Currently I am running norton internet security and the firewall is on blocking everything unless I give it permission. This alerted me to the open32.exe file which I thought I deleted from my machine but according to the hijack-this-log is still there. I am running the beta version of microsoft antispyware and it is blocking mszx32.exe from installing a start up value:
secboot:C:\Windows\system32\mszx.32.exe to my start up registry at this location:
HKEY_Local_Machine\software\microsoft\windows\CurrentVersion\Run
I found some instructions for removing this at castlecops.com and http://forums.maddoktor2.com
They both give differnt methods but the one at http://forums.maddoktor2.com appears to be more complete I have posted the removal instructions below.
Instructions :
1 remove the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
2 rebot the pc from the windows xp install cd into "repair mode". Rebooting into failsafe mode will still keep files open and you will be unable to move files into quarantine.
3 With DOS like command interpreter change directory to windows system folder
(CD C:\WINDOWS\SYSTEM32)
4 create a directory called quarantine (MD quarantine)
5 Copy files mszx.exe, drct16.dll, p2.ini, klo5.sys, vdnt32.sys, klogini.dll, i.a3d, fltr.a3d, redir.a3d to the quarantine directory (Copy <filename> quarantine)
6 Delete the above mentioned files from the SYSTEM32 folder (DEL <filename>)
7 eject the windows cd-rom type exite and pres enter to boot from hard disk.l
system should now be clean.
Hijack this log
Logfile of HijackThis v1.98.2
Scan saved at 10:56:18 PM, on 2/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\NORTON~1\Cfgwiz.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\PROGRA~1\NORTON~1\Navapw32.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack-this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WIN Tools - {4E7BD74F-2B8D-469E-D0EA-F878F4D5FA7D} - C:\WINDOWS\DOWNLO~1\tgtb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: WIN Tools - {4E7BD74F-2B8D-469E-D0EA-F878F4D5FA7D} - C:\WINDOWS\DOWNLO~1\tgtb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: outlook express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0EA-F878F4D5FA7D} (WIN Tools) - http://www.searchfor...eeting/tgtb.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tosinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tosinc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tosinc.com
Questions:
1 What is Windows "repair mode" how is it different from "Safe mode"?
2 What commands will I need to complete the directions or are they listed correctly within parenthesis?
3 What do I need to do to rid my machine of open32.exe?