Whole system seems corrupted

**emjayh** · 05-18-2005, 05:38 PM

My system appears to please itself what it does.

Here's some histiory -

Winsock2 done - no problem
Clean-up done - no problem
Ad-aware SE personal - downloaded - but won't run
CW shredder - done - no problem
Spybot 13 - installed - but stalls when it gets to Xuron 55- comes up-
Error during check - Xuron55(Datei C:\WINDOWS\win.ini.kann nicht geoff

Panda Active scan will not download
McAfee Virus Scan ( my normal scanner) will not operate - tells me I have components missing and need to reinstall - when I try to reinstall - tells me my security settings will not allow ActiveX controls. Have checked settings they are as instructed.

Trend Micro Housecall- will not load
AVG- downloaded no problem

TDS-3 downloaded no problem - but will not scan anything or even open

All windows updates done.

Symptoms-

Takes forever to boot up
Crashes or stalls on regular basis
My iHateSpam does not work
Several programs just simply don't work
Internet connection erratic - can't handle more than 1 or 2 windows open
& will not connect to many websites - just stalls.

Can anybody help ????

**Terrister** · 05-18-2005, 06:26 PM

Can you download and run Stinger? http://vil.nai.com/vil/stinger/

**jgvernonco** · 05-18-2005, 06:29 PM

Howdy!

We can certainly try. Please follow the directions below. Meanwhile, I will move your thread to the appropriate forum so you'll be helped a bit sooner.

Please download HijackThis http://www.greyknight17.com/spy/HijackThis.exe - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

**emjayh** · 05-18-2005, 11:05 PM

Hi,

Thanks for the quick response. Could not connect to the link so I typed in the link.

Downloaded HiJackThis - no problem - exe file and scan log now sat in C:\HJT

Unable to connect to KRC...9620Analyser.zip - link doesn't work and if I type it in, it tells me KRC page not found.

Next step please - do I post my HJT log??

Thanks

greyknight17 · 05-19-2005, 10:07 AM

Skip KRC analyzer. Give us the hijackthis.log file now. Copy and paste the whole log here.

**emjayh** · 05-19-2005, 01:21 PM

Hi, here goes - tell me if it's terminal, I can take bad news.

Logfile of HijackThis v1.99.1
Scan saved at 5:11:13 p.m., on 19/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
C:\PROGRAM FILES\PC MIGHTYMAX\PCMM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HISTORYKILL\HISTKILL.EXE
C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [PCMMRealtime] C:\PROGRAM FILES\PC MIGHTYMAX\pcmm.exe /R
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\RunServices: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab

Many thanks

**jgvernonco** · 05-20-2005, 12:33 AM

Greetings, and welcome to TSF!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the upate".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"

===============

Go to Add/Remove programs and remove(uninstall) the following, if present:

Web Related

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Post back a new log, and let us know how everything goes.

**emjayh** · 05-20-2005, 06:15 AM

Next HiJack This Log file:-

Logfile of HijackThis v1.99.1
Scan saved at 12:01:46 a.m., on 21/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
C:\PROGRAM FILES\PC MIGHTYMAX\PCMM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HISTORYKILL\HISTKILL.EXE
C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [PCMMRealtime] C:\PROGRAM FILES\PC MIGHTYMAX\pcmm.exe /R
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\RunServices: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com

I'll see how things are over the next twelve hours, AVG seems to be working better than Mcafee ever did, as McAfee says I have components missing should I try to uninstall it ?? I'll update you in the morning our time.

Thank you

**POADB** · 05-20-2005, 08:34 AM

Uninstall BestPopUpKiller from Add/Remove.

Run HJT and fix the following:

O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\RunServices: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup

And delete this folder:

C:\Program Files\BestPopUpKiller\

Run a new HJT scan and report back with an update to how things are.

**emjayh** · 05-20-2005, 03:35 PM

OK - a few variations on your request.

Could not find Best PopUpKiller in Add/Remove.

It is actually part of the same program as History killer- so from the desk top I uninstalled History killer which automatically removes Best Pop up killer.

Ran HJT -

Fixed - 04- HKCU\..\Run:[BestPopUpKiller] C:\Program etc etc

Could not find - 04 - HKCU\..\RunServices:[Best PopUpKiller] etc - must have cleared with uninstall ?

