Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help me please..... [resolved]


  • This topic is locked This topic is locked

#16
lenlerts

lenlerts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Again, after I selected delete and reboot, it says "PendingFileRenameOperations Registry Data has been removed by External Process!" and I can't click no, because the only choice is to click ok, after which nothing happens
  • 0

Advertisements


#17
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Let's see what you have on the computer:
Open HijackThis.
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press 'save list'
Post the content of that file here in your answer.
  • 0

#18
lenlerts

lenlerts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Here...

Access ThinkPad
Ad-Aware SE Personal
Adobe Acrobat 5.0
Agere Systems AC'97 Modem
Alcohol 120%
All To MP3 Converter 1.55
Alyssa Milano Screen Saver
Angelina Jolie Screen Saver
Anna Kournikova Screen Saver
ATI Display Driver
AVG Free Edition
Britney Spears Screen Saver
Burn4Free CD & DVD 1.0.4.0
Cameron Diaz Screen Saver
Caprice Bourett Screen Saver
CoolStreaming
Covers of Ralph ScreenSaver
DAEMON Tools
DivX Codec 3.1alpha release
EA SPORTS online 2004
ffdshow (remove only)
Football Manager 2005
Girls of Ralph ScreenSaver
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp deskjet 3420 series (Remove only)
IBM Access Connections
IBM DLA
IBM RecordNow
IBM ThinkPad Access Support
IBM TrackPoint Accessibility Features
IBM TrackPoint Support
IBM Update Connector
Intel® PRO Ethernet Adapter and Software
Internet Connection Update and HomeP KB234087
iTunes
Jennifer Lopez Screen Saver
Macromedia Extension Manager
Macromedia Flash MX 2004
Medal of Honor Allied Assault
Microsoft Office XP Professional with FrontPage
MP3PowerEncoder
MSN Messenger 7.0
My Search Bar
Need for Speed Underground 2
OpenMG Jukebox
OpenMG Secure Module 3.0.03
Pam Anderson Screen Saver
QuickTime
RealPlayer
Search Assistant - My Search
Sony Net MD Help
Sony USB Driver
Sung Hi Lee Screen Saver
ThinkPad Configuration
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
Uninstall PC-Doctor
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823980
Windows XP Hotfix (SP1) Q815021
WinRAR archiver
XoftSpy
XviD MPEG-4 Codec
ZyAIR G-220 Utility



What do you think the problem is here? I think that this "info32.exe" just simply doesn't exist....neither do the "xcimzy.exe" or the "avserve.exe" Do you think this "info32.exe" is what causes the problem??

What does "PendingFileRenameOperations Registry Data has been removed by External Process!" mean anyway? I think its an error message, as there is a red circle with a white X in it.... and as I told you earlier, I can only choose OK
  • 0

#19
lenlerts

lenlerts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
I've done online scans and scans with Adaware, nothing was found by any software... with the killbox, I found that if I do it in safe mode, I get the error message I posted earlier, but if I do it in normal boot mode, it seems to work and delete the files, so I did that.....but I still see no difference... I thought the files weren't there at the start anyway...

However, everytime I log on, I still get these shortcut things after I deleted them earlier. These didn't come back until I rebooted, even though the website "specialgoods.info" doesn't exist anymore, (or at least something happened to my computer in the healing process that stopped me from getting onto this site". The red circle with an X at the bottom right corner of the screen in the taskbar still exists however, and it still tries to get me onto this site, even if I have no internet connection and I can't access the site anyway, and still gives me warning messages. I also still can't change my homepage....

But at least its looking better, and I hope I'm not bothering you too much. Hope you could help me find the solution soon..... Thanks again...

Heres my final log before I go to bed.......its getting really late in Australia now....so I hope by the time I wake up tomorrow, somebody would've replied and I would be able to fix this problem....


Logfile of HijackThis v1.99.1
Scan saved at 1:34:20 AM, on 22/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ZyXEL Technology Corporation\ZyAIR G-220 Utility\ZDWlan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Len Lertsumitkul\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad0179/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://scotsnet.tsc.nsw.edu.au/student
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w2ksrvproxy.tsc.nsw.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tsc.nsw.edu.au
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZDWlan.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: OzEmail - {E071235E-7EDB-4A22-A08C-E391ACF74BB2} - http://www.hn.ozemail.com.au (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Edited by lenlerts, 21 April 2005 - 09:36 AM.

  • 0

#20
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Can you remove the screensaver (along with the girls, sorry). Save it to a disk if you want to re-install them later. But first get them of the computer.

Then remove Xostspy unless you paid for it.

Reboot the computer en post back another log.

The pending message is Killbox's way of letting you know the file is not there, I guess it was removed by previously taken steps.

Can you check to see if any of these folders are on your computer:
Security IGuard
Virtual Maid
Search Maid

Edited by g2i2r4, 21 April 2005 - 10:01 AM.

  • 0

#21
lenlerts

lenlerts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts

Can you check to see if any of these folders are on your computer:
Security IGuard
Virtual Maid
Search Maid

View Post



How can I search? Just use Search in Start or what? I dont think I have any of them anyway...
  • 0

#22
lenlerts

lenlerts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
OK, done all that...... and I think I dont have the 3 folders you posted earlier...... OK, then, I am really going to bed now..... its nearly 2.30 in the morning here in Australia... I will leave my other computer on, so it'll probably say that I'm online, but I am actually asleep...

Please direct me what to do next....the same problems still exist....shortcuts remain and the red box with an"X" still in the taskbar....trying to get me to go to the site, even though it can't be accessed anymore....

I hope all this can be solved by tomorrow....as I dont have that much time, after Sunday, I will be back at school (I am a boarder).

New programs list with all the girls screensavers gone..

Access ThinkPad
Ad-Aware SE Personal
Adobe Acrobat 5.0
Agere Systems AC'97 Modem
Alcohol 120%
All To MP3 Converter 1.55
ATI Display Driver
AVG Free Edition
Burn4Free CD & DVD 1.0.4.0
CoolStreaming
DAEMON Tools
DivX Codec 3.1alpha release
EA SPORTS online 2004
ffdshow (remove only)
Football Manager 2005
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp deskjet 3420 series (Remove only)
IBM Access Connections
IBM DLA
IBM RecordNow
IBM ThinkPad Access Support
IBM TrackPoint Accessibility Features
IBM TrackPoint Support
IBM Update Connector
Intel® PRO Ethernet Adapter and Software
Internet Connection Update and HomeP KB234087
iTunes
Macromedia Extension Manager
Macromedia Flash MX 2004
Medal of Honor Allied Assault
Microsoft Office XP Professional with FrontPage
MP3PowerEncoder
MSN Messenger 7.0
My Search Bar
Need for Speed Underground 2
OpenMG Jukebox
OpenMG Secure Module 3.0.03
QuickTime
RealPlayer
Search Assistant - My Search
Sony Net MD Help
Sony USB Driver
ThinkPad Configuration
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
Uninstall PC-Doctor
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823980
Windows XP Hotfix (SP1) Q815021
WinRAR archiver
XviD MPEG-4 Codec
ZyAIR G-220 Utility


And new log

Logfile of HijackThis v1.99.1
Scan saved at 2:21:46 AM, on 22/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ZyXEL Technology Corporation\ZyAIR G-220 Utility\ZDWlan.exe
C:\Documents and Settings\Len Lertsumitkul\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad0179/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://scotsnet.tsc.nsw.edu.au/student
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w2ksrvproxy.tsc.nsw.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tsc.nsw.edu.au
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZDWlan.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: OzEmail - {E071235E-7EDB-4A22-A08C-E391ACF74BB2} - http://www.hn.ozemail.com.au (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe



Cheers, and thanks again (so far)

Len
  • 0

#23
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Put a check in the boxes next to the button ‘generate start up log’
Then press the button itself. It will open a notepad file.
Copy and past the content of that file here in your answer.
It must be somewhere to find..
  • 0

#24
lenlerts

lenlerts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Here... I'm up.....Its 9 in Australia

