|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help. |
 |
|
|
Thread Tools |
11-13-2004, 09:33 AM
|
#1 (permalink) |
|
Registered User
Join Date: Sep 2004
Posts: 11
OS: winxp
|
Hijack this log
Could someone please help me with this hijack log.
I keep getting all sorts of error and my internet does not work most times. This particular error is really getting to me: 16 bit dos application c:\windows\ui\biosctl.exe c:\windows\systems32\autoexec.nt the system file is not suitable for running.... Thanks. Logfile of HijackThis v1.97.7 Scan saved at 9:29:43 AM, on 11/13/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\wruaclt.exe C:\WINDOWS\system32\CTHELPER.EXE C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\TBPanel.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\txucsrje.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\wdskctl.exe C:\WINDOWS\updatetc.exe C:\WINDOWS\system32\fierwall.exe C:\temp\salm.exe C:\Program Files\Windows AdControl\WinAdCtl.exe C:\Program Files\Windows AdTools\WinAdTools.exe C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe C:\Program Files\Windows AdControl\WinAdAlt.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Windows AdTools\WinRatchet.exe C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe C:\Downloads\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing) O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - C:\Program Files\Games\tbGame.dll O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain O4 - HKLM\..\Run: [hjlrtry] C:\WINDOWS\System32\txucsrje.exe O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe O4 - HKLM\..\Run: [tpcupdater] C:\WINDOWS\updatetc.exe O4 - HKLM\..\Run: [Windows Compliant] ruzzom.exe O4 - HKLM\..\Run: [MSChoEx] suge.exe O4 - HKLM\..\Run: [Microsoft fierwall] fierwall.exe O4 - HKLM\..\Run: [salm] c:\temp\salm.exe O4 - HKLM\..\Run: [feh] C:\WINDOWS\feh.exe O4 - HKLM\..\Run: [*windows update] wruaclt.exe O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe O4 - HKLM\..\RunServices: [Windows Compliant] ruzzom.exe O4 - HKLM\..\RunServices: [MSChoEx] suge.exe O4 - HKLM\..\RunServices: [Microsoft fierwall] fierwall.exe O4 - HKLM\..\RunServices: [*windows update] wruaclt.exe O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe" O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKCU\..\Run: [Windows Compliant] ruzzom.exe O4 - HKCU\..\Run: [MSChoEx] suge.exe O4 - HKCU\..\Run: [*windows update] wruaclt.exe O4 - Startup: PowerReg SchedulerV2.exe O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Image Transfer.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...271ab95b94951b O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll O16 - DPF: {55A548B3-AFA8-41E3-8057-FD24931C6388} (FXExec Control) - http://216.87.37.188/app/FXCtrl.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...147.9590509259 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup145.cab Last edited by vdog : 11-13-2004 at 09:36 AM. Reason: additional error |
|
     
|
|
11-13-2004, 09:41 AM
|
#2 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Location: Independence, KY
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
  |
Hi vdog and welcome to TSF! You have LOTSA nasties running around there.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. You have an outdated version of HijackThis. Click here to get the latest version of HijackThis. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this site to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds. Download CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\system32\wruaclt.exe C:\WINDOWS\System32\txucsrje.exe C:\WINDOWS\wdskctl.exe C:\WINDOWS\updatetc.exe C:\WINDOWS\system32\fierwall.exe C:\temp\salm.exe C:\Program Files\Windows AdControl\WinAdCtl.exe C:\Program Files\Windows AdTools\WinAdTools.exe C:\Program Files\Windows AdControl\WinAdAlt.exe C:\Program Files\Windows AdTools\WinRatchet.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Windows AdControl Windows AdTools TVMedia BullsEyeNetwork eZula WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = proxy:8080 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing) O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing) O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain O4 - HKLM\..\Run: [hjlrtry] C:\WINDOWS\System32\txucsrje.exe O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe O4 - HKLM\..\Run: [tpcupdater] C:\WINDOWS\updatetc.exe O4 - HKLM\..\Run: [Windows Compliant] ruzzom.exe O4 - HKLM\..\Run: [MSChoEx] suge.exe O4 - HKLM\..\Run: [Microsoft fierwall] fierwall.exe O4 - HKLM\..\Run: [salm] c:\temp\salm.exe O4 - HKLM\..\Run: [feh] C:\WINDOWS\feh.exe O4 - HKLM\..\Run: [*windows update] wruaclt.exe O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe O4 - HKLM\..\RunServices: [Windows Compliant] ruzzom.exe O4 - HKLM\..\RunServices: [MSChoEx] suge.exe O4 - HKLM\..\RunServices: [Microsoft fierwall] fierwall.exe O4 - HKLM\..\RunServices: [*windows update] wruaclt.exe O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKCU\..\Run: [Windows Compliant] ruzzom.exe O4 - HKCU\..\Run: [MSChoEx] suge.exe O4 - HKCU\..\Run: [*windows update] wruaclt.exe O4 - Startup: PowerReg SchedulerV2.exe O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...71 ab95b94951b O16 - DPF: {55A548B3-AFA8-41E3-8057-FD24931C6388} (FXExec Control) - http://216.87.37.188/app/FXCtrl.cab O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...abasetup145.cab Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\wruaclt.exe C:\WINDOWS\System32\txucsrje.exe C:\WINDOWS\wdskctl.exe C:\WINDOWS\updatetc.exe C:\WINDOWS\system32\fierwall.exe C:\temp\salm.exe C:\Program Files\Windows AdControl\ C:\Program Files\Windows AdTools\ C:\WINDOWS\mxTarget.dll Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED. Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.
__________________
 GO BIG BLUE!! |
|
|
|
|
11-13-2004, 12:27 PM
|
#3 (permalink) |
|
Registered User
Join Date: Sep 2004
Posts: 11
OS: winxp
|
new hijack log
Thanks for your help so far!
Here is the new log. Still getting biosctl.exe error at startup and internet still does not work. Logfile of HijackThis v1.98.2 Scan saved at 12:25:06 PM, on 11/13/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\wruaclt.exe C:\WINDOWS\system32\CTHELPER.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\TBPanel.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Downloads\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - C:\Program Files\Games\tbGame.dll O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [*windows update] wruaclt.exe O4 - HKLM\..\RunServices: [*windows update] wruaclt.exe O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe" O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Windows Compliant] ruzzom.exe O4 - HKCU\..\Run: [MSChoEx] suge.exe O4 - HKCU\..\Run: [*windows update] wruaclt.exe O4 - Startup: PowerReg SchedulerV2.exe O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Image Transfer.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab |
|
|
|
|
11-13-2004, 12:50 PM
|
#4 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Location: Independence, KY
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Getting MUCH closer.....you're doing well.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Download WinsockFix and unzip it. Then double-click on it to run it. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\system32\wruaclt.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = proxy:8080 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O4 - HKLM\..\Run: [*windows update] wruaclt.exe O4 - HKLM\..\RunServices: [*windows update] wruaclt.exe O4 - HKCU\..\Run: [Windows Compliant] ruzzom.exe O4 - HKCU\..\Run: [MSChoEx] suge.exe O4 - HKCU\..\Run: [*windows update] wruaclt.exe O4 - Startup: PowerReg SchedulerV2.exe Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\wruaclt.exe ruzzom.exe suge.exe PowerReg SchedulerV2.exe Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.
__________________
GO BIG BLUE!! |
|
|
|
|
11-13-2004, 02:12 PM
|
#5 (permalink) |
|
Registered User
Join Date: Sep 2004
Posts: 11
OS: winxp
|
Hi, I sure appreciate your help BUT it all just keeps coming back. When I go into safe mode, most of the suspect items are not in the hijack log. But when I run hijackthis in normal mode, they are present. I delete them but then they come back on reboot.
??? What now? |
|
|
|
|
11-13-2004, 02:19 PM
|
#6 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Location: Independence, KY
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Try a slightly different tack Start in Normal Mode.
Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): wruaclt.exe ruzzom.exe suge.exe wruaclt.exe PowerReg SchedulerV2.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = proxy:8080 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O4 - HKLM\..\Run: [*windows update] wruaclt.exe O4 - HKLM\..\RunServices: [*windows update] wruaclt.exe O4 - HKCU\..\Run: [Windows Compliant] ruzzom.exe O4 - HKCU\..\Run: [MSChoEx] suge.exe O4 - HKCU\..\Run: [*windows update] wruaclt.exe O4 - Startup: PowerReg SchedulerV2.exe Reboot into Safe Mode (hit F8 key until menu shows up). Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\wruaclt.exe ruzzom.exe suge.exe PowerReg SchedulerV2.exe
__________________
GO BIG BLUE!! |
|
|
|
|
11-13-2004, 02:30 PM
|
#7 (permalink) |
|
Registered User
Join Date: Sep 2004
Posts: 11
OS: winxp
|
I just tried that.
