Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

dr watson debugger error is bugging me


  • This topic is locked This topic is locked

#16
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
yes please do, it isthe only way to make sure you computer is completely 100% clean
  • 0

Advertisements


#17
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Sorry to bug you again so soon but on the last instructions can you please clarify where to reboot and what items should be done in SAFE mode, specifically dowloading Trojan Hunter and then the new Hijack this.

Sorry I'm such a pain.
  • 0

#18
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
download trojan hunter then boot into safe mode, sorry about that, should have posted that a different way
  • 0

#19
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
P.S. please your not a pain
  • 0

#20
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Sherlock, I think Dr. Watson has left the building.
No, seriously I think it's gone. I only made one small error and that was forgetting to empty the recycle bin before doing the final scan so of course they showed up there. I'll run it again to confirm all is gone.

Here's the log file Let me know what you think. IN safe mode all those dll files I was referring to were gone. The R1 - R3 files you wanted me to delete did not show up. 016 one was there and all the rest that followed and I deleted them....


Logfile of HijackThis v1.99.1
Scan saved at 6:01:10 PM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Brents\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bourque.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...78336/enter.cab
O16 - DPF: {4E52618E-546D-11D5-90EE-00D0B7484CA6} (NPAgent Class) - https://client.manul...tAggregator.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Brents\Local Settings\Temporary Internet Files\Content.IE5\CDEZCPER\CWShredder[1].exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#21
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Hi Aullie,

got one thing for ya to take care of, then your log should be completely clean, dunno if you missed it or what but could you please run Hijack this again, then making sure all windows, including this one, are closed check the following entries then select fix checked,

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u



No file deletions this time

Otherwise then that , you have a clean log :tazz: I knew you could do it! great job!

now then

For Future Protection
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see
So how did I get infected in the first place?

Edited by Efwis, 02 March 2005 - 08:11 PM.

  • 0

#22
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Thank you so very much. Dr. Watson is gone and I'm more comfortable with the PC although I still wouldn't tackle anything like this alone.


Efwis,

Just to let you know. ON the final instructions with Hijack This...only the second one of these files was there. NO R3.


R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u


Thanks for the tips on future protection. Exactly what I was going to ask for.

NOw, I already had Spybot S&R as well as Adaware on my system. All these others I have added such as Trojan Hunter , About Buster, CW Shredder, Cwsservice, HOster and HOusecall. Do I leave these on my system. I gather if I needed them again(NEVER!) I'd have to update them anyway.

And FINALLY, I have a router with a firewall in it and it's my understanding that I then can turn off the WindowsXP SEcurity Centre firewall. That's how it was set up and I'm wondering if that's correct and best for security.

Thanks again for all you do~! ;) :tazz:
  • 0

#23
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
OOOPS Forgot to send the "final" HijackThis log. Here it is:

Logfile of HijackThis v1.99.0
Scan saved at 7:44:56 AM, on 3/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Utils\HijackThis.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...78336/enter.cab
O16 - DPF: {4E52618E-546D-11D5-90EE-00D0B7484CA6} (NPAgent Class) - https://client.manul...tAggregator.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: CWShredder Service - Unknown - C:\Documents and Settings\Brents\Local Settings\Temporary Internet Files\Content.IE5\CDEZCPER\CWShredder[1].exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#24
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
first, yes if you have a router/firewall center on your system, you can disable Windows firewall.

Second, for all those programs you can delete them since your system is now clean.
keep spybot:S&D and Ad-aware as they are handy to use at least once a week to keep your system clean.

i also couldn't help but notice you are not running an antivirus program, one fo the most highly recommended programs out is free and called AVG. you can get it at http://www.grisoft.com and follow the links for AVG free edition. it updates daily and scans daily. andother good program, albeit not free, is NOD32 you can get this at http://nod32.name/nod/index.htm

Happy computing
  • 0

#25
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I'm confused...You mentioned I don't have anti-virus. I have Symantec AntiVirus 8.1.0.825 and it scans every night.

I hope it's doing its job ?

Anyway thanks again for everything.
  • 0

Advertisements


#26
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
your right, I'm sorry, I missed a couple of lines that showed that to me, my fault. sorry to have concerned you
  • 0

#27
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
no problem,, just glad to have a clean system again. :tazz:
  • 0

#28
sooners_ou2008

sooners_ou2008

    Member

  • Member
  • PipPip
  • 57 posts
[SIZE=7] yes i'm haveing the problem to and i read up on it and what yall where saying soo.... here are my logs...



Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUMENTS AND SETTINGS\MARVIN\DESKTOP\HijackThis.exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tdtrr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tdtrr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tdtrr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tdtrr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tdtrr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tdtrr.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5B70C48-44FC-EE21-10FB-6B345BD9B634} - C:\WINDOWS\system32\msix.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [atlgu.exe] C:\WINDOWS\system32\atlgu.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [atlmg.exe] C:\WINDOWS\system32\atlmg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.50...a/cfsn31235.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100938860968
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Abel - Unknown owner - C:\Documents and Settings\SOONERS\Desktop\eyecon\Cain\Abel.exe (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SOONERS\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\mszz.exe
  • 0

#29
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
This topic has been resolved and is now closed. If the original poster has any problems and needs it to be reopened, please contact a staff member.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP