe ......( delete zzb.exe file) C:\Program Files\Common files\updater ......( delete updater folder) WINAMPA.EXE ...... do a "Search" and find and ......( delete WINAMPA.EXE file) C:\WINDOWS\Belt.exe ......( delete Belt.exe file) Reboot computer, and post back a new HJT log to this thread, please. May be some other things to clean up after "Trojan.Search.A" Cheers. ANd shoot off to Mocrosoft Update and download all critical patches. EDIT: The Winampa.exe file to delete will be in the "System32" folder. C:\WINDOWS\System32\WINAMPA.EXE Last edited by mike; March 12th, 2004 at 03:39 AM. |
#9
|
|||
|
|||
Woot, did that and everything is fine now ^_^
Logfile of HijackThis v1.97.7 Scan saved at 3:06:26 PM, on 3/12/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\CursorXP\CursorXP.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Coolmon\CoolMon.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\Trillian\trillian.exe C:\unzipped\yz_dck0083\YzDock.exe C:\Documents and Settings\Ben\Desktop\fix\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;http://localhost; O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Winampa Agent] WINAMPA.EXE O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: CoolMon.lnk = C:\Program Files\Coolmon\CoolMon.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe O4 - Global Startup: hpoddt01.exe.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Real.com (HKLM) O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab? O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/p...im/install.cab O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab There's the log after I deleted the files and such, thanks for all your help =] Downloaded the patches now as well, thanks again Last edited by Garadium; March 12th, 2004 at 09:10 PM. |
#10
|
|||
|
|||
Quote:
|
#11
|
|||
|
|||
Hi Garadium,
A couple of things to fix in HJT. Close ALL browser Windows and Windows Explorer windows, only have HijackThis running. In HiJackThis, Check the boxes beside the below entries, then click on "Fix checked" . O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file) O4 - HKLM\..\Run: [Winampa Agent] WINAMPA.EXE Reboot into Safe Mode.....( tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......, then press the "Enter" key) Make sure you can see Hidden files and Folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html Then delete the below file: You may need to navigate to each file/folder in Windows Explorer....do not rely on a "Search" C:\WINDOWS\System32\WINAMPA.EXE Reboot computer and post back a new HJT log to this thread, please. Cheers. |
#12
|
|||
|
|||
Quote:
What didn`t work. You haven`t posted a HJT log, so how could it work for you. Don`t post a HJT log here though, start your own topic. |
#13
|
|||
|
|||
Hello again, sorry about the delayed response. I'm out of town until about 7 pm est tonight, I'll post the results then
|
#14
|
|||
|
|||
Quote:
|
#15
|
|||
|
|||
hi,
im having the same sort of problems, it shuts down norton antivirus instead of windows task manager. i was wondering if you guys can help. here is a save log that i got with hijackthis Logfile of HijackThis v1.97.7 Scan saved at 1:04:20 AM, on 3/16/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\sysmon32.exe C:\WINDOWS\System32\drivers\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\winampa.exe C:\Documents and Settings\Edwin\Desktop\hijackthis\HijackThis.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SU B_PVER}&ar=home R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [System Monitor] sysmon32.exe O4 - HKLM\..\Run: [Generic Service Process] regsvc32.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\RunServices: [System Monitor] sysmon32.exe O4 - HKLM\..\RunServices: [Generic Service Process] regsvc32.exe O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: AIM (HKLM) i also ran cwshredder thanks |
Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
Similar Topics | ||||
Topic | Topic Starter | Forum | Replies | Last Post |
Windows Vista Mail Task Box not closing | windy | Windows Vista | 2 | November 10th, 2009 08:26 AM |
Task manager and other useful software keeps closing | mr_hell | Malware Removal | 1 | April 18th, 2008 06:40 AM |
Windows Task Manager Keeps Closing too | alicia_t | Malware Removal | 1 | November 10th, 2005 07:04 AM |
Windows Task Manager Keeps Closing.. | gigomeister | Malware Removal | 19 | November 9th, 2005 08:25 PM |
Task manager closing itself.... | refanatic | Windows XP | 1 | April 11th, 2004 03:04 AM |
All times are GMT +1. The time now is 11:31 PM.