StartupList report, 22/04/2005, 8:41:59 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Len Lertsumitkul\Desktop\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ZyXEL Technology Corporation\ZyAIR G-220 Utility\ZDWlan.exe
C:\Documents and Settings\Len Lertsumitkul\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
ZDWlan.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AGRSMMSG = AGRSMMSG.exe
TrackPointSrv = tp4serv.exe
TPTRAY = C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
BMMGAG = RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
QCTRAY = C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
TP4EX = tp4ex.exe
TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
UC_SMB =
NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
DAEMON Tools-1033 = "C:\Program Files\D-Tools\daemon.exe" -lang 1033
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

BMMTask.job

--------------------------------------------------

Enumerating Download Program Files:

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[{6CB5E471-C305-11D3-99A8-000086395495}]
CODEBASE = http://toolbar.googl...g/GoogleNav.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...nt.cab28578.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft.../as5/asinst.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn...pDownloader.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zon...wn.cab28578.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
drvnddm: system32\drivers\drvnddm.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IBM PM Service: %SystemRoot%\System32\ibmpmsvc.exe (autostart)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
PMEM: \??\C:\WINDOWS\system32\drivers\PMEMNT.SYS (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QCONSVC: System32\QCONSVC.EXE (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 12,557 bytes
Report generated in 0.842 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#25
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Go here and download AntiSpyware.

Have it scan your computer and remove what it can find.

Reboot and let me know how things are now.
  • 0

Advertisements


#26
lenlerts

lenlerts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
I'm currently scanning with Antispyware, MY problem seems to be that I can't delete:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad0179/

from my HJT log.. everytime I tried, It'll come back again...

Does my log look clean other than that? What about my startup log?

What do you think is the problem, causing this red X in the taskbar??

Edited by lenlerts, 21 April 2005 - 05:22 PM.

  • 0

#27
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I don't know what's causing it.

Could you try this:
Open Killbox
choose kill on reboot
paste in:
C:\WINDOWS\System32\systr.dll
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After reboot, open HijackThis again.
Put a check to the R0 entries and press Fix checked.
Reboot again.

Did this help? (I'll stay up for another half hour max...)
  • 0

#28
lenlerts

lenlerts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts

Did this help? (I'll stay up for another half hour max...)

View Post



Thanks for this...... I really appreciate it

This is what Antispyware found.... total items detected 22

eZula.Top Text (Adware)
InstaFinder (Browser Modifier)
Incredifind (Adware)
Cool Web Search (Browser Modifier)
VX2.Transponder (Browser Plug in)
AT Games (Adware)
Twain Tech (Adware)
eZula.Weboffer (Adware)
AdDestroyer (Adware)
KeenValue PerfectNav (Browser Modifier)
Virtual Bouncer (Adware)
Unclassified Spyware 47 (Spyware)
EUniverse Updater (Browser Modifier)
Kazaa (Under Investigation)
NavExcel Search Toolbar (Browser Modifier)
IST.SideFind (Adware)
CoolWebSearch.StartPage (Browser Modifier)
RXToolbar (Adware)
DownloadWare (Adware)
Altnet (Browser Plug-in)
IST.SlotchBar (Toolbar)
TMKSoft.Xplugin (Trojan Downloader)

A lot of these are rated Severe, High and elevated in threat..... I removed all the ones rated with these three.....


Meanwhile, I'll try the killbox again... Thanks for staying up...:tazz:

Edited by lenlerts, 21 April 2005 - 05:38 PM.

  • 0

#29
lenlerts

lenlerts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
I can't use killbox to delete C:\WINDOWS\System32\systr.dll

It gave me "PendingFileRenameOperations Registry Data has been removed by External Process!" again...and I checked in that folder and can't find that file...

What to do next?
  • 0

#30
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts

Thanks for this...... I really appreciate it. Thanks for staying up...:tazz:

View Post

I don't know what infection is on your computer. I hate that. Still, need to take a nap.

Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.

I'll check back later, don't know if I'll make your deadline though.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP