pc can't access Internet

timmyt · 04-25-2005, 04:34 AM

i have jst one machine i need help with, the machine keps hanging up and when i try to turn system restore on, it encounters an error and asks me to restart the machine. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:29:59 AM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\eScan\TRAYCSER.EXE
C:\PROGRA~1\eScan\avpm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\eScan\TRAYICOC.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\eScan\ESCANIPC.EXE
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Magic Keyboard\MagicKey.exe
C:\Program Files\Magic Keyboard\V3D.exe
C:\Program Files\Magic Keyboard\OSD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesotho.gov.ls/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://GLOBAL.ACER.COM/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers...meLeftPane.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ItMonitor] C:\WINDOWS\WASAY\MONITOR.EXE
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [ESCANIPC] C:\PROGRA~1\eScan\ESCANIPC.EXE
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int140522.exe -auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{61952829-7EAC-49F7-8240-4627F056782A}: NameServer = 196.25.228.113,196.34.234.236
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: eScan Client-Updater (eScan-trayicoc) - Unknown owner - C:\PROGRA~1\eScan\TRAYCSER.EXE
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

greyknight17 · 04-25-2005, 04:11 PM

Please don't post two logs from different computers in the same thread. I have created a new one here.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download LSPFix http://www.greyknight17.com/spy/LSPFix.exe and run it. Click on mwtsp.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

ShopperReports
websx

SpywareStormer - it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int140522.exe -auto
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\ShopperReports\
mslaugh.exe
C:\Program Files\Spyware Stormer\
C:\Program Files\websx\

Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

timmyt · 04-26-2005, 07:38 AM

Hi,
the result.txt u asked for:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:01:18 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRA~1\eScan\TRAYCSER.EXE
C:\PROGRA~1\eScan\avpm.exe
C:\PROGRA~1\eScan\TRAYICOC.EXE
C:\PROGRA~1\eScan\ESCANIPC.EXE
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\PROGRA~1\eScan\AvpM.exe
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\Program Files\Magic Keyboard\MagicKey.exe
C:\Program Files\Magic Keyboard\OSD.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesotho.gov.ls/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://GLOBAL.ACER.COM/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [ItMonitor] C:\WINDOWS\WASAY\MONITOR.EXE
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [ESCANIPC] C:\PROGRA~1\eScan\ESCANIPC.EXE
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{61952829-7EAC-49F7-8240-4627F056782A}: NameServer = 196.25.228.113,196.34.234.236
O23 - Service: eScan Client-Updater (eScan-trayicoc) - Unknown owner - C:\PROGRA~1\eScan\TRAYCSER.EXE
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe

End of KRC HijackThis Analyzer Log.
====================================================================

**POADB** · 04-26-2005, 11:05 AM

Your log is clean.

Please clear your System Restore Points by doing the following:

To turn off System Restore,Click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

Now create a new Restore Point:

To turn on System Restore,Click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.

timmyt · 04-27-2005, 07:44 AM

Thats where my problem lies, the system restore is already turned off and when i try to turn it on, it encounters an error and asks me to restart my machine and try again but after restart, i still get the same error message.

**POADB** · 04-27-2005, 07:56 AM

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file.(This is a stand alone tool and NOT just a virus checker......so it won't install anything)
4.Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything..but to ID the bad guys.

Once you copy that to a notepad file...highlight the text and copy it here along with a new hijackthis log.

timmyt · 04-29-2005, 05:04 AM

hi,
i'm sorry about a late reply, mwav.exe found one file infected and it deleted the file coz i'm alredy using escan as my anti-virus.
here is the new HJT log, still i cannot enable system restore;

Logfile of HijackThis v1.99.1
Scan saved at 11:50:48 AM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\eScan\TRAYCSER.EXE
C:\PROGRA~1\eScan\avpm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\eScan\TRAYICOC.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\eScan\ESCANIPC.EXE
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\Program Files\Magic Keyboard\MagicKey.exe
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Magic Keyboard\V3D.exe
C:\Program Files\Magic Keyboard\OSD.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesotho.gov.ls/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://GLOBAL.ACER.COM/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ItMonitor] C:\WINDOWS\WASAY\MONITOR.EXE
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [ESCANIPC] C:\PROGRA~1\eScan\ESCANIPC.EXE
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{61952829-7EAC-49F7-8240-4627F056782A}: NameServer = 196.25.228.113,196.34.234.236
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: eScan Client-Updater (eScan-trayicoc) - Unknown owner - C:\PROGRA~1\eScan\TRAYCSER.EXE
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Ried · 04-30-2005, 09:39 AM

Hi timmyt,

Try running the System File Checker: Click Start>Run and type in sfc /scannow (there is a space between sfc and /).

timmyt · 05-03-2005, 07:05 AM

hi,
sorry for a late reply. I ran system file checker but still cannot turn on system restore, i tried checking for errors on all my drives but could only run the tool on drive d not drive c.
any ideas will be welcome, i'll try everything i can and then get back to u after two days.

Ried · 05-03-2005, 06:17 PM

Hi timmyt,

By any chance has the StateMgr 'been 'unchecked' in msconfig? To check this, Start>Run>type in msconfig Click StartUp tab and look for that entry--make sure there is a 'check' in the box.

If that doesn't work:
Read the discussion and try the suggestions here: http://forums.wugnet.com/-enable-Res...ict226318.html.

Let us know if this helps.

timmyt · 05-12-2005, 08:23 AM

i tried running msconfig but couldnt find the entry statemgr!
i'll try the suggestions offered at the link you provided.
thanx

Ried · 05-12-2005, 08:29 AM

Hi,
Also download and run the Mwav Virus checker that POADB suggested earlier and post that here - it'll show us if there's something deeper in your system.

timmyt · 05-18-2005, 08:18 AM

Man, this thing is cracking my head!
i can't find the StateMgr in MsConfig, stmgr.exe is also not running! if only i was able to find StateMgr, then it would have been simple to tell if it is checked or not.
tried all suggestions from the links u provided but nothing is working.
the fight is still on.

Ried · 05-18-2005, 08:33 AM

Ok timmyt,

Please run the Mwav and post that here (scroll up this thread to find link and instructions given by POADB)

timmyt · 05-23-2005, 07:35 AM

hi, i did run mwav but it didnt find anything! i hav the latest HJT log, i'll wait for you to analyze it and if its clean then definitely its a problem of the machine itself. These Acer veriton 7600G's r a real pain. here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 2

15 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\eScan\TRAYCSER.EXE
C:\PROGRA~1\eScan\avpm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\eScan\TRAYICOC.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\eScan\ESCANIPC.EXE
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Magic Keyboard\MagicKey.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
C:\Program Files\Magic Keyboard\V3D.exe
C:\Program Files\Magic Keyboard\OSD.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://GLOBAL.ACER.COM/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ItMonitor] C:\WINDOWS\WASAY\MONITOR.EXE
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [ESCANIPC] C:\PROGRA~1\eScan\ESCANIPC.EXE
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{61952829-7EAC-49F7-8240-4627F056782A}: NameServer = 196.25.228.113,196.34.234.236
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: eScan Client-Updater (eScan-trayicoc) - Unknown owner - C:\PROGRA~1\eScan\TRAYCSER.EXE
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Ried · 05-23-2005, 08:12 AM

Your log is still clean. Try this:

To verify that System Restore services are running from Control Panel:

Click Start, Control Panel, then Performance and Maintenance
Click Administrative Tools, Computer Management, then Services and Applications.
Click Services, and then click System Restore Services. Ensure the service is set to Automatic and the status is Started

04-25-2005, 04:34 AM	#1 (permalink)
timmyt Registered User Join Date: Mar 2005 Posts: 55 OS: WINDOWS 2000	4sg i have jst one machine i need help with, the machine keps hanging up and when i try to turn system restore on, it encounters an error and asks me to restart the machine. Here is the HJT log: Logfile of HijackThis v1.99.1 Scan saved at 8:29:59 AM, on 4/25/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\eScan\TRAYCSER.EXE C:\PROGRA~1\eScan\avpm.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\PROGRA~1\eScan\TRAYICOC.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe C:\PROGRA~1\eScan\ESCANIPC.EXE C:\PROGRA~1\eScan\MAILDISP.EXE C:\PROGRA~1\eScan\AVPMWrap.EXE C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\eScan\AvpM.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\eScan\SPOOLER.EXE C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe C:\Program Files\Magic Keyboard\MagicKey.exe C:\Program Files\Magic Keyboard\V3D.exe C:\Program Files\Magic Keyboard\OSD.EXE C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesotho.gov.ls/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://GLOBAL.ACER.COM/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers...meLeftPane.htm O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [ItMonitor] C:\WINDOWS\WASAY\MONITOR.EXE O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE" O4 - HKLM\..\Run: [ESCANIPC] C:\PROGRA~1\eScan\ESCANIPC.EXE O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int140522.exe -auto O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Spyware Doctor] "F:\Spyware Doctor\swdoctor.exe" /Q O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/ O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{61952829-7EAC-49F7-8240-4627F056782A}: NameServer = 196.25.228.113,196.34.234.236 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: eScan Client-Updater (eScan-trayicoc) - Unknown owner - C:\PROGRA~1\eScan\TRAYCSER.EXE O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

