Can't even post a log or scan, help please! [RESOLVED]



#16
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Done, booted up normally.
Tried to run MSAS and the computer became totally unresponsive.
Had to reboot, go into safe mode. Took a log in safe mode, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:29 PM, on 7/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Bruno\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {177CDD5E-8C7C-0B4D-8EDC-927A1BCC153B} - C:\WINDOWS\ntlr.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ntlr.exe] C:\WINDOWS\ntlr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipqg.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE

And task manager is still disabled.
  • 0



#17
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Ah, new exciting stuff showing up.

In safe mode start Killbox.
First Select Standard File Kill and put a checkmark in End Explorer Shell while deleting file.
Use that on:
C:\WINDOWS\ntlr.dll

Then choose Delete on reboot and use it on:
C:\WINDOWS\system32\ipqg.exe

Let the Reboot go into safe mode.
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: Class - {177CDD5E-8C7C-0B4D-8EDC-927A1BCC153B} - C:\WINDOWS\ntlr.dll

O4 - HKLM\..\Run: [ntlr.exe] C:\WINDOWS\ntlr.exe

O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipqg.exe

Click Start > Run type services.msc > OK
In the list of services find:
Network Security Service (NSS)
Right-click that line and choose Properties.
On the General tab, click Stop and set the service to Disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: NSS

Then boot back to normal mode and just run HijackThis and post the log.
I'd like to see one made in normal mode if at all possible.

Regards,
  • 0
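What Metallica is doing by eye in this reply (spotting the unnamed BHO, the matching ntlr.exe autorun, and the service with a garbled display name) can be written down as a few log heuristics. The following is an added example, not code from this thread or from HijackThis: it parses the O2/O4/O23 lines from the two logs lukero posted (embedded here as constructed sample input, trimmed to those sections), flags the entries that trip a heuristic, and diffs the two logs to show what the cleanup removed. The heuristics and function names are my own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample input: O2/O4/O23 lines taken from the two HijackThis logs
# posted in this thread, trimmed to the sections the heuristics below look at.
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {177CDD5E-8C7C-0B4D-8EDC-927A1BCC153B} - C:\WINDOWS\ntlr.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ntlr.exe] C:\WINDOWS\ntlr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipqg.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
"""

# The same sections from the log posted after the fix.
LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# O4 Run entries: after "[name] " an optionally quoted path ending in an executable extension.
O4_PATH_RE = re.compile(r'\]\s+"?(?P<path>[^"]+?\.(?:exe|dll|scr|com))"?(?=\s|$)', re.I)
# Characters one expects in a real service display name.
SANE_NAME_RE = re.compile(r"^[\w .()&/-]+$")
WINDOWS_ROOT = r"c:\windows"


def parse_log(text):
    """Return (section, body) for every HJT entry line; header and process lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def target_path(sec, body):
    """Best-effort extraction of the file an O2/O4/O23 entry loads; None for other sections."""
    if sec in ("O2", "O23"):
        return body.rsplit(" - ", 1)[-1].strip()
    if sec == "O4":
        if " = " in body and "] " not in body:  # Global Startup .lnk entries
            return body.split(" = ", 1)[1].strip()
        m = O4_PATH_RE.search(body)
        return m.group("path") if m else None
    return None


def find_suspicious(entries):
    """Apply the heuristics and return the entries that trip at least one of them."""
    paths = {e: target_path(*e) for e in entries}
    # base name (without extension) -> sections that load a file with that name
    stems = defaultdict(set)
    for (sec, _), path in paths.items():
        if path:
            stems[ntpath.splitext(ntpath.basename(path))[0].lower()].add(sec)

    hits = []
    for (sec, body), path in paths.items():
        reasons = []
        if sec == "O2" and body.split(" - ")[0] == "BHO: Class":
            reasons.append("BHO has no descriptive name")
        if sec == "O23":
            name = body.rsplit(" - ", 2)[0]
            if name.startswith("Service: "):
                name = name[len("Service: "):]
            if not SANE_NAME_RE.match(name):
                reasons.append("service display name contains odd characters")
        if path:
            if ntpath.dirname(path).lower() == WINDOWS_ROOT:
                reasons.append("binary sits directly in the Windows root, not in a subfolder")
            stem = ntpath.splitext(ntpath.basename(path))[0].lower()
            if len(stems[stem]) > 1:
                reasons.append("same base name loaded from sections " + ", ".join(sorted(stems[stem])))
        if reasons:
            hits.append({"section": sec, "entry": body, "path": path, "reasons": reasons})
    return hits


def removed_entries(before, after):
    """Entries present in the first log but gone from the second, i.e. what the cleanup removed."""
    return [e for e in before if e not in after]


if __name__ == "__main__":
    for h in find_suspicious(parse_log(LOG_BEFORE)):
        print(h["section"], h["path"], "->", "; ".join(h["reasons"]))
    for sec, body in removed_entries(parse_log(LOG_BEFORE), parse_log(LOG_AFTER)):
        print("removed:", sec, body)
```

Run against the first log, the three flagged entries are exactly the three Metallica lists for fixing, and the diff against the second log confirms they are gone. Two caveats: "Unknown owner" on its own is not a signal (Norman's own services show it too, which is why it is not a rule here), and a file in the Windows root is a hint rather than a verdict, since a few legitimate binaries such as explorer.exe live there.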

#18
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I'll go and try this now, I'll be back in 15-25 mins.
If I try and use HJT in normal mode it just does nothing and I can't click on anything etc. Sorry, I'll try it again after I do the new steps.
  • 0

#19
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
I'll be around for a few more hours, so no rush. :tazz:
  • 0

#20
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Ok, I double clicked hjt.exe to start it up and it pretty much locked up (well, couldn't click anything, start menu won't come up, not a full lock up)

Here's a log from safe mode (only way available):


Logfile of HijackThis v1.99.1
Scan saved at 11:24:08 PM, on 7/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Bruno\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE

Task Manager is still disabled.
  • 0

#21
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Can you do a Find Files for taskmgr.*
and let me know what files are found and where?

Regards,
  • 0

#22
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Here you go:
http://img286.echo.c...2/sceeny9yy.jpg
  • 0

#23
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
That never stopped me before. :tazz:

Copy the part in bold below into notepad and save it as taskmgr.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000


Double-click it and confirm you want to merge it with the registry.

That should give you that power back.
Unfortunately that doesn't give us much of a clue as to what disabled it.

Can you use Norman or MSAS in safe mode or not?

Regards,
  • 0

#24
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I can, but not MSAS. Just gives me unknown error.
  • 0

#25
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
You can run Norman?

How long ago was it updated last?

Anyway, do a full system scan and let me know what it found. That might give us some clues.

Regards,
  • 0



#26
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Latest updates, ran a full scan, same things came up. Doesn't seem to be getting rid of 'em. Going to bed now, I've been on this since 5:30PM and it's 1:10AM now. Ouch...
  • 0

#27
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
For tomorrow, since you will be up way earlier than I will.

Download TDS-3 from http://tds.diamondcs...p?page=download
and update it following the instructions here:
http://tds.diamondcs...php?page=update
Then click System Testing > Full System scan.
Have it remove everything it gives you a positive identification of.

Regards,
  • 0

#28
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
That did the trick, scanning with Xoft, MSAS, and ad-aware. Picked up [bleep] of a lot, but I can't get rid of the 3 "search optimizer" etc things in the Add/Remove programs list.
  • 0

#29
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Those are easy (once you know :tazz: )

Copy the part in bold below into notepad and save it as cwsuninst.reg

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Double-click the file and confirm you want to merge it with the registry.
That should do it.

Regards,
  • 0
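Before double-clicking a .reg file someone hands you, it is worth previewing exactly what merging it will do. The following is an added example in Python, not something from this thread or from Regedit: a small parser for the REGEDIT4 format used by both files above (taskmgr.reg from post #23 and cwsuninst.reg from this post, embedded as sample input), which lists every key deletion and value write and reports whether the DisableTaskMgr policy ends up cleared. The function names are my own.

```python
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<del>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')

# Sample input: the two .reg files from this thread, verbatim.
TASKMGR_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"""

CWSUNINST_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
"""


def parse_data(data):
    """Decode the right-hand side of a value line into (type, value)."""
    if data == "-":
        return ("delete", None)
    if data.startswith("dword:"):
        return ("dword", int(data[len("dword:"):], 16))
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("string", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if data.startswith("hex"):
        return ("binary", data)  # left undecoded; a preview only needs to know it is written
    raise ValueError(f"unsupported value data: {data!r}")


def parse_reg(text):
    """Return the list of actions a .reg file performs when merged, in file order."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing .reg header")
    actions, current = [], None
    for line in lines[1:]:
        if line.startswith(";"):  # comment
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            # "[-KEY]" deletes the key and everything beneath it; "[KEY]" creates it if absent
            actions.append({"op": "delete_key" if km.group("del") else "ensure_key", "key": current})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "(Default)" if vm.group("default") else vm.group("name")
            vtype, value = parse_data(vm.group("data"))
            op = "delete_value" if vtype == "delete" else "set_value"
            actions.append({"op": op, "key": current, "name": name, "type": vtype, "value": value})
            continue
        raise ValueError(f"cannot parse line: {line!r}")
    return actions


def review(actions):
    """One human-readable line per action, destructive ones spelled out in capitals."""
    out = []
    for a in actions:
        if a["op"] == "delete_key":
            out.append(f"DELETE KEY   {a['key']}")
        elif a["op"] == "delete_value":
            out.append(f"DELETE VALUE {a['key']}\\{a['name']}")
        elif a["op"] == "set_value":
            out.append(f"SET          {a['key']}\\{a['name']} = {a['type']}:{a['value']}")
        else:
            out.append(f"ENSURE KEY   {a['key']}")
    return out


def task_manager_enabled_after(actions):
    """True if the file sets DisableTaskMgr to 0, False if it sets it non-zero, None if untouched."""
    for a in actions:
        if a["op"] == "set_value" and a["name"] == "DisableTaskMgr":
            return a["value"] == 0
    return None


if __name__ == "__main__":
    for label, text in (("taskmgr.reg", TASKMGR_REG), ("cwsuninst.reg", CWSUNINST_REG)):
        acts = parse_reg(text)
        print(f"== {label}")
        print("\n".join(review(acts)))
        print("Task Manager policy cleared:", task_manager_enabled_after(acts))
```

The preview makes the scope of each file plain: taskmgr.reg writes a single DWORD under HKEY_CURRENT_USER, so it re-enables Task Manager for that user profile only, and cwsuninst.reg deletes three Uninstall subkeys, which takes the entries off the Add/Remove Programs list without touching any files. Because a `[-KEY]` line removes the key and everything under it, this kind of preview is the check to run on any .reg file from a source you do not already trust.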

#30
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Computer is working perfectly now, no problems. Thanks for your help!
  • 0





