My HiJack This Log


  • This topic is locked

#1
louisethelibrarian

This is my hijack this logfile. I've installed and run AdAware, SpyBot S&D, my antivirus software, and rebooted. I was not able to install CW Shredder, perhaps due to the virus? It would get to a certain point and then say a certain file was not found and then stop. My computer is still very slow and shows a ton of processes running in the Task Manager that I am not allowed to close. I believe this started when a student, trying to be helpful, downloaded a program called Spy Killer.

Logfile of HijackThis v1.99.1
Scan saved at 10:31:51 AM, on 5/2/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
d:\Faircom\ctsrvr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\System32\llssrv.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\system32\RpcSs.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Profiles\Administrator\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\hpztsb06.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O13 - WWW. Prefix: http://
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = se.mediaone.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = se.mediaone.net
O23 - Service: FairCom Server - Unknown owner - d:\Faircom\ctsrvr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: PowerMon II (PM2SVC) - Unknown owner - C:\Program Files\PowerMon II\PM2SVC.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


#2
Daemon

Download and run Silent Runners.vbs from HERE

It generates a log; please post the information back in this thread.

#3
louisethelibrarian

Here is my Silent Runners log; I'm very interested to see what comes next! :)

Louise

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows NT 4.0
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
EXECUTION UNLIKELY: "XPsys" = "C:\WINNT\XPsys.exe" [null data]
EXECUTION UNLIKELY: "Winhost" = "C:\WINNT\yahoo22.exe" [null data]
EXECUTION UNLIKELY: "Winhost1" = "C:\WINNT\yahoo22.exe" [null data]
EXECUTION UNLIKELY: "Winhost2" = "C:\WINNT\yahoo22.exe" [null data]
EXECUTION UNLIKELY: "Winhost3" = "C:\WINNT\yahoo22.exe" [null data]
EXECUTION UNLIKELY: "Winhost4" = "C:\WINNT\yahoo22.exe" [null data]
EXECUTION UNLIKELY: "Ibs314" = "C:\WINNT\ibs314.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Norton Program Scheduler Event Checker" = "C:\PROGRA~1\Navnt\npscheck.exe" ["Symantec Corporation"]
"BrowserWebCheck" = "loadwc.exe" [MS]
"SchedulingAgent" = "mstinit.exe /logon" [MS]
"hpfsched" = "C:\WINNT\hpfsched.exe" [null data]
"QuickTime Task" = ""C:\WINNT\System32\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ADUserMon" = "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" ["Iomega Corporation"]
"Iomega Startup Options" = "C:\Program Files\Iomega\Common\ImgStart.exe" ["Iomega Corporation"]
"Iomega Drive Icons" = "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" ["Iomega"]
"Deskup" = "C:\Program Files\Iomega\DriveIcons\deskup.exe" ["Iomega"]
"HPDJ Taskbar Utility" = "C:\WINNT\System32\spool\drivers\w32x86\hpztsb06.exe" ["HP"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{c7745760-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Iomega\Shell\ImgMenu.dll" ["Iomega Corp."]
"{c7745761-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Iomega\Shell\ImgProp.dll" ["Iomega Corp."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = "URL Exec Hook" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "url.dll" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\System32\ssmarque.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINNT\Profiles\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
"Norton AntiVirus AutoProtect" -> shortcut to: "C:\Program Files\Navnt\navapw32.exe" ["Symantec Corporation"]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\msafd.dll [MS], 1 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

#4
Daemon

I need you to do one more scan. Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.

#5
louisethelibrarian

Here's my MicroWorld Scan results:

File C:\WINNT\XPsys.exe infected by "Trojan-Downloader.Win32.Delf.ia" Virus. Action Taken: No Action Taken.
File C:\WINNT\ibs314.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINNT\88535.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINNT\drexinit.dll infected by "Trojan.Win32.Agent.co" Virus. Action Taken: No Action Taken.
File C:\WINNT\2319.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINNT\59836.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINNT\Profiles\Administrator\Desktop\ioware-w32-x86-311.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINNT\88535.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINNT\drexinit.dll infected by "Trojan.Win32.Agent.co" Virus. Action Taken: No Action Taken.
File C:\WINNT\2319.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINNT\59836.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\DriveIcons\imghr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\0xf9.exe infected by "Trojan-Downloader.Win32.Apher.gen" Virus. Action Taken: No Action Taken.
File C:\all.exe infected by "Trojan-Downloader.Win32.Delf.ia" Virus. Action Taken: No Action Taken.
File C:\misb314.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.

#6
Daemon

Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file to your desktop.

Start Killbox and click on Tools->Delete Temp Files. When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\0xf9.exe
C:\all.exe
C:\misb314.exe
C:\WINNT\2319.exe
C:\WINNT\59836.exe
C:\WINNT\88535.exe
C:\WINNT\drexinit.dll
C:\WINNT\ibs314.exe
C:\WINNT\XPsys.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

Make sure that you have no other browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O13 - WWW. Prefix: http://

Reboot when done. Rescan with HJT and post a new log.

#7
louisethelibrarian

When I unzipped the Pocket Killbox file and tried to install it, I received this message: "Run-time error '453'. Can't find DLL entry point Create Toolhelp32 Snapshot in kernel32."

Any ideas?

#8
Daemon

See if this helps, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

#9
louisethelibrarian

I still get the same message:

Run-time error '453'. Can't find DLL entry point Create Toolhelp32 Snapshot in kernel32.

Louise

#10
Daemon

OK, we can try a different approach. Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O13 - WWW. Prefix: http://

Click on Config then click on Misc Tools. At the new screen click on the 'Delete a file on reboot' button. You will be presented with a dialog asking you to pick a file. Copy and paste:

C:\0xf9.exe

into the file name field and press the open button. Hijackthis will prompt you to reboot, click 'No' and click the 'Delete a file on reboot button' again. In the box that appears copy and paste:

C:\all.exe

Again you will be prompted to reboot, click 'No' and repeat the sequence for all these files:

C:\misb314.exe
C:\WINNT\2319.exe
C:\WINNT\59836.exe
C:\WINNT\88535.exe
C:\WINNT\drexinit.dll
C:\WINNT\ibs314.exe
C:\WINNT\XPsys.exe

After the last file has been entered, when you are prompted to reboot, do so. Rescan with HJT and post a new log here.
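
An added example, not part of the original thread or any poster's reply: it cross-references the startup values from the Silent Runners log in post #3 with the eScan detections in post #5, showing which files on the removal list in posts #6 and #10 are still named by a startup value and which startup values point at files the scanner did not flag. The function names are illustrative, and the sample input is a subset of lines copied from those posts.

```python
import re

# Sample input: a subset of lines copied from this thread (Silent Runners log,
# post #3; eScan output, post #5), including one duplicated detection.
AUTORUNS = r'''
EXECUTION UNLIKELY: "XPsys" = "C:\WINNT\XPsys.exe" [null data]
EXECUTION UNLIKELY: "Winhost" = "C:\WINNT\yahoo22.exe" [null data]
EXECUTION UNLIKELY: "Ibs314" = "C:\WINNT\ibs314.exe" [null data]
"hpfsched" = "C:\WINNT\hpfsched.exe" [null data]
"QuickTime Task" = ""C:\WINNT\System32\qttask.exe" -atboottime" ["Apple Computer, Inc."]
'''
SCAN = r'''
File C:\WINNT\XPsys.exe infected by "Trojan-Downloader.Win32.Delf.ia" Virus. Action Taken: No Action Taken.
File C:\WINNT\ibs314.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINNT\88535.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINNT\drexinit.dll infected by "Trojan.Win32.Agent.co" Virus. Action Taken: No Action Taken.
File C:\WINNT\2319.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINNT\59836.exe infected by "not-a-virus:[bleep]-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINNT\drexinit.dll infected by "Trojan.Win32.Agent.co" Virus. Action Taken: No Action Taken.
File C:\Program Files\Iomega\DriveIcons\imghr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\0xf9.exe infected by "Trojan-Downloader.Win32.Apher.gen" Virus. Action Taken: No Action Taken.
File C:\all.exe infected by "Trojan-Downloader.Win32.Delf.ia" Virus. Action Taken: No Action Taken.
File C:\misb314.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.
'''

AUTORUN_RE = re.compile(r'^(?:EXECUTION UNLIKELY: )?"([^"]+)" = "(.*)" \[(.*)\]$')
SCAN_RE = re.compile(r'^File (.+?) (infected by|tagged as) "?(.+?)"?\.? (?:Virus\. |No Action)')

def exe_path(command):
    """Executable path of a Run value, without surrounding quotes or arguments."""
    m = re.match(r'"?(.+?\.(?:exe|dll|scr))', command, re.I)
    return m.group(1) if m else command

def parse_autoruns(text):
    """Return (value name, executable path, no_publisher) per startup value."""
    rows = []
    for line in text.strip().splitlines():
        m = AUTORUN_RE.match(line.strip())
        if m:
            rows.append((m.group(1), exe_path(m.group(2)), m.group(3) == "null data"))
    return rows

def parse_scan(text):
    """Map lower-cased path -> (path, verdict, label); repeated lines collapse."""
    hits = {}
    for line in text.strip().splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            hits.setdefault(m.group(1).lower(), (m.group(1), m.group(2).split()[0], m.group(3)))
    return hits

def triage(autoruns, hits):
    """Split findings by whether a startup value and a detection agree."""
    infected = {k: v for k, v in hits.items() if v[1] == "infected"}
    referenced = {path.lower() for _, path, _ in autoruns}
    return {
        # File detected and still named by a startup value: remove both.
        "autorun_and_detected": [(n, p, infected[p.lower()][2])
                                 for n, p, _ in autoruns if p.lower() in infected],
        # No publisher data and not flagged by the scanner: review by hand.
        "autorun_unverified_only": [(n, p) for n, p, nopub in autoruns
                                    if nopub and p.lower() not in infected],
        # Detected on disk but not referenced by any startup value listed here.
        "detected_no_autorun": sorted(v[0] for k, v in infected.items() if k not in referenced),
    }

if __name__ == "__main__":
    print(triage(parse_autoruns(AUTORUNS), parse_scan(SCAN)))
```

Deleting a detected file leaves its startup value behind as a dangling registry entry. The O4 lines in this thread's two HijackThis logs cover only HKLM\..\Run and Global Startup, so the Policies\Explorer\Run values appear only in the Silent Runners log.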


#11
louisethelibrarian

Here's my latest logfile of HJT; when I checked on the Task Manager after rebooting, the same files showed up :(

Logfile of HijackThis v1.99.1
Scan saved at 1:10:24 PM, on 5/3/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
d:\Faircom\ctsrvr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\nddeagnt.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\mstinit.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\system32\RpcSs.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\ddhelp.exe
C:\WINNT\Profiles\Administrator\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\hpztsb06.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...?affiliate=wtlv
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = se.mediaone.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = se.mediaone.net
O23 - Service: FairCom Server - Unknown owner - d:\Faircom\ctsrvr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: PowerMon II (PM2SVC) - Unknown owner - C:\Program Files\PowerMon II\PM2SVC.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

#12
Daemon

Your log looks OK now. What exactly are you concerned about showing in Task Manager?

#13
louisethelibrarian

Not only were the same programs (lsass.exe, etc.) still running (and I can't end them), but now my computer turns on, gets to the blue screen, starts checking memory, and then the screen goes blank. I tried hooking up another screen, but the same thing happens. Now what do I do?

Louise

Edited by louisethelibrarian, 03 May 2005 - 01:13 PM.


#14
Daemon

What on earth are you doing? lsass.exe is a legitimate file, see here:

http://www.liutiliti...slibrary/lsass/

If you are shutting down legitimate OS files then I am not surprised you are getting blue screens. What you need to do is re-enable anything you have disabled in Task Manager and post a new HJT log.

#15
louisethelibrarian

Can't viruses hide in lsass.exe and even iexplore.exe? I don't get the blue screen of death, unfortunately, so I can't get into task manager. It shows the black background with the loading/scanning information, gets to memory, goes to 64 whatevers, and then starts checking . . . . . . . .

The computer keeps on running, but there is nothing but a black screen. I even tried adjusting the screen controls, but that wasn't the problem.

Suggestions?

Louise