04-25-2005, 04:11 PM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Please don't post two logs from different computers in the same thread. I have created a new one here. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Download LSPFix http://www.greyknight17.com/spy/LSPFix.exe and run it. Click on mwtsp.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts. If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: ShopperReports websx SpywareStormer - it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int140522.exe -auto O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\Program Files\ShopperReports\ mslaugh.exe C:\Program Files\Spyware Stormer\ C:\Program Files\websx\ Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

04-26-2005, 07:38 AM	#3 (permalink)
timmyt Registered User Join Date: Mar 2005 Posts: 55 OS: WINDOWS 2000	feedback Hi, the result.txt u asked for: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 2:01:18 PM, on 4/26/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\PROGRA~1\eScan\TRAYCSER.EXE C:\PROGRA~1\eScan\avpm.exe C:\PROGRA~1\eScan\TRAYICOC.EXE C:\PROGRA~1\eScan\ESCANIPC.EXE C:\PROGRA~1\eScan\AVPMWrap.EXE C:\PROGRA~1\eScan\AvpM.exe C:\PROGRA~1\eScan\MAILDISP.EXE C:\Program Files\Magic Keyboard\MagicKey.exe C:\Program Files\Magic Keyboard\OSD.EXE C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe C:\PROGRA~1\eScan\SPOOLER.EXE C:\PROGRA~1\WINZIP\wzqkpick.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesotho.gov.ls/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://GLOBAL.ACER.COM/ O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll O4 - HKLM\..\Run: [ItMonitor] C:\WINDOWS\WASAY\MONITOR.EXE O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE" O4 - HKLM\..\Run: [ESCANIPC] C:\PROGRA~1\eScan\ESCANIPC.EXE O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/ O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{61952829-7EAC-49F7-8240-4627F056782A}: NameServer = 196.25.228.113,196.34.234.236 O23 - Service: eScan Client-Updater (eScan-trayicoc) - Unknown owner - C:\PROGRA~1\eScan\TRAYCSER.EXE O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe End of KRC HijackThis Analyzer Log. ====================================================================

04-26-2005, 11:05 AM	#4 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,481 OS: XP SP2	Your log is clean. Please clear your System Restore Points by doing the following: To turn off System Restore,Click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK. Reboot your System. Now create a new Restore Point: To turn on System Restore,Click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Are there any problems now? If not, you should be set to go. __________________

04-27-2005, 07:44 AM	#5 (permalink)
timmyt Registered User Join Date: Mar 2005 Posts: 55 OS: WINDOWS 2000	feedback Thats where my problem lies, the system restore is already turned off and when i try to turn it on, it encounters an error and asks me to restart my machine and try again but after restart, i still get the same error message.

04-27-2005, 07:56 AM	#6 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,481 OS: XP SP2	Download this virus checker and tool from eScan Mwav.exe (Use Link 3) 1. Save it to a folder. 2. Reboot into safe mode 3. Double click the Mwav.exe file.(This is a stand alone tool and NOT just a virus checker......so it won't install anything) 4.Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane. 5. In the Virus Log Information Pane...... Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file Note If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything..but to ID the bad guys. Once you copy that to a notepad file...highlight the text and copy it here along with a new hijackthis log. __________________

04-29-2005, 05:04 AM	#7 (permalink)
timmyt Registered User Join Date: Mar 2005 Posts: 55 OS: WINDOWS 2000	feedback hi, i'm sorry about a late reply, mwav.exe found one file infected and it deleted the file coz i'm alredy using escan as my anti-virus. here is the new HJT log, still i cannot enable system restore; Logfile of HijackThis v1.99.1 Scan saved at 11:50:48 AM, on 4/29/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\eScan\TRAYCSER.EXE C:\PROGRA~1\eScan\avpm.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\PROGRA~1\eScan\TRAYICOC.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe C:\PROGRA~1\eScan\ESCANIPC.EXE C:\PROGRA~1\eScan\AVPMWrap.EXE C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\System32\ctfmon.exe C:\PROGRA~1\eScan\MAILDISP.EXE C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\eScan\AvpM.exe C:\Program Files\Magic Keyboard\MagicKey.exe C:\PROGRA~1\eScan\SPOOLER.EXE C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Magic Keyboard\V3D.exe C:\Program Files\Magic Keyboard\OSD.EXE C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesotho.gov.ls/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://GLOBAL.ACER.COM/ O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [ItMonitor] C:\WINDOWS\WASAY\MONITOR.EXE O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE" O4 - HKLM\..\Run: [ESCANIPC] C:\PROGRA~1\eScan\ESCANIPC.EXE O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/ O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{61952829-7EAC-49F7-8240-4627F056782A}: NameServer = 196.25.228.113,196.34.234.236 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: eScan Client-Updater (eScan-trayicoc) - Unknown owner - C:\PROGRA~1\eScan\TRAYCSER.EXE O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

04-30-2005, 09:39 AM	#8 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,530 OS: WinXP and Vista	Hi timmyt, Try running the System File Checker: Click Start>Run and type in sfc /scannow (there is a space between sfc and /). __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

05-03-2005, 07:05 AM	#9 (permalink)
timmyt Registered User Join Date: Mar 2005 Posts: 55 OS: WINDOWS 2000	feedback hi, sorry for a late reply. I ran system file checker but still cannot turn on system restore, i tried checking for errors on all my drives but could only run the tool on drive d not drive c. any ideas will be welcome, i'll try everything i can and then get back to u after two days.

05-03-2005, 06:17 PM	#10 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,530 OS: WinXP and Vista	Hi timmyt, By any chance has the StateMgr 'been 'unchecked' in msconfig? To check this, Start>Run>type in msconfig Click StartUp tab and look for that entry--make sure there is a 'check' in the box. If that doesn't work: Read the discussion and try the suggestions here: http://forums.wugnet.com/-enable-Res...ict226318.html. Let us know if this helps. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul." Last edited by Ried; 05-03-2005 at 06:36 PM.

05-12-2005, 08:23 AM	#11 (permalink)
timmyt Registered User Join Date: Mar 2005 Posts: 55 OS: WINDOWS 2000	feedback i tried running msconfig but couldnt find the entry statemgr! i'll try the suggestions offered at the link you provided. thanx

05-12-2005, 08:29 AM	#12 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,530 OS: WinXP and Vista	Hi, Also download and run the Mwav Virus checker that POADB suggested earlier and post that here - it'll show us if there's something deeper in your system. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

05-18-2005, 08:18 AM	#13 (permalink)
timmyt Registered User Join Date: Mar 2005 Posts: 55 OS: WINDOWS 2000	feedback Man, this thing is cracking my head! i can't find the StateMgr in MsConfig, stmgr.exe is also not running! if only i was able to find StateMgr, then it would have been simple to tell if it is checked or not. tried all suggestions from the links u provided but nothing is working. the fight is still on.

05-18-2005, 08:33 AM	#14 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,530 OS: WinXP and Vista	Ok timmyt, Please run the Mwav and post that here (scroll up this thread to find link and instructions given by POADB) __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

05-23-2005, 07:35 AM	#15 (permalink)
timmyt Registered User Join Date: Mar 2005 Posts: 55 OS: WINDOWS 2000	feedback hi, i did run mwav but it didnt find anything! i hav the latest HJT log, i'll wait for you to analyze it and if its clean then definitely its a problem of the machine itself. These Acer veriton 7600G's r a real pain. here is the log. Logfile of HijackThis v1.99.1 Scan saved at 215 PM, on 5/23/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\eScan\TRAYCSER.EXE C:\PROGRA~1\eScan\avpm.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\eScan\TRAYICOC.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe C:\PROGRA~1\eScan\ESCANIPC.EXE C:\PROGRA~1\eScan\AVPMWrap.EXE C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\eScan\MAILDISP.EXE C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\eScan\AvpM.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Magic Keyboard\MagicKey.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\PROGRA~1\eScan\SPOOLER.EXE C:\Program Files\Corel\Graphics9\Register\Remind32.exe C:\Program Files\Magic Keyboard\V3D.exe C:\Program Files\Magic Keyboard\OSD.EXE C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://GLOBAL.ACER.COM/ O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [ItMonitor] C:\WINDOWS\WASAY\MONITOR.EXE O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE" O4 - HKLM\..\Run: [ESCANIPC] C:\PROGRA~1\eScan\ESCANIPC.EXE O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/ O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{61952829-7EAC-49F7-8240-4627F056782A}: NameServer = 196.25.228.113,196.34.234.236 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: eScan Client-Updater (eScan-trayicoc) - Unknown owner - C:\PROGRA~1\eScan\TRAYCSER.EXE O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

05-23-2005, 08:12 AM	#16 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,530 OS: WinXP and Vista	Your log is still clean. Try this: To verify that System Restore services are running from Control Panel: Click Start, Control Panel, then Performance and Maintenance Click Administrative Tools, Computer Management, then Services and Applications. Click Services, and then click System Restore Services. Ensure the service is set to Automatic and the status is Started __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."