As I uninstalled History Killer I have also 'fixed' the following in HJT -

04 - HKCU\..\Run:[HistoryKill] C:\ProgramFiles\HistoryKill\HistKill.exe/startup.

Deleted folder - c:\Program Files\BestPopUpKiller\

OK - now for an update

Ad-aware SE personal - still will not run (same German messages as before)

Links from emails or websites still not working - there are pages even on this website
I can't get to - system just stalls when I click on them.

Still getting error messages for ActiveX- telling me security settings prohibit ActiveX controls.

TDS-3 still not working - should I uninstall and install ? same goes for Ad-aware

Problems still with browser - if two windows open, closing second window closes both windows and shuts Internet Explorer

Possibly a bit quicker booting up- but then again I must have fewer programs trying to run on start up.

Thanks for the help hers's the Log File

Logfile of HijackThis v1.99.1
Scan saved at 9:09:55 a.m., on 21/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
C:\PROGRAM FILES\PC MIGHTYMAX\PCMM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [PCMMRealtime] C:\PROGRAM FILES\PC MIGHTYMAX\pcmm.exe /R
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com

Ried · 05-20-2005, 09:30 PM

Hello emjayh,

There have been issues with Microsoft's KB891711 Update on some 98 and ME systems. Try disabling this entry from StartUp and see if it helps.

Reboot into Safe Mode (tapping F5 or F8)

Run a scan in HijackThis and check the following entry, then click 'Fix Checked'

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

Reboot into Normal Mode. Is there any improvement?

**emjayh** · 05-21-2005, 04:08 PM

Seems no improvement-

Removed items as requested in safe mode.

All same symptoms still exist - there is also a lot of activity from the hard drive as though it's trying to read a floppy or a disc that's not there. This isn't a new symptom but one I've not previously mentioned. Maybe it's some protective virus scanning activity ?

Ried · 05-21-2005, 04:27 PM

See if you can get this program to run for you. Since it's not actually installed, I think you may have a chance.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

**emjayh** · 05-22-2005, 06:20 AM

mwav log - quite interesting

Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B738B059-B74F-11D1-AA87-0000B43695BE}" refers to invalid object "C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FRCOM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B738B05B-B74F-11D1-AA87-0000B43695BE}" refers to invalid object "C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FRCOM.DLL". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\WMDMPDAExplorer.WMDMPDAExplorer.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMDMPDAExplorer.WMDMPDAExplorer" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\BackWeb.5.5" refers to invalid object "{53FCF358-5323-11D0-A864-0000B43699FC}". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\GCAOCGHI infected by "Type_Win32" Virus! Action Taken: No Action Taken.

I was under the impression that the Alexa spyware was cleaned out by spy-bot a few days ago.

**POADB** · 05-22-2005, 07:17 AM

C:\WINDOWS\SYSTEM\GCAOCGHI

Delete the above file and report back

TheShape · 05-22-2005, 07:38 AM

Could you HJT guys please look at this thread?Super hijacked comp (HJT Log inside.)

**emjayh** · 05-22-2005, 02:46 PM

Update-

c:\WINDOWS\SYSTEM\GCAOCGHI- deleted no problem

Thought I would revisit Ad aware - Yes! it runs, did full scan picked up on the Alexa spyware, on other and 12 minor .- deleted.

The going was good - so I tried TDS-3 Yes! it works - did full scan -no problems recognised.

Generally there appears to be an improvement in operating speed - but

McAfee still will not work- tells me some components missing - reinstall, but when I try to reinstall tells me security settings prohibit ActiveX controls.
Should I delete McAfee as AVG seems good and cheaper.

Occasionally my homepage (Xtra Home) tells me ActiveX controls needed to show the page fully and will sometimes just stall at this point.

Links from web-sites or emails still erratic. Downloads to Media Player a definite no-no, just stalls for 2 minutes or crashes - blue screen - error in etc .

My last McAfee scan showed PWS-Fivsec Keylogger - but said it was write-protected and unable to delete/quarantine. I don't know if this is still present as McAfee won't run.

Is it time to run Spy-bot again and then a HJT Log ?

Thanks for your help guys, I appreciate it isn't straight forward, and I will be making a donation, it's gonna be cheaper than the several spyware/antivirus/malware software programs I was goaded into buying over the years.

Ried · 05-22-2005, 11:07 PM

Hi emjayh,

It really is up to you which anti-virus you want to use. I can say that I've been using AVG for the past 6-8 months and have been very satisfied with it.

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

**emjayh** · 05-23-2005, 12:13 AM

Silentrunner Log -

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Taskbar Display Controls" = "RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"Keyboard Manager" = "C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"HPScanPatch" = "C:\WINDOWS\SYSTEM\HPScanFix.exe" ["Hewlett-Packard Company"]
"MMTray" = (no data)
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"Delay" = "C:\WINDOWS\delayrun.exe" [null data]
"mgavrtclexe" = "C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe" ["McAfee.com"]
"MCUpdateExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE" ["McAfee, Inc"]
"piiserviceOE" = (no data)
"MCAgentExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe" ["McAfee, Inc"]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"mgavrtclexe" = "C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe" ["McAfee.com"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\My Documents\My Pictures\DSC00419.JPG"

WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\MYPICT~1.SCR" (My Pictures Screen Saver.scr) [MS]

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"McAfee.com Scan for Viruses - My Computer tsid_04102005094333" -> launches: "C:\PROGRAM FILES\MCAFEE.COM\VSO\mcmnhdlr.exe /runtask:0" ["McAfee, Inc."]
"McAfee.com Update Check 04232005161201" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" ["McAfee, Inc"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\msafd.dll [MS], 1 - 3
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 4 - 5

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Cheers guys, how you make any sense all of this lot is beyond me, but thanks

Ried · 05-23-2005, 05:35 AM

Hi,

Unfortunately, that report didn't show me anything. Are you able to get into McAfee's quaratine logs and get me the location of PWS-Fivsec Keylogger? Try doing a search for McAfee in 'All Files and Folders'. It will list anything McAfee and perhaps you'll be able to find the quarantined files that way--it should be there whether McAfee's running or not.

05-18-2005, 05:38 PM	#1 (permalink)
emjayh I helped the forums. Join Date: May 2005 Location: New Zealand Posts: 41 OS: Windows XP	Whole system seems corrupted My system appears to please itself what it does. Here's some histiory - Winsock2 done - no problem Clean-up done - no problem Ad-aware SE personal - downloaded - but won't run CW shredder - done - no problem Spybot 13 - installed - but stalls when it gets to Xuron 55- comes up- Error during check - Xuron55(Datei C:\WINDOWS\win.ini.kann nicht geoff Panda Active scan will not download McAfee Virus Scan ( my normal scanner) will not operate - tells me I have components missing and need to reinstall - when I try to reinstall - tells me my security settings will not allow ActiveX controls. Have checked settings they are as instructed. Trend Micro Housecall- will not load AVG- downloaded no problem TDS-3 downloaded no problem - but will not scan anything or even open All windows updates done. Symptoms- Takes forever to boot up Crashes or stalls on regular basis My iHateSpam does not work Several programs just simply don't work Internet connection erratic - can't handle more than 1 or 2 windows open & will not connect to many websites - just stalls. Can anybody help ????

05-18-2005, 06:26 PM	#2 (permalink)
Terrister Moderator Hardware Forum Join Date: Apr 2005 Location: West Georgia, USA Posts: 7,098 OS: Xp	Can you download and run Stinger? http://vil.nai.com/vil/stinger/ __________________

05-18-2005, 06:29 PM	#3 (permalink)
jgvernonco Old Timer Join Date: Sep 2003 Location: Northern Arizona Posts: 7,958 OS: Vista Home Premium, SP 27	Howdy! We can certainly try. Please follow the directions below. Meanwhile, I will move your thread to the appropriate forum so you'll be helped a bit sooner. Please download HijackThis http://www.greyknight17.com/spy/HijackThis.exe - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it. 1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'. 2. If you don't get the intro screen, just hit Scan and then click on Save log. 3. Get HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless. __________________ Donations keep TSF moving forward. Please help. http://www.myspace.com/speedbumpthecelt

05-19-2005, 10:07 AM	#5 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Skip KRC analyzer. Give us the hijackthis.log file now. Copy and paste the whole log here. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

05-20-2005, 12:33 AM	#7 (permalink)
jgvernonco Old Timer Join Date: Sep 2003 Location: Northern Arizona Posts: 7,958 OS: Vista Home Premium, SP 27	Greetings, and welcome to TSF! Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Download, unzip to your desktop CWShredder and run it, then: 1. Click "*Check For Update" (If an update isn't available, skip to step #4.) 2. Click "Click here to Download the upate". 3. When the new version has been downloaded, click "Save". 4. Click "Fix ->" =============== Go to Add/Remove programs* and remove(uninstall) the following, if present: Web Related The above could appear anywhere within the entry. Be careful not to remove any personal or system software. =============== Run HiJackThis and click "*Scan", then check(tick) the following, if present: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =* R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O1 - Hosts: 64.91.255.87 www.dcsresearch.com O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab Now, with all windows closed except HiJackThis, click "*Fix checked*". =============== Post back a new log, and let us know how everything goes. __________________ Donations keep TSF moving forward. Please help. http://www.myspace.com/speedbumpthecelt

05-18-2005, 11:05 PM	#4 (permalink)
emjayh I helped the forums. Join Date: May 2005 Location: New Zealand Posts: 41 OS: Windows XP	Hi, Thanks for the quick response. Could not connect to the link so I typed in the link. Downloaded HiJackThis - no problem - exe file and scan log now sat in C:\HJT Unable to connect to KRC...9620Analyser.zip - link doesn't work and if I type it in, it tells me KRC page not found. Next step please - do I post my HJT log?? Thanks

05-19-2005, 01:21 PM	#6 (permalink)
emjayh I helped the forums. Join Date: May 2005 Location: New Zealand Posts: 41 OS: Windows XP	Hi, here goes - tell me if it's terminal, I can take bad news. Logfile of HijackThis v1.99.1 Scan saved at 5:11:13 p.m., on 19/05/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE C:\WINDOWS\SYSTEM\HPSYSDRV.EXE C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE C:\PROGRAM FILES\PC MIGHTYMAX\PCMM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE C:\WINDOWS\RunDLL.exe C:\PROGRAM FILES\HISTORYKILL\HISTKILL.EXE C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\HJT\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O1 - Hosts: 64.91.255.87 www.dcsresearch.com O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe O4 - HKLM\..\Run: [PCMMRealtime] C:\PROGRAM FILES\PC MIGHTYMAX\pcmm.exe /R O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY O4 - HKCU\..\RunServices: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup O4 - HKCU\..\RunServices: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab Many thanks

05-20-2005, 06:15 AM	#8 (permalink)
emjayh I helped the forums. Join Date: May 2005 Location: New Zealand Posts: 41 OS: Windows XP	Next HiJack This Log file:- Logfile of HijackThis v1.99.1 Scan saved at 12:01:46 a.m., on 21/05/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE C:\WINDOWS\SYSTEM\HPSYSDRV.EXE C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE C:\PROGRAM FILES\PC MIGHTYMAX\PCMM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE C:\WINDOWS\RunDLL.exe C:\PROGRAM FILES\HISTORYKILL\HISTKILL.EXE C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\HJT\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE O4 - HKLM\..\Run: [PCMMRealtime] C:\PROGRAM FILES\PC MIGHTYMAX\pcmm.exe /R O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY O4 - HKCU\..\RunServices: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup O4 - HKCU\..\RunServices: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com I'll see how things are over the next twelve hours, AVG seems to be working better than Mcafee ever did, as McAfee says I have components missing should I try to uninstall it ?? I'll update you in the morning our time. Thank you

05-20-2005, 08:34 AM	#9 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,482 OS: XP SP2	Uninstall BestPopUpKiller from Add/Remove. Run HJT and fix the following: O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup O4 - HKCU\..\RunServices: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup And delete this folder: C:\Program Files\BestPopUpKiller\ Run a new HJT scan and report back with an update to how things are. __________________

05-20-2005, 03:35 PM	#10 (permalink)
emjayh I helped the forums. Join Date: May 2005 Location: New Zealand Posts: 41 OS: Windows XP	OK - a few variations on your request. Could not find Best PopUpKiller in Add/Remove. It is actually part of the same program as History killer- so from the desk top I uninstalled History killer which automatically removes Best Pop up killer. Ran HJT - Fixed - 04- HKCU\..\Run:[BestPopUpKiller] C:\Program etc etc Could not find - 04 - HKCU\..\RunServices:[Best PopUpKiller] etc - must have cleared with uninstall ? As I uninstalled History Killer I have also 'fixed' the following in HJT - 04 - HKCU\..\Run:[HistoryKill] C:\ProgramFiles\HistoryKill\HistKill.exe/startup. Deleted folder - c:\Program Files\BestPopUpKiller\ OK - now for an update Ad-aware SE personal - still will not run (same German messages as before) Links from emails or websites still not working - there are pages even on this website I can't get to - system just stalls when I click on them. Still getting error messages for ActiveX- telling me security settings prohibit ActiveX controls. TDS-3 still not working - should I uninstall and install ? same goes for Ad-aware Problems still with browser - if two windows open, closing second window closes both windows and shuts Internet Explorer Possibly a bit quicker booting up- but then again I must have fewer programs trying to run on start up. Thanks for the help hers's the Log File Logfile of HijackThis v1.99.1 Scan saved at 9:09:55 a.m., on 21/05/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE C:\WINDOWS\SYSTEM\HPSYSDRV.EXE C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE C:\PROGRAM FILES\PC MIGHTYMAX\PCMM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE C:\WINDOWS\RunDLL.exe C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\HJT\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE O4 - HKLM\..\Run: [PCMMRealtime] C:\PROGRAM FILES\PC MIGHTYMAX\pcmm.exe /R O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com

05-20-2005, 09:30 PM	#11 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,059 OS: WinXP and Vista	Hello emjayh, There have been issues with Microsoft's KB891711 Update on some 98 and ME systems. Try disabling this entry from StartUp and see if it helps. Reboot into Safe Mode (tapping F5 or F8) Run a scan in HijackThis and check the following entry, then click 'Fix Checked' O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE Reboot into Normal Mode. Is there any improvement? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

05-21-2005, 04:08 PM	#12 (permalink)
emjayh I helped the forums. Join Date: May 2005 Location: New Zealand Posts: 41 OS: Windows XP	Seems no improvement- Removed items as requested in safe mode. All same symptoms still exist - there is also a lot of activity from the hard drive as though it's trying to read a floppy or a disc that's not there. This isn't a new symptom but one I've not previously mentioned. Maybe it's some protective virus scanning activity ? Last edited by emjayh; 05-21-2005 at 04:09 PM.

05-21-2005, 04:27 PM	#13 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,059 OS: WinXP and Vista	See if you can get this program to run for you. Since it's not actually installed, I think you may have a chance. Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool. Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3) 1. Save it to a folder. 2. Reboot into Safe Mode. 3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything. 4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane. 5. In the Virus Log Information Pane...... Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file *Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files. Once you copy that to a Notepad file...highlight the text and copy it here. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

05-22-2005, 06:20 AM	#14 (permalink)
emjayh I helped the forums. Join Date: May 2005 Location: New Zealand Posts: 41 OS: Windows XP	mwav log - quite interesting Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken. Entry "HKCR\CLSID\{B738B059-B74F-11D1-AA87-0000B43695BE}" refers to invalid object "C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FRCOM.DLL". Action Taken: No Action Taken. Entry "HKCR\CLSID\{B738B05B-B74F-11D1-AA87-0000B43695BE}" refers to invalid object "C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FRCOM.DLL". Action Taken: No Action Taken. Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken. Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken. Entry "HKCR\WMDMPDAExplorer.WMDMPDAExplorer.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken. Entry "HKCR\WMDMPDAExplorer.WMDMPDAExplorer" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken. Entry "HKCR\BackWeb.5.5" refers to invalid object "{53FCF358-5323-11D0-A864-0000B43699FC}". Action Taken: No Action Taken. File C:\WINDOWS\SYSTEM\GCAOCGHI infected by "Type_Win32" Virus! Action Taken: No Action Taken. I was under the impression that the Alexa spyware was cleaned out by spy-bot a few days ago.

05-22-2005, 07:17 AM	#15 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,482 OS: XP SP2	C:\WINDOWS\SYSTEM\GCAOCGHI Delete the above file and report back __________________

05-22-2005, 07:38 AM	#16 (permalink)
TheShape Member Join Date: May 2005 Posts: 37 OS: Windows XP Home	Could you HJT guys please look at this thread?Super hijacked comp (HJT Log inside.) __________________ GigaByte GA-81P775 Series Mobo eVGA Graphics card (AGP) Intel P4 w/ HT Technology 3.0 GHz LGA775 CPU Im just running and getting nowhere

05-22-2005, 02:46 PM	#17 (permalink)
emjayh I helped the forums. Join Date: May 2005 Location: New Zealand Posts: 41 OS: Windows XP	Update- c:\WINDOWS\SYSTEM\GCAOCGHI- deleted no problem Thought I would revisit Ad aware - Yes! it runs, did full scan picked up on the Alexa spyware, on other and 12 minor .- deleted. The going was good - so I tried TDS-3 Yes! it works - did full scan -no problems recognised. Generally there appears to be an improvement in operating speed - but McAfee still will not work- tells me some components missing - reinstall, but when I try to reinstall tells me security settings prohibit ActiveX controls. Should I delete McAfee as AVG seems good and cheaper. Occasionally my homepage (Xtra Home) tells me ActiveX controls needed to show the page fully and will sometimes just stall at this point. Links from web-sites or emails still erratic. Downloads to Media Player a definite no-no, just stalls for 2 minutes or crashes - blue screen - error in etc . My last McAfee scan showed PWS-Fivsec Keylogger - but said it was write-protected and unable to delete/quarantine. I don't know if this is still present as McAfee won't run. Is it time to run Spy-bot again and then a HJT Log ? Thanks for your help guys, I appreciate it isn't straight forward, and I will be making a donation, it's gonna be cheaper than the several spyware/antivirus/malware software programs I was goaded into buying over the years. Last edited by emjayh; 05-22-2005 at 02:54 PM.

05-22-2005, 11:07 PM	#18 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,059 OS: WinXP and Vista	Hi emjayh, It really is up to you which anti-virus you want to use. I can say that I've been using AVG for the past 6-8 months and have been very satisfied with it. Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

05-23-2005, 12:13 AM	#19 (permalink)
emjayh I helped the forums. Join Date: May 2005 Location: New Zealand Posts: 41 OS: Windows XP	Silentrunner Log - "Silent Runners.vbs", revision 37, http://www.silentrunners.org/ Operating System: Windows Me (Millennium Edition) Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Taskbar Display Controls" = "RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS] "TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS] "PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS] "SystemTray" = "SysTray.Exe" [MS] "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS] "Keyboard Manager" = "C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."] "HPScanPatch" = "C:\WINDOWS\SYSTEM\HPScanFix.exe" ["Hewlett-Packard Company"] "MMTray" = (no data) "hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"] "Delay" = "C:\WINDOWS\delayrun.exe" [null data] "mgavrtclexe" = "C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe" ["McAfee.com"] "MCUpdateExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE" ["McAfee, Inc"] "piiserviceOE" = (no data) "MCAgentExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe" ["McAfee, Inc"] "AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."] "AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."] "AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++} "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS] "SchedulingAgent" = "mstask.exe" [MS] "SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS] "StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS] "mgavrtclexe" = "C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe" ["McAfee.com"] HKLM\Software\Microsoft\Active Setup\Installed Components\ PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] Enabled Active Desktop and Wallpaper: ------------------------------------- Active Desktop is enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\My Documents\My Pictures\DSC00419.JPG" WIN.INI & SYSTEM.INI launch points: ----------------------------------- SYSTEM.INI [boot] "SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\MYPICT~1.SCR" (My Pictures Screen Saver.scr) [MS] Startup items in "Startup" & "All Users...Startup" folders: ----------------------------------------------------------- C:\WINDOWS\Start Menu\Programs\StartUp "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS] Enabled Scheduled Tasks: ------------------------ "Tune-up Application Start" -> launches: "walign" [MS] "PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS] "McAfee.com Scan for Viruses - My Computer tsid_04102005094333" -> launches: "C:\PROGRAM FILES\MCAFEE.COM\VSO\mcmnhdlr.exe /runtask:0" ["McAfee, Inc."] "McAfee.com Update Check 04232005161201" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" ["McAfee, Inc"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range: C:\WINDOWS\SYSTEM\msafd.dll [MS], 1 - 3 C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 4 - 5 ---------- This report excludes default entries except where indicated. To see everywhere* the script checks and everything it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- Cheers guys, how you make any sense all of this lot is beyond me, but thanks

05-23-2005, 05:35 AM	#20 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,059 OS: WinXP and Vista	Hi, Unfortunately, that report didn't show me anything. Are you able to get into McAfee's quaratine logs and get me the location of PWS-Fivsec Keylogger? Try doing a search for McAfee in 'All Files and Folders'. It will list anything McAfee and perhaps you'll be able to find the quarantined files that way--it should be there whether McAfee's running or not. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."