Dr. Watson


This topic is locked

#1 fancydan (Member, 10 posts)
Hello,

It seems that I am having the same problem as many of the other posters. I cannot access My Computer; after trying, I get the Dr. Watson error and the computer freezes until I close the drwatson process. Here is my HijackThis log, please help.... Thanks, Thomas.


Logfile of HijackThis v1.99.1
Scan saved at 5:54:48 PM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\addxh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\javaex32.exe
C:\Program Files\aim\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EDF94985-0AA4-714B-4D3F-E2B133CFEEAD} - C:\WINDOWS\ieug.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [mfcpb.exe] C:\WINDOWS\system32\mfcpb.exe
O4 - HKLM\..\Run: [ipvc32.exe] C:\WINDOWS\system32\ipvc32.exe
O4 - HKLM\..\Run: [apitq.exe] C:\WINDOWS\system32\apitq.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [javaex32.exe] C:\WINDOWS\javaex32.exe
O4 - HKLM\..\RunOnce: [addxh.exe] C:\WINDOWS\system32\addxh.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Euchre by pogo - http://euchre.pogo.c...e-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades.pogo.c...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2 fancydan (Topic Starter, Member, 10 posts)
PLEASE HELP!

I have followed all of the guidelines for posting. I have the same problem that a lot of others have, where I cannot access My Computer/My Docs/Recycle Bin, etc. without a Dr. Watson error freezing up my computer. I know I have a trojan, as AVG has made all too clear, but although it finds the virus it has done nothing to help it come back. I just want to be able to work on my computer for a solid hour without some problem. Any help is appreciated; here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:11:13 PM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\addxh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\javaex32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EDF94985-0AA4-714B-4D3F-E2B133CFEEAD} - C:\WINDOWS\ieug.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [mfcpb.exe] C:\WINDOWS\system32\mfcpb.exe
O4 - HKLM\..\Run: [ipvc32.exe] C:\WINDOWS\system32\ipvc32.exe
O4 - HKLM\..\Run: [apitq.exe] C:\WINDOWS\system32\apitq.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [javaex32.exe] C:\WINDOWS\javaex32.exe
O4 - HKLM\..\RunOnce: [addxh.exe] C:\WINDOWS\system32\addxh.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Euchre by pogo - http://euchre.pogo.c...e-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades.pogo.c...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#3 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi fancydan and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log. Your main problem is called an A:B WXP/2K with running process type infection, or a Dr Watson Debugger problem.

1. Go to Geeks to Go.
   - Click on My Controls at the top right hand corner of the window (make sure you have signed in first).
   - In the left hand column, click "View Topics".
   - If you click on the title of your post, you will be taken there.

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
   - Where it says "unsubscribe", click the pull-down menu and select "immediate email notification".

3. I see that you are running two different antivirus programs. This situation often causes conflicts within the system, something we don't need now. Please uninstall one of them and repost a fresh log.

Regards,

Trevuren

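
The diagnosis above rests on a handful of patterns in fancydan's log: IE search settings pointing at a res:// URL inside a DLL in system32, a BHO with no name, Run/RunOnce values whose name is simply the executable's file name, and a service with a garbled short name, no owner and a missing binary. The script below is an added example written for this page, not code from the thread or from the HijackThis project; it applies those heuristics to a constructed excerpt in HijackThis 1.99 format modelled on the posted log. The regular expressions, the severity labels and the "value name equals file name under %WINDIR%" rule are this editor's assumptions, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis 1.99 format, modelled on the entries in the
# log posted above (a short excerpt, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EDF94985-0AA4-714B-4D3F-E2B133CFEEAD} - C:\WINDOWS\ieug.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mfcpb.exe] C:\WINDOWS\system32\mfcpb.exe
O4 - HKLM\..\Run: [javaex32.exe] C:\WINDOWS\javaex32.exe
O4 - HKLM\..\RunOnce: [addxh.exe] C:\WINDOWS\system32\addxh.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip("\n")


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str              # "high" or "medium" (editor's own scale)
    reason: str
    line: str
    path: Optional[str] = None  # file on disk the entry points at, if any


# Line shapes as HijackThis 1.99 prints them (assumed from the log above).
RE_R = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<entry>[^\]]+)\] (?P<cmd>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.+) \((?P<svc>[^()]*)\) - (?P<owner>.*?) ?- (?P<path>.*)$")
# An .exe sitting directly in C:\WINDOWS or C:\WINDOWS\system32.
RE_WINDIR_EXE = re.compile(r"^[A-Za-z]:\\WINDOWS(?:\\system32)?\\(?P<exe>[^\\]+\.exe)$", re.I)
# What a legitimate service short name usually looks like.
RE_SVC_NAME = re.compile(r"[A-Za-z0-9_.\- ]+")


def res_dll(value: str) -> Optional[str]:
    """For a res:// URL, return the DLL the browser is told to load, else None."""
    m = re.match(r"res://(?P<dll>.+?\.dll)", value, re.I)
    return m["dll"] if m else None


def first_token(cmd: str) -> str:
    """Executable part of an O4 command line, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics used in this thread to each line of an HJT log."""
    out: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = RE_R.match(line)
        if m:
            dll = res_dll(m["value"])
            if dll:
                out.append(Finding(n, "high", "IE search/start page points into a local DLL resource (about:blank-style hijack)", line, dll))
            continue
        if line.startswith("R3 - ") and "missing" in line:
            out.append(Finding(n, "medium", "default URLSearchHook has been removed", line))
            continue
        m = RE_O2.match(line)
        if m:
            if m["name"] == "(no name)":
                out.append(Finding(n, "high", "unnamed BHO " + m["clsid"] + " loaded into every IE window", line, m["path"]))
            continue
        m = RE_O4.match(line)
        if m:
            exe = first_token(m["cmd"])
            w = RE_WINDIR_EXE.match(exe)
            # Value name identical to the file name, binary dropped under %WINDIR%:
            # mfcpb.exe, javaex32.exe, addxh.exe match; NeroFilterCheck does not.
            if w and w["exe"].lower() == m["entry"].lower():
                out.append(Finding(n, "high", "autorun whose value name is just the file name, living under %WINDIR%", line, exe))
            continue
        m = RE_O23.match(line)
        if m:
            reasons = []
            if "(file missing)" in m["path"]:
                reasons.append("binary missing on disk")
            if m["owner"] == "Unknown owner":
                reasons.append("no vendor/owner")
            if not RE_SVC_NAME.fullmatch(m["svc"]):
                reasons.append("service short name contains unusual characters")
            if reasons:
                path = m["path"].replace(" (file missing)", "").strip()
                out.append(Finding(n, "high", "service: " + "; ".join(reasons), line, path))
    return out


def suspect_files(findings: List[Finding]) -> List[str]:
    """Unique on-disk paths worth examining, from the findings."""
    return sorted({f.path for f in findings if f.path}, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.severity:6} line {f.line_no:2}: {f.reason}")
    print("files to examine:")
    for p in suspect_files(found):
        print("  " + p)
```

Run against the sample it reports the two res:// search entries, the missing URLSearchHook, the unnamed BHO, the three file-name-only autoruns and the sysck.exe service, and lists six files to look at. The value of this over reading the log by eye is the cross-check: the same DLL and executables turn up in several sections, which is the "running process" characteristic Trevuren refers to. Treat the rules as a starting point for review, not as a verdict; a legitimate vendor autorun can also use its file name as the value name.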

#4 fancydan (Topic Starter, Member, 10 posts)
Okay,

Thank you so much for helping me. I think that I did everything that was asked; here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:08:12 PM, on 3/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mfcwa32.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\MsiExec.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IDSinst.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EDF94985-0AA4-714B-4D3F-E2B133CFEEAD} - C:\WINDOWS\ieug.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [mfcpb.exe] C:\WINDOWS\system32\mfcpb.exe
O4 - HKLM\..\Run: [ipvc32.exe] C:\WINDOWS\system32\ipvc32.exe
O4 - HKLM\..\Run: [apitq.exe] C:\WINDOWS\system32\apitq.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [mfcwa32.exe] C:\WINDOWS\system32\mfcwa32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Euchre by pogo - http://euchre.pogo.c...e-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades.pogo.c...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#5 maaxx (New Member, 1 post)
What I'd like to know, though, is how to get rid of it...
maaxx

Hi maaxx and welcome,
Please see this Topic.
Run through the outlined steps and post a fresh HJT log to a new topic started by you. Be patient and someone will be along to help you as well.
Posting in someone else's topic is a sure way to be overlooked for help.


Fancydan is in the very capable hands of Trevuren; he will get him sorted out.

Thanks
Don

Edited by don77, 30 March 2005 - 06:11 PM.


#6 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the Update button, check for updates, drag the box to the side and hit Download Updates, then close the box. Don't run it yet.


Please download and install AD-Aware.
Check here on how to set up and use it; please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops....F...oad&id=3002
http://www.mytechsup...rviceremove.zip


Download CW-Shredder from either link below:
http://cwshredder.net/bin/CWSshtreder.exe
http://www.mytechsupport.ca/helpwit...CWSshtreder.exe

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigha...ds/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:




When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

sysck.exe

If you find the files, click on them, and then click End Process => Exit the Task Manager.


4. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {EDF94985-0AA4-714B-4D3F-E2B133CFEEAD} - C:\WINDOWS\ieug.dll

O4 - HKLM\..\Run: [mfcpb.exe] C:\WINDOWS\system32\mfcpb.exe
O4 - HKLM\..\Run: [ipvc32.exe] C:\WINDOWS\system32\ipvc32.exe
O4 - HKLM\..\Run: [apitq.exe] C:\WINDOWS\system32\apitq.exe
O4 - HKLM\..\RunOnce: [mfcwa32.exe] C:\WINDOWS\system32\mfcwa32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE<<resource hog

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/://http://red.clientapps.yahoo.com/cus...ww.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)


5. Delete the following files if present:
If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.

C:\WINDOWS\system32\sysck.exe
C:\WINDOWS\system32\mfcpb.exe
C:\WINDOWS\system32\ipvc32.exe
C:\WINDOWS\system32\apitq.exe
C:\WINDOWS\system32\mfcwa32.exe
C:\WINDOWS\system32\nblcj.dll


(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

13. Download and run this online virus scan:
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean"

then reboot and post a fresh Hijack This log to see how we did.
  • 0
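The list above is a hand-picked set of HijackThis entries; the same judgement can be written down as rules so a log of this shape is triaged consistently. The script below is an added example for this thread, not code from the post or from the HijackThis author: it scores R0/R1 entries that point IE at a local res:// DLL or at about:blank, an R3 hook that has gone missing, an O2 BHO with no name, O4 autoruns in system32 whose value name is nothing but the file name (the pattern of the entries fixed above), and any entry marked "(file missing)", with an O23 service of "Unknown owner" ranked highest. The sample log is constructed, modelled on entries from this thread with two benign lines for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format. It is modelled on the kinds of
# entries marked "Fix checked" in this thread plus two benign lines for contrast; it
# is not the poster's real log.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nblcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EDF94985-0AA4-714B-4D3F-E2B133CFEEAD} - C:\WINDOWS\ieug.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [mfcpb.exe] C:\WINDOWS\system32\mfcpb.exe
O4 - HKLM\..\RunOnce: [mfcwa32.exe] C:\WINDOWS\system32\mfcwa32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# "R1 - <body>", "O23 - <body>" and so on.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def command_path(cmd):
    """Return the executable part of an autorun command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def classify(line):
    """Map one HijackThis entry to a Finding, or None when nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    missing = "(file missing)" in body

    if sec in ("R0", "R1"):
        if "res://" in body:
            return Finding(sec, "high", "IE search/start page served from a local res:// DLL", line)
        if body.endswith("= about:blank"):
            return Finding(sec, "medium", "IE default page reset to about:blank", line)
    elif sec == "R3" and "is missing" in body:
        return Finding(sec, "medium", "default URLSearchHook has been removed", line)
    elif sec == "O2" and "(no name)" in body:
        return Finding(sec, "high", "browser helper object with no name", line)
    elif sec == "O4":
        m4 = O4_RE.match(body)
        if m4:
            exe = command_path(m4.group("cmd")).rsplit("\\", 1)[-1]
            # Heuristic from this thread: value name identical to a file dropped in system32.
            if exe.lower() == m4.group("name").lower() and "\\system32\\" in m4.group("cmd").lower():
                return Finding(sec, "medium", "autorun in system32 whose value name is just the file name", line)
    elif sec == "O23" and missing:
        sev = "high" if "Unknown owner" in body else "medium"
        return Finding(sec, sev, "service registered for a binary that no longer exists", line)

    if missing:
        return Finding(sec, "low", "entry references a file that is gone (orphan)", line)
    return None


def triage(log_text):
    """Run classify over every line and keep the findings, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for f in (classify(l) for l in log_text.splitlines()) if f]
    return sorted(found, key=lambda f: order[f.severity])


def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
    print(severity_counts(triage(SAMPLE_HJT)))
```

The rules are deliberately narrow: a "(file missing)" O9 button is only an orphan, while an O23 service with no owner and no binary is the kind of entry that survives a reboot and keeps re-appearing in the log, which is exactly what the rest of this thread turns on.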

#7
fancydan

fancydan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks for the help. However there is a part of your post missing...you say "scroll down and find the service called:" but there is nothing listed...
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi fancydan,

Sorry for the mixup in postings. A colleague had to take over for me.

Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)

It may not contain all of the above elements but there will be enough for you to identify the proper one.


Regards,

Trevuren

  • 0

#9
fancydan

fancydan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Okay,

I've followed all of the steps and it seems that some things are back to normal (i.e. I can access My Computer from my desktop and my homepage doesn't reset to about:blank). However, AVG is still detecting Trojans...here is my new HJT log as well as the AboutBuster report created earlier.

Logfile of HijackThis v1.99.1
Scan saved at 8:36:30 PM, on 4/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Euchre by pogo - http://euchre.pogo.c...e-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades.pogo.c...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Scanned at: 7:44:57 PM on: 4/2/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\adddg.dll:bjiao
C:\WINDOWS\adddg.dll:bjiao
C:\WINDOWS\adddr.dll:pisbn
C:\WINDOWS\addqi32.dll:cnjau
C:\WINDOWS\addwi32.dll:bpbvs
C:\WINDOWS\ajtdq.dat:pynbx
C:\WINDOWS\appfj.dll:tuoyx
C:\WINDOWS\apppp.dll:pxucp
C:\WINDOWS\apptn32.dll:hnecb
C:\WINDOWS\atlgz.dll:ditfm
C:\WINDOWS\atlgz.dll:ditfm
C:\WINDOWS\atlsz32.dll:efqam
C:\WINDOWS\atlxy.dll:zzmyd
C:\WINDOWS\bkabu.dat:apqod
C:\WINDOWS\bootstat.dat:tqitx
C:\WINDOWS\bootstat.dat:tqitx
C:\WINDOWS\comsetup.log:hrelz
C:\WINDOWS\crap32.dll:uzpby
C:\WINDOWS\crfd32.dll:nshgs
C:\WINDOWS\crfd32.dll:nshgs
C:\WINDOWS\crfk32.dll:uejdh
C:\WINDOWS\crne32.dll:pzwkg
C:\WINDOWS\crrm.dll:qatro
C:\WINDOWS\cryo32.dll:tbwkl
C:\WINDOWS\d3ei.dll:pkuwa
C:\WINDOWS\desktop.ini:xqeys
C:\WINDOWS\FeatherTexture.bmp:mibvx
C:\WINDOWS\ghyhx.dat:yslsd
C:\WINDOWS\gmrwp.dat:jbnos
C:\WINDOWS\htwta.dat:zqhpy
C:\WINDOWS\iegw.dll:uiagh
C:\WINDOWS\iekl.dll:mjstb
C:\WINDOWS\iekl.dll:mjstb
C:\WINDOWS\iepp32.dll:qxzxk
C:\WINDOWS\ietb32.dll:bykce
C:\WINDOWS\ietb32.dll:bykce
C:\WINDOWS\ifbbp.dat:qkami
C:\WINDOWS\ipvw32.dll:xblsj
C:\WINDOWS\javacy.dll:glcql
C:\WINDOWS\javaot32.dll:qxsdj
C:\WINDOWS\javapx32.dll:afadf
C:\WINDOWS\javatj32.dll:tzobh
C:\WINDOWS\javawm32.dll:jxfwz
C:\WINDOWS\javazz.dll:blufq
C:\WINDOWS\KB883357.log:ufwcc
C:\WINDOWS\KB887742.log:gfprn
C:\WINDOWS\ljrkm.dat:bkerm
C:\WINDOWS\llcmn.dat:yrnto
C:\WINDOWS\msgv.dll:cydlt
C:\WINDOWS\mskg.dll:bhzfu
C:\WINDOWS\msli.dll:srefz
C:\WINDOWS\msmc32.dll:bwdkn
C:\WINDOWS\msvc.dll:ddice
C:\WINDOWS\mswp.dll:vvbqy
C:\WINDOWS\NeroDigital.ini:yjkss
C:\WINDOWS\net2fone.ini:hfrgu
C:\WINDOWS\netcp.dll:brpfi
C:\WINDOWS\netem.dll:mtape
C:\WINDOWS\netsu32.dll:thohr
C:\WINDOWS\netsu32.dll:thohr
C:\WINDOWS\netug.dll:izrvu
C:\WINDOWS\netug.dll:izrvu
C:\WINDOWS\netug32.dll:ffxoy
C:\WINDOWS\netug32.dll:ffxoy
C:\WINDOWS\nortonav.ico:qxsiv
C:\WINDOWS\nsgvh.dat:jxknp
C:\WINDOWS\nsw.log:mrqmo
C:\WINDOWS\nxhlb.dat:foejo
C:\WINDOWS\nyppi.dat:hlhgn
C:\WINDOWS\pgdyn.dat:nmult
C:\WINDOWS\pmwex.dat:ccbqo
C:\WINDOWS\rioyc.dat:bipth
C:\WINDOWS\setuplog.txt:jltpt
C:\WINDOWS\skhbw.dat:cduod
C:\WINDOWS\smscfg.ini:gatcb
C:\WINDOWS\Sti_Trace.log:ebfxd
C:\WINDOWS\sysis.dll:ypkyc
C:\WINDOWS\sysis.dll:ypkyc
C:\WINDOWS\system.ini:kudxl
C:\WINDOWS\sysyv32.dll:stabu
C:\WINDOWS\twunk_16.exe:ljzgq
C:\WINDOWS\twunk_32.exe:hrxjl
C:\WINDOWS\uzuhp.dat:plvdg
C:\WINDOWS\winamp.ini:tignu
C:\WINDOWS\WindowsUpdate.log:ykwah
C:\WINDOWS\winhl.dll:pvfbr
C:\WINDOWS\winnt.bmp:ejkyq
C:\WINDOWS\winog32.dll:zeetl
C:\WINDOWS\wyxhz.dat:lxqze
C:\WINDOWS\xvpmm.dat:orteu
C:\WINDOWS\zpjzp.dat:mtbpk


Removed 2 Random Key Entries
Removed! : C:\WINDOWS\aashw.dat
Removed! : C:\WINDOWS\addzj32.exe
Removed! : C:\WINDOWS\agshu.dat
Removed! : C:\WINDOWS\ahszx.dat
Removed! : C:\WINDOWS\ajppz.dat
Removed! : C:\WINDOWS\ajtdq.dat
Removed! : C:\WINDOWS\amcdj.dat
Removed! : C:\WINDOWS\apiqf.dat
Removed! : C:\WINDOWS\asfkq.dat
Removed! : C:\WINDOWS\atlcj32.exe
Removed! : C:\WINDOWS\avyxo.dat
Removed! : C:\WINDOWS\awbil.dat
Removed! : C:\WINDOWS\awpjt.dat
Removed! : C:\WINDOWS\axiey.dat
Removed! : C:\WINDOWS\axqmn.dat
Removed! : C:\WINDOWS\beeeq.dat
Removed! : C:\WINDOWS\bflgr.dat
Removed! : C:\WINDOWS\blzlu.dat
Removed! : C:\WINDOWS\bwkpi.dat
Removed! : C:\WINDOWS\cdqce.dat
Removed! : C:\WINDOWS\ciiun.dat
Removed! : C:\WINDOWS\cnuaf.dat
Removed! : C:\WINDOWS\cqvti.dat
Removed! : C:\WINDOWS\dcjun.dat
Removed! : C:\WINDOWS\eaexr.dat
Removed! : C:\WINDOWS\efdaq.dat
Removed! : C:\WINDOWS\egwxk.dat
Removed! : C:\WINDOWS\ehcjb.dat
Removed! : C:\WINDOWS\ejmaq.dat
Removed! : C:\WINDOWS\encxo.dat
Removed! : C:\WINDOWS\eojuf.dat
Removed! : C:\WINDOWS\eujyy.dat
Removed! : C:\WINDOWS\evjkz.dat
Removed! : C:\WINDOWS\exlpr.dat
Removed! : C:\WINDOWS\eybxj.dat
Removed! : C:\WINDOWS\fjkka.dat
Removed! : C:\WINDOWS\ftnes.dat
Removed! : C:\WINDOWS\fzaob.dat
Removed! : C:\WINDOWS\gcjvx.dat
Removed! : C:\WINDOWS\gcwad.dat
Removed! : C:\WINDOWS\gfmcq.dat
Removed! : C:\WINDOWS\gggxl.dat
Removed! : C:\WINDOWS\ghyhx.dat
Removed! : C:\WINDOWS\gmgfk.dat
Removed! : C:\WINDOWS\gmrwp.dat
Removed! : C:\WINDOWS\gpkjb.dat
Removed! : C:\WINDOWS\gtazq.dat
Removed! : C:\WINDOWS\gvkcu.dat
Removed! : C:\WINDOWS\hcplj.dat
Removed! : C:\WINDOWS\hczic.dat
Removed! : C:\WINDOWS\hdnjz.dat
Removed! : C:\WINDOWS\hdsuh.dat
Removed! : C:\WINDOWS\hgflf.dat
Removed! : C:\WINDOWS\hhjes.dat
Removed! : C:\WINDOWS\hhtiy.dat
Removed! : C:\WINDOWS\hkert.dat
Removed! : C:\WINDOWS\htqdj.dat
Removed! : C:\WINDOWS\htwta.dat
Removed! : C:\WINDOWS\iayeh.dat
Removed! : C:\WINDOWS\igxic.dat
Removed! : C:\WINDOWS\iidob.dat
Removed! : C:\WINDOWS\iiqay.dat
Removed! : C:\WINDOWS\ijmqn.dat
Removed! : C:\WINDOWS\iozxa.dat
Removed! : C:\WINDOWS\iqeqk.dat
Removed! : C:\WINDOWS\ismjc.dat
Removed! : C:\WINDOWS\ittgt.dat
Removed! : C:\WINDOWS\javlk.dat
Removed! : C:\WINDOWS\jdlhf.dat
Removed! : C:\WINDOWS\jeaqi.dat
Removed! : C:\WINDOWS\jhqqw.dat
Removed! : C:\WINDOWS\jicdf.dat
Removed! : C:\WINDOWS\jmwmr.dat
Removed! : C:\WINDOWS\jnzbb.dat
Removed! : C:\WINDOWS\jvabh.dat
Removed! : C:\WINDOWS\jwgmu.dat
Removed! : C:\WINDOWS\jypto.dat
Removed! : C:\WINDOWS\kghwx.dat
Removed! : C:\WINDOWS\kgkil.dat
Removed! : C:\WINDOWS\kqlwf.dat
Removed! : C:\WINDOWS\lccpu.dat
Removed! : C:\WINDOWS\leuhq.dat
Removed! : C:\WINDOWS\lipty.dat
Removed! : C:\WINDOWS\ljrkm.dat
Removed! : C:\WINDOWS\llcmn.dat
Removed! : C:\WINDOWS\lyttu.dat
Removed! : C:\WINDOWS\mesep.dat
Removed! : C:\WINDOWS\mmhrg.dat
Removed! : C:\WINDOWS\mmira.dat
Removed! : C:\WINDOWS\momey.dat
Removed! : C:\WINDOWS\mqeds.dat
Removed! : C:\WINDOWS\mraqi.dat
Removed! : C:\WINDOWS\mrars.dat
Removed! : C:\WINDOWS\ncwik.dat
Removed! : C:\WINDOWS\ninpy.dat
Removed! : C:\WINDOWS\noann.dat
Removed! : C:\WINDOWS\noces.dat
Removed! : C:\WINDOWS\nqeaq.dat
Removed! : C:\WINDOWS\nsgvh.dat
Removed! : C:\WINDOWS\nvdir.dat
Removed! : C:\WINDOWS\nxhlb.dat
Removed! : C:\WINDOWS\nyppi.dat
Removed! : C:\WINDOWS\nyqyk.dat
Removed! : C:\WINDOWS\oagpe.dat
Removed! : C:\WINDOWS\oervx.dat
Removed! : C:\WINDOWS\ofkjp.dat
Removed! : C:\WINDOWS\onodm.dat
Removed! : C:\WINDOWS\ouwao.dat
Removed! : C:\WINDOWS\pccoc.dat
Removed! : C:\WINDOWS\pcszx.dat
Removed! : C:\WINDOWS\pgdyn.dat
Removed! : C:\WINDOWS\pkzwt.dat
Removed! : C:\WINDOWS\pmwex.dat
Removed! : C:\WINDOWS\pqysf.dat
Removed! : C:\WINDOWS\prsor.dat
Removed! : C:\WINDOWS\pvkce.dat
Removed! : C:\WINDOWS\pyofm.dat
Removed! : C:\WINDOWS\qadux.dat
Removed! : C:\WINDOWS\qawrt.dat
Removed! : C:\WINDOWS\qjjad.dat
Removed! : C:\WINDOWS\qmioe.dat
Removed! : C:\WINDOWS\qpmyo.dat
Removed! : C:\WINDOWS\rdhfe.dat
Removed! : C:\WINDOWS\rioyc.dat
Removed! : C:\WINDOWS\rmrxr.dat
Removed! : C:\WINDOWS\roqqp.dat
Removed! : C:\WINDOWS\rptsr.dat
Removed! : C:\WINDOWS\rzlsh.dat
Removed! : C:\WINDOWS\sizag.dat
Removed! : C:\WINDOWS\skhbw.dat
Removed! : C:\WINDOWS\slmws.dat
Removed! : C:\WINDOWS\sqtwp.dat
Removed! : C:\WINDOWS\srjig.dat
Removed! : C:\WINDOWS\svorx.dat
Removed! : C:\WINDOWS\swedw.dat
Removed! : C:\WINDOWS\tbrql.dat
Removed! : C:\WINDOWS\tcswa.dat
Removed! : C:\WINDOWS\tgzek.dat
Removed! : C:\WINDOWS\tjxvg.dat
Removed! : C:\WINDOWS\ubfvo.dat
Removed! : C:\WINDOWS\ubxjd.dat
Removed! : C:\WINDOWS\ubzvc.dat
Removed! : C:\WINDOWS\uehws.dat
Removed! : C:\WINDOWS\ughcs.dat
Removed! : C:\WINDOWS\uhbjt.dat
Removed! : C:\WINDOWS\urzcd.dat
Removed! : C:\WINDOWS\uzuhp.dat
Removed! : C:\WINDOWS\vaqhm.dat
Removed! : C:\WINDOWS\vbkxf.dat
Removed! : C:\WINDOWS\vfbfq.dat
Removed! : C:\WINDOWS\vlsym.dat
Removed! : C:\WINDOWS\vsttn.dat
Removed! : C:\WINDOWS\vvpzm.dat
Removed! : C:\WINDOWS\vwxwy.dat
Removed! : C:\WINDOWS\vxfrv.dat
Removed! : C:\WINDOWS\whkgt.dat
Removed! : C:\WINDOWS\wjmax.dat
Removed! : C:\WINDOWS\wovqf.dat
Removed! : C:\WINDOWS\woyik.dat
Removed! : C:\WINDOWS\wyxhz.dat
Removed! : C:\WINDOWS\xbneb.dat
Removed! : C:\WINDOWS\xijkv.dat
Removed! : C:\WINDOWS\xljdn.dat
Removed! : C:\WINDOWS\xlxie.dat
Removed! : C:\WINDOWS\xmzdb.dat
Removed! : C:\WINDOWS\xvpmm.dat
Removed! : C:\WINDOWS\xxmib.dat
Removed! : C:\WINDOWS\ycfjy.dat
Removed! : C:\WINDOWS\ylsvq.dat
Removed! : C:\WINDOWS\ynwmu.dat
Removed! : C:\WINDOWS\zdjlb.dat
Removed! : C:\WINDOWS\zmtwr.dat
Removed! : C:\WINDOWS\zpjzp.dat
Removed! : C:\WINDOWS\zsban.dat
Removed! : C:\WINDOWS\zwpui.dat
Removed! : C:\WINDOWS\system32\agusn.dat
Removed! : C:\WINDOWS\system32\asshg.dat
Removed! : C:\WINDOWS\system32\astrc.dat
Removed! : C:\WINDOWS\system32\avkla.dat
Removed! : C:\WINDOWS\system32\awojl.dat
Removed! : C:\WINDOWS\system32\azwxa.dat
Removed! : C:\WINDOWS\system32\bfedm.dat
Removed! : C:\WINDOWS\system32\bflma.dat
Removed! : C:\WINDOWS\system32\bmamv.dat
Removed! : C:\WINDOWS\system32\bmbmc.dat
Removed! : C:\WINDOWS\system32\boobi.dat
Removed! : C:\WINDOWS\system32\bsfcm.dat
Removed! : C:\WINDOWS\system32\bsthn.dat
Removed! : C:\WINDOWS\system32\caixp.dat
Removed! : C:\WINDOWS\system32\cbchu.dat
Removed! : C:\WINDOWS\system32\cczyv.dat
Removed! : C:\WINDOWS\system32\cgcmx.dat
Removed! : C:\WINDOWS\system32\cnjni.dat
Removed! : C:\WINDOWS\system32\cupuy.dat
Removed! : C:\WINDOWS\system32\cvsmr.dat
Removed! : C:\WINDOWS\system32\deqkx.dat
Removed! : C:\WINDOWS\system32\djdvg.dat
Removed! : C:\WINDOWS\system32\dlibn.dat
Removed! : C:\WINDOWS\system32\drfnt.dat
Removed! : C:\WINDOWS\system32\drxni.dat
Removed! : C:\WINDOWS\system32\dzjqu.dat
Removed! : C:\WINDOWS\system32\eakxe.dat
Removed! : C:\WINDOWS\system32\eatpi.dat
Removed! : C:\WINDOWS\system32\ecaxi.dat
Removed! : C:\WINDOWS\system32\efdyy.dat
Removed! : C:\WINDOWS\system32\efzul.dat
Removed! : C:\WINDOWS\system32\ejnzt.dat
Removed! : C:\WINDOWS\system32\emjzs.dat
Removed! : C:\WINDOWS\system32\evyvd.dat
Removed! : C:\WINDOWS\system32\eymmb.dat
Removed! : C:\WINDOWS\system32\faqpg.dat
Removed! : C:\WINDOWS\system32\fdkte.dat
Removed! : C:\WINDOWS\system32\fjifg.dat
Removed! : C:\WINDOWS\system32\frfia.dat
Removed! : C:\WINDOWS\system32\fuhgk.dat
Removed! : C:\WINDOWS\system32\fuhvy.dat
Removed! : C:\WINDOWS\system32\fxbjk.dat
Removed! : C:\WINDOWS\system32\fxhgy.dat
Removed! : C:\WINDOWS\system32\gcmuy.dat
Removed! : C:\WINDOWS\system32\gexaf.dat
Removed! : C:\WINDOWS\system32\gfzzy.dat
Removed! : C:\WINDOWS\system32\ggpdk.dat
Removed! : C:\WINDOWS\system32\ggven.dat
Removed! : C:\WINDOWS\system32\gjeig.dat
Removed! : C:\WINDOWS\system32\gsdrq.dat
Removed! : C:\WINDOWS\system32\gsetz.dat
Removed! : C:\WINDOWS\system32\gsxpo.dat
Removed! : C:\WINDOWS\system32\hfnca.dat
Removed! : C:\WINDOWS\system32\hhios.dat
Removed! : C:\WINDOWS\system32\hktnp.dat
Removed! : C:\WINDOWS\system32\hozar.dat
Removed! : C:\WINDOWS\system32\huzoc.dat
Removed! : C:\WINDOWS\system32\hwzai.dat
Removed! : C:\WINDOWS\system32\hznuz.dat
Removed! : C:\WINDOWS\system32\iaecb.dat
Removed! : C:\WINDOWS\system32\iere.exe
Removed! : C:\WINDOWS\system32\ifgvw.dat
Removed! : C:\WINDOWS\system32\imfov.dat
Removed! : C:\WINDOWS\system32\ivzfp.dat
Removed! : C:\WINDOWS\system32\izxcz.dat
Removed! : C:\WINDOWS\system32\jctpq.dat
Removed! : C:\WINDOWS\system32\jelzm.dat
Removed! : C:\WINDOWS\system32\jhidv.dat
Removed! : C:\WINDOWS\system32\jmkoz.dat
Removed! : C:\WINDOWS\system32\jpmwe.dat
Removed! : C:\WINDOWS\system32\jqslg.dat
Removed! : C:\WINDOWS\system32\jrecv.dat
Removed! : C:\WINDOWS\system32\jwspz.dat
Removed! : C:\WINDOWS\system32\jxwuz.dat
Removed! : C:\WINDOWS\system32\jybou.dat
Removed! : C:\WINDOWS\system32\jynnz.dat
Removed! : C:\WINDOWS\system32\kaavo.dat
Removed! : C:\WINDOWS\system32\kuova.dat
Removed! : C:\WINDOWS\system32\kzlpu.dat
Removed! : C:\WINDOWS\system32\lixbc.dat
Removed! : C:\WINDOWS\system32\lkvev.dat
Removed! : C:\WINDOWS\system32\lpvpz.dat
Removed! : C:\WINDOWS\system32\mambu.dat
Removed! : C:\WINDOWS\system32\mapww.dat
Removed! : C:\WINDOWS\system32\mfvti.dat
Removed! : C:\WINDOWS\system32\mhtxt.dat
Removed! : C:\WINDOWS\system32\mldcl.dat
Removed! : C:\WINDOWS\system32\mmcxk.dat
Removed! : C:\WINDOWS\system32\mqtum.dat
Removed! : C:\WINDOWS\system32\mqwlr.dat
Removed! : C:\WINDOWS\system32\mrqug.dat
Removed! : C:\WINDOWS\system32\msanz.dat
Removed! : C:\WINDOWS\system32\mupgc.dat
Removed! : C:\WINDOWS\system32\ncxkq.dat
Removed! : C:\WINDOWS\system32\ndmts.dat
Removed! : C:\WINDOWS\system32\nfxrt.dat
Removed! : C:\WINDOWS\system32\ngayz.dat
Removed! : C:\WINDOWS\system32\nkcxu.dat
Removed! : C:\WINDOWS\system32\nkwwu.dat
Removed! : C:\WINDOWS\system32\nlned.dat
Removed! : C:\WINDOWS\system32\nmyas.dat
Removed! : C:\WINDOWS\system32\nomte.dat
Removed! : C:\WINDOWS\system32\noxkc.dat
Removed! : C:\WINDOWS\system32\nprjq.dat
Removed! : C:\WINDOWS\system32\ntac32.exe
Removed! : C:\WINDOWS\system32\nvfph.dat
Removed! : C:\WINDOWS\system32\nvzpe.dat
Removed! : C:\WINDOWS\system32\nzrzq.dat
Removed! : C:\WINDOWS\system32\oemqb.dat
Removed! : C:\WINDOWS\system32\oenfl.dat
Removed! : C:\WINDOWS\system32\omlrh.dat
Removed! : C:\WINDOWS\system32\oobqn.dat
Removed! : C:\WINDOWS\system32\ouqdz.dat
Removed! : C:\WINDOWS\system32\oynxj.dat
Removed! : C:\WINDOWS\system32\pbgff.dat
Removed! : C:\WINDOWS\system32\pdaht.dat
Removed! : C:\WINDOWS\system32\penyi.dat
Removed! : C:\WINDOWS\system32\pjcjs.dat
Removed! : C:\WINDOWS\system32\pltsu.dat
Removed! : C:\WINDOWS\system32\pmtnl.dat
Removed! : C:\WINDOWS\system32\pqagv.dat
Removed! : C:\WINDOWS\system32\pxwxf.dat
Removed! : C:\WINDOWS\system32\qejdj.dat
Removed! : C:\WINDOWS\system32\qjdyc.dat
Removed! : C:\WINDOWS\system32\qmgeg.dat
Removed! : C:\WINDOWS\system32\qrsgo.dat
Removed! : C:\WINDOWS\system32\qvnxp.dat
Removed! : C:\WINDOWS\system32\rhxbv.dat
Removed! : C:\WINDOWS\system32\rkwny.dat
Removed! : C:\WINDOWS\system32\rnhnx.dat
Removed! : C:\WINDOWS\system32\rqdzj.dat
Removed! : C:\WINDOWS\system32\rypml.dat
Removed! : C:\WINDOWS\system32\sbqjk.dat
Removed! : C:\WINDOWS\system32\shfor.dat
Removed! : C:\WINDOWS\system32\slmvg.dat
Removed! : C:\WINDOWS\system32\srwop.dat
Removed! : C:\WINDOWS\system32\stqmq.dat
Removed! : C:\WINDOWS\system32\tdpfc.dat
Removed! : C:\WINDOWS\system32\tktwz.dat
Removed! : C:\WINDOWS\system32\tqfrx.dat
Removed! : C:\WINDOWS\system32\tyxbl.dat
Removed! : C:\WINDOWS\system32\tzecu.dat
Removed! : C:\WINDOWS\system32\uldwb.dat
Removed! : C:\WINDOWS\system32\uzbju.dat
Removed! : C:\WINDOWS\system32\uzequ.dat
Removed! : C:\WINDOWS\system32\vhwhr.dat
Removed! : C:\WINDOWS\system32\vimla.dat
Removed! : C:\WINDOWS\system32\vlbje.dat
Removed! : C:\WINDOWS\system32\vzdtc.dat
Removed! : C:\WINDOWS\system32\vzzzo.dat
Removed! : C:\WINDOWS\system32\wejvy.dat
Removed! : C:\WINDOWS\system32\wgdxv.dat
Removed! : C:\WINDOWS\system32\wmnxt.dat
Removed! : C:\WINDOWS\system32\woaec.dat
Removed! : C:\WINDOWS\system32\wqpku.dat
Removed! : C:\WINDOWS\system32\ximoi.dat
Removed! : C:\WINDOWS\system32\xnigp.dat
Removed! : C:\WINDOWS\system32\xoevt.dat
Removed! : C:\WINDOWS\system32\xqfyr.dat
Removed! : C:\WINDOWS\system32\xtnih.dat
Removed! : C:\WINDOWS\system32\xyqzn.dat
Removed! : C:\WINDOWS\system32\ylfcy.dat
Removed! : C:\WINDOWS\system32\ynwnx.dat
Removed! : C:\WINDOWS\system32\yrxaf.dat
Removed! : C:\WINDOWS\system32\ysmkg.dat
Removed! : C:\WINDOWS\system32\ywsod.dat
Removed! : C:\WINDOWS\system32\yzmxc.dat
Removed! : C:\WINDOWS\system32\zdvjg.dat
Removed! : C:\WINDOWS\system32\zeyvd.dat
Removed! : C:\WINDOWS\system32\zgylf.dat
Removed! : C:\WINDOWS\system32\zmuyi.dat
Removed! : C:\WINDOWS\system32\zqxbm.dat
Removed! : C:\WINDOWS\system32\zszfc.dat
Removed! : C:\WINDOWS\system32\zwkzd.dat
Removed! : C:\WINDOWS\system32\zxgkr.dat
Removed! : C:\WINDOWS\system32\zxszb.dat
Removed! : C:\WINDOWS\system32\zzawg.dat
Removed! : C:\WINDOWS\system32\zzvbv.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\adddg.dll:bjiao
C:\WINDOWS\adddg.dll:bjiao
C:\WINDOWS\adddr.dll:pisbn
C:\WINDOWS\addqi32.dll:cnjau
C:\WINDOWS\addwi32.dll:bpbvs
C:\WINDOWS\ajtdq.dat:pynbx
C:\WINDOWS\appfj.dll:tuoyx
C:\WINDOWS\apppp.dll:pxucp
C:\WINDOWS\apptn32.dll:hnecb
C:\WINDOWS\atlgz.dll:ditfm
C:\WINDOWS\atlgz.dll:ditfm
C:\WINDOWS\atlsz32.dll:efqam
C:\WINDOWS\atlxy.dll:zzmyd
C:\WINDOWS\bkabu.dat:apqod
C:\WINDOWS\bootstat.dat:tqitx
C:\WINDOWS\bootstat.dat:tqitx
C:\WINDOWS\comsetup.log:hrelz
C:\WINDOWS\crap32.dll:uzpby
C:\WINDOWS\crfd32.dll:nshgs
C:\WINDOWS\crfd32.dll:nshgs
C:\WINDOWS\crfk32.dll:uejdh
C:\WINDOWS\crne32.dll:pzwkg
C:\WINDOWS\crrm.dll:qatro
C:\WINDOWS\cryo32.dll:tbwkl
C:\WINDOWS\d3ei.dll:pkuwa
C:\WINDOWS\desktop.ini:xqeys
C:\WINDOWS\FeatherTexture.bmp:mibvx
C:\WINDOWS\ghyhx.dat:yslsd
C:\WINDOWS\gmrwp.dat:jbnos
C:\WINDOWS\htwta.dat:zqhpy
C:\WINDOWS\iegw.dll:uiagh
C:\WINDOWS\iekl.dll:mjstb
C:\WINDOWS\iekl.dll:mjstb
C:\WINDOWS\iepp32.dll:qxzxk
C:\WINDOWS\ietb32.dll:bykce
C:\WINDOWS\ietb32.dll:bykce
C:\WINDOWS\ifbbp.dat:qkami
C:\WINDOWS\ipvw32.dll:xblsj
C:\WINDOWS\javacy.dll:glcql
C:\WINDOWS\javaot32.dll:qxsdj
C:\WINDOWS\javapx32.dll:afadf
C:\WINDOWS\javatj32.dll:tzobh
C:\WINDOWS\javawm32.dll:jxfwz
C:\WINDOWS\javazz.dll:blufq
C:\WINDOWS\KB883357.log:ufwcc
C:\WINDOWS\KB887742.log:gfprn
C:\WINDOWS\ljrkm.dat:bkerm
C:\WINDOWS\llcmn.dat:yrnto
C:\WINDOWS\msgv.dll:cydlt
C:\WINDOWS\mskg.dll:bhzfu
C:\WINDOWS\msli.dll:srefz
C:\WINDOWS\msmc32.dll:bwdkn
C:\WINDOWS\msvc.dll:ddice
C:\WINDOWS\mswp.dll:vvbqy
C:\WINDOWS\NeroDigital.ini:yjkss
C:\WINDOWS\net2fone.ini:hfrgu
C:\WINDOWS\netcp.dll:brpfi
C:\WINDOWS\netem.dll:mtape
C:\WINDOWS\netsu32.dll:thohr
C:\WINDOWS\netsu32.dll:thohr
C:\WINDOWS\netug.dll:izrvu
C:\WINDOWS\netug.dll:izrvu
C:\WINDOWS\netug32.dll:ffxoy
C:\WINDOWS\netug32.dll:ffxoy
C:\WINDOWS\nortonav.ico:qxsiv
C:\WINDOWS\nsgvh.dat:jxknp
C:\WINDOWS\nsw.log:mrqmo
C:\WINDOWS\nxhlb.dat:foejo
C:\WINDOWS\nyppi.dat:hlhgn
C:\WINDOWS\pgdyn.dat:nmult
C:\WINDOWS\pmwex.dat:ccbqo
C:\WINDOWS\rioyc.dat:bipth
C:\WINDOWS\setuplog.txt:jltpt
C:\WINDOWS\skhbw.dat:cduod
C:\WINDOWS\smscfg.ini:gatcb
C:\WINDOWS\Sti_Trace.log:ebfxd
C:\WINDOWS\sysis.dll:ypkyc
C:\WINDOWS\sysis.dll:ypkyc
C:\WINDOWS\system.ini:kudxl
C:\WINDOWS\sysyv32.dll:stabu
C:\WINDOWS\twunk_16.exe:ljzgq
C:\WINDOWS\twunk_32.exe:hrxjl
C:\WINDOWS\uzuhp.dat:plvdg
C:\WINDOWS\winamp.ini:tignu
C:\WINDOWS\WindowsUpdate.log:ykwah
C:\WINDOWS\winhl.dll:pvfbr
C:\WINDOWS\winnt.bmp:ejkyq
C:\WINDOWS\winog32.dll:zeetl
C:\WINDOWS\wyxhz.dat:lxqze
C:\WINDOWS\xvpmm.dat:orteu
C:\WINDOWS\zpjzp.dat:mtbpk


Attempted Clean Of Temp folder.
Pages Reset... Done!
  • 0
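The About:Buster report above lists NTFS alternate data streams (host file, a colon, then a stream name) that were attached to ordinary files under C:\WINDOWS, and the second scan lists the same streams as the first. The parser below is an added example for this thread, not part of About:Buster or of the post: it splits a report into scans, reads each stream entry on its last colon (the drive letter also uses one), deduplicates the repeated lines, and reports which streams were listed in every scan, which is the signal a helper would want before calling the machine clean. The report excerpt is constructed in the same layout, with only a few lines.

```python
import re
from collections import Counter

# Constructed excerpt laid out like the About:Buster 4.0 report posted in this thread.
# Only a handful of lines are included; it is not the poster's full report.
SAMPLE_REPORT = r"""
Scanned at: 7:44:57 PM on: 4/2/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

Removed Data Streams:
C:\WINDOWS\bootstat.dat:tqitx
C:\WINDOWS\bootstat.dat:tqitx
C:\WINDOWS\system.ini:kudxl
C:\WINDOWS\javacy.dll:glcql
C:\WINDOWS\KB883357.log:ufwcc

Removed 2 Random Key Entries
Removed! : C:\WINDOWS\aashw.dat
Removed! : C:\WINDOWS\system32\iere.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

Removed Data Streams:
C:\WINDOWS\bootstat.dat:tqitx
C:\WINDOWS\system.ini:kudxl

Attempted Clean Of Temp folder.
Pages Reset... Done!
"""

SCAN_RE = re.compile(r"^-- Scan (\d+) -+$")
# An ADS entry is host path + ':' + stream name. The drive letter also uses ':', so the
# split has to land on the LAST colon, and the stream part must not look like a path.
STREAM_RE = re.compile(r"^(?P<host>[A-Za-z]:\\.+):(?P<stream>[^\\:]+)$")


def parse_report(text):
    """Split an About:Buster report into scans: {'scan': n, 'streams': set, 'files': list}."""
    scans, current, in_streams = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = SCAN_RE.match(line)
        if m:
            current = {"scan": int(m.group(1)), "streams": set(), "files": []}
            scans.append(current)
            in_streams = False
            continue
        if current is None:
            continue  # header lines before the first scan
        if line == "Removed Data Streams:":
            in_streams = True
            continue
        if not line:
            in_streams = False  # a blank line closes the stream list
            continue
        if in_streams:
            ms = STREAM_RE.match(line)
            if ms:
                current["streams"].add((ms.group("host"), ms.group("stream")))
            continue
        if line.startswith("Removed! : "):
            current["files"].append(line[len("Removed! : "):])
    return scans


def persisting_streams(scans):
    """Streams reported in every scan: a stream that comes back after removal means
    something is still re-creating it, so the machine is not clean yet."""
    if not scans:
        return set()
    return set.intersection(*(s["streams"] for s in scans))


def stream_hosts(scans):
    """Distinct stream names seen per host file, across all scans."""
    seen = set().union(*(s["streams"] for s in scans)) if scans else set()
    return Counter(host for host, _ in seen)


if __name__ == "__main__":
    scans = parse_report(SAMPLE_REPORT)
    for s in scans:
        print(f"scan {s['scan']}: {len(s['streams'])} streams, {len(s['files'])} files removed")
    for host, stream in sorted(persisting_streams(scans)):
        print(f"still present in every scan: {host}:{stream}")
    print(stream_hosts(scans))
```

Streams hang off legitimate system files (bootstat.dat, system.ini, a hotfix log), so deleting the host file is not an option; a stream listed in every scan is the cue to keep looking for whatever rewrites it.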

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi fancydan,

Can you imagine, this is my second reply. I deleted the first by mistake instead of posting it. I am still kicking myself.
Did you see all the stuff that was removed by the programs that ran? Enough to choke a horse.

However, that pesky O23 HJT entry is still there, so we will try a slightly different approach.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1) Download "Service Filter" from: HERE to your Desktop so you can find it easily later. Do not use it now.

2) Open HijackThis, run a SCAN, and scroll down the list of entries until you reach the O23 entries. Here I need you to find the following entry:

O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)

Write down all the information on a piece of paper for future reference.

Close HijackThis.
---------------------------------
3. Now open Service Filter by clicking on its icon.
. Then click OK and OK again when prompted.
. A Wordpad text will appear on your desktop. Scroll down the list of services until you find the service containing the name you wrote down during the preceding procedure.
. For each O23 involved, carefully write down the name that appears beside the label "Service Name". This name will be required in the next step.
. Close the program when finished.
----------------------------
4. Now we need to work from the Command Prompt

Go Start>>Programs>>Accessories>>Command Prompt

. A black box will appear with a flashing cursor. At the cursor, type cd.. then cd.. again and repeat the procedure until the writing preceding the cursor says C:\>

. Now carefully type the following: sc delete servicename, where the word servicename is replaced by the real service name that you have found in the previous procedure. Press ENTER.

. Close the Command Prompt box.
------------------------------------------
Now to stuff we are more familiar with:

Now let's do some work on your log:

Run HJT with all windows closed except for HijackThis and click SCAN
Place a check mark beside the following item:

O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)

Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System.
Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

I would also like you to download and run a free trial version of an anti-trojan program called Trojan Hunter: Trojan Hunter. Let it scan your whole system and remove anything it finds.

REBOOT your system.

Regards,

Trevuren


#11
fancydan
  • Topic Starter
  • Member
  • 10 posts
Hello,

It seems that

O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)

is still showing in my HJT log...I'm pretty sure I followed all of the instructions from your last post, however, Service Filter did not bring up any services. I'm not sure if this is a problem or not. Here is my HJT log just in case.

Logfile of HijackThis v1.99.1
Scan saved at 11:14:15 AM, on 4/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Euchre by pogo - http://euchre.pogo.c...e-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades.pogo.c...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#12
Trevuren
  • Old Dog
  • Retired Staff
  • 18,699 posts
Hi fancydan,

Service Filter should have brought up several services, all good but one.

Please run the whole procedure again.
Post back a fresh log and any comments.

Thanks,

Trevuren


#13
fancydan
  • Topic Starter
  • Member
  • 10 posts
Sorry for the long break between posts.

Service Filter is still not pulling up anything...this is all that it says:

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Apr 8, 2005 7:22:58 PM


#14
Trevuren
  • Old Dog
  • Retired Staff
  • 18,699 posts
Hi fancydan,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Try this:

Now we need to work from the Command Prompt

1. Go Start>>Programs>>Accessories>>Command Prompt

. A black box will appear with a flashing cursor. At the cursor, type cd.. then cd.. again and repeat the procedure until the writing preceding the cursor says C:\>

2. Now carefully type the following: sc delete RPC.

3. Press ENTER.

4. Close the Command Prompt box.
------------------------------------------
5. Run HJT, with all windows closed, click SCAN.

Place a check mark beside the following item:

O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)

Now with the item selected, delete it by clicking the FIX checked button. Close the HijackThis window and Reboot Your System.

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren


#15
fancydan
  • Topic Starter
  • Member
  • 10 posts
"The specified service does not exist as an installed service."
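
As an added illustration (not part of the thread, and not code from HijackThis, Service Filter or any other tool named here), the Python below does on a HijackThis log what the steps in posts #10 and #14 ask the user to do by hand: it separates the display name of each O23 entry from the service name in parentheses, which is the name `sc delete` and `sc qc` expect, and flags entries that deserve a closer look before anything is removed. The O23 line layout is inferred from the log lines in this thread, the sample log is a constructed subset of those lines, and the `findings()` heuristics are my own, not a rule from any of the tools.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of a HijackThis O23 line, inferred from the logs in this thread:
#   O23 - Service: <display name> (<service name>) - <owner> - <image path> [(file missing)]
# The name in parentheses is the key under HKLM\SYSTEM\CurrentControlSet\Services,
# i.e. what `sc query`, `sc qc` and `sc delete` take. The display name is not.
# The owner field may be empty (" - - "), hence the optional group.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]*)\) -"
    r"(?: (?P<owner>.*?))? - (?P<path>.+)$"
)
FILE_MISSING = " (file missing)"
# Service names a human would type without trouble: letters, digits, _ . -
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")

# Constructed sample: a subset of the O23 lines posted in this thread plus one
# unrelated O4 line to show that non-O23 lines are skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysck.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""


@dataclass
class ServiceEntry:
    display_name: str
    service_name: str
    owner: Optional[str]
    image_path: str
    file_missing: bool

    def findings(self) -> List[str]:
        """My own triage heuristics: each hit is a reason to look closer, not a verdict."""
        out: List[str] = []
        if self.file_missing:
            out.append("image file missing: orphaned or self-deleting service")
        if not self.owner or self.owner == "Unknown owner":
            out.append("no company name in the binary's version info")
        if not SAFE_NAME_RE.match(self.service_name):
            out.append("service name has whitespace or unusual characters; "
                       "copy it from the registry rather than retyping it")
        return out


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one log line; returns None for anything that is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    missing = path.endswith(FILE_MISSING)
    if missing:
        path = path[: -len(FILE_MISSING)]
    return ServiceEntry(
        display_name=m.group("display"),
        service_name=m.group("name"),  # kept verbatim, leading space included
        owner=m.group("owner"),
        image_path=path,
        file_missing=missing,
    )


def parse_log(text: str) -> List[ServiceEntry]:
    return [e for e in (parse_o23(ln) for ln in text.splitlines()) if e]


def suspicious(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    return [e for e in entries if e.findings()]


def sc_delete_command(entry: ServiceEntry) -> str:
    """The cmd.exe line that removes the service's registry key.

    The name is quoted because cmd.exe splits arguments on spaces and the
    names found in the wild often contain spaces or punctuation. sc.exe has
    no dry run, so confirm the target with `sc qc "<name>"` first.
    """
    return f'sc delete "{entry.service_name}"'


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.service_name!r:14} display={e.display_name!r} owner={e.owner!r}")
        for f in e.findings():
            print("    !", f)
        if e.findings():
            print("    remove with:", sc_delete_command(e))
```

Run on the sample above, the parser reports the service name of the sysck.exe entry as " 11F#`I" (leading space and punctuation included), not "RPC"; "RPC" is only a fragment of the display name, which is why `sc delete RPC` in post #15 answered that the service does not exist, and why a hand-typed name is unlikely to match a key made of characters like these. A legitimate driver service without version information (SLService here) trips the owner heuristic as well, so the findings are leads for a closer look, not a removal list.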