The wruaclt.exe stuff keeps coming back. I tried msconfig and unchecked the wruaclt item in the startup folder but it still is showing up in the hijack log. UGH!!! I also still get the biosctl.exe error I'm just trying to manually remove it from the registy in the "RUN" section (which it appears to still be there). |
|
|
|
|
11-13-2004, 02:45 PM
|
#8 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Location: Independence, KY
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
OK. Download KillBox and unzip it to a folder. Run KillBox and copy and paste each of the following (one by one and hit Kill File):
C:\WINDOWS\system32\wruaclt.exe C:\WINDOWS\system32\ruzzom.exe C:\WINDOWS\system32\suge.exe C:\WINDOWS\system32\PowerReg SchedulerV2.exe Click on the Exit button (restart).
__________________
GO BIG BLUE!! Last edited by CTSNKY : 11-13-2004 at 02:46 PM. |
|
|
|
|
11-13-2004, 03:55 PM
|
#9 (permalink) |
|
Registered User
Join Date: Sep 2004
Posts: 11
OS: winxp
|
OK, internet seems to be working temporarily but still getting biosctl.exe error on startup and you will also see the wruactl.exe in the hijack log.
wruactl.exe does not seem to be in the current task list though??? as it was before. Logfile of HijackThis v1.98.2 Scan saved at 3:49:41 PM, on 11/13/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\CTHELPER.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\TBPanel.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe C:\Program Files\Messenger\msmsgs.exe C:\Downloads\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - C:\Program Files\Games\tbGame.dll O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [*windows update] wruaclt.exe O4 - HKLM\..\RunServices: [*windows update] wruaclt.exe O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [*windows update] wruaclt.exe O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Image Transfer.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab |
|
|
|
|
11-13-2004, 07:02 PM
|
#10 (permalink) |
|
Registered User
Join Date: Sep 2004
Posts: 11
OS: winxp
|
I have been checking thoroughly and deleting every instance of wruactl.exe. I have deleted it manually in the registry, using hijack this and also removing it from the list of startup items.
I've rerun adaware and spybot numerous times. Adaware comes up clean and spybot comes up with a V2 variant that it cannot get rid of (this is the thing that might be causing the problem but how do you get rid of it?) I've also done the housecall from trendmicro (came up clean). IT STILL KEEPS COMING BACK!!!! I am a tad frustrated right now.... Not sure if all of this has to do with the biosctl.exe error that is coming up? |
|
|
|
|
11-13-2004, 07:57 PM
|
#11 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Location: Independence, KY
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Another shot:
You should clear out the files in the Prefetch folder. Download prefetch.bat and double click on it to run it. Boot to Safe Mode and delete that immortal sucker. While you're there, check entire Registry for links to that file name (without the .exe) and delete. You appear to know your way around regedit. Failing that: This one is giving us trouble. I will ask you to run another program. Follow the instructions below. Round One Download VX2Finder (http://www.greyknight17.com/spy/VX2FinderNT.exe). 1: Shut off all open programs including printer and anything in the System Tray (virus scan, popup blocker, etc.). 2: Double click the VX2FinderNT.exe to launch the utility. 3: Click on Find VX2.BetterInternet button. The utility will display the bugs if they’re there. 4. Click on make log and post that log in your reply. Round Two Run VX2FinderNT.exe again and click the Click to Find VX2.BetterInternet button again. Place checkmarks next to each file and click the Delete these Files button. Click OK to each confirmation message. In this case, you might get a message that 1 or 2 cannot be deleted. Click the Open regedit button. Look for a Guardian... line in the left column. If it is there, then highlight the Guardian... line in the left column, right click it and choose Security/permissions. You'll get another window with advanced. Uncheck the lower box with inheritable permissions. Click Ok and then choose remove on the following security prompt. Restart computer. After a restart, double click VX2FinderNT.exe again, click the Click to Find Vx2.BetterInternet button again. Place a checkmark next to the remaining file(s) and click the Delete these Files button. Then click the User Agent$ button to remove the registry entry. Click the Open regedit button again. Highlight the Guardian... line in the left column, right click it and choose Security/permissions. You'll get another window with advanced. Place a checkmark in the lower box with inheritable permissions. Close the registry editor.+vbcrlf+vbcrlfClick the Guardian.reg key and Yes to the confirmation. This deletes that Guardian Key in the registry. Click the 'Click to Find Vx2.BetterInternet' button again and you should get a clean log of blank values. If it looks different than this, then click the Make Log button and post the contents: A clean log looks like this: Files Found--- Guardian Key--- is called: User Agent String--- Then click the Restore Policy button to restore the Debug policy altered in the look2Me installation. Reboot your computer when prompted to. Finally, post a fresh HijackThis log to make sure you’re all cleaned up.
__________________
GO BIG BLUE!! |
|
|
|
|
| Thread Tools | |
|
|
