Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Windows Taskbar Problems


  • Please log in to reply

#1
Sonicobob

Sonicobob

    Member

  • Member
  • PipPip
  • 19 posts
Hey everyone this is my first post

i have used all of the spyware scanners and virus scanners reccommended before posting

i have recently upgraded my pc from a WIndows ME to a windows XP proffesional system, i had a few problems with hardware conflicts but i sorted those out.

The first problem i noticed was that i had no access to task manager or shutdown on the start menu, supposedly it was disabled by the administrator(me). with the use of your spyware scanners it fixed itself.

the problem which i need your help on now is the taskbar,
When i boot up windows it takes forever to login but once thats done and the desktop loads i have all my desktop icons as normal and they all work but my taskbar is not responding. When i mean not responding i mean when i move the mouse over it i get the sand timer thing and i can press no buttons. I found the only way to get the taskbar back was to end one of three SVCHOST.EXE in task manager. This fixed the taskbar and i now have control of start menu, quick launch and clock.
The problem is i do not have any windows visible, for example if i clicke internet explorer now i would expect internet explorer to open and a box appear in the taskbar. This box in the taskbar does not appear but i can access the explorer page fine.
Also i have found that i cannot copy and paste while in Iexplorer or "open in new window". Some links do not respond either, to get some of the spyware scanners i could not click the link because nothing would happen i had to add the link to my favourites then access my favourites and select that page, it then opened fine???

i am at a loose end i don't know whether closing svchost is causing the problems with the taskbar or not.

I have a current hijack this log and adaware log if is required

Thanks in advance if any one can help me im really stuck with this problem
Drew
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi Sonicobob and Welcome!!

Please do post the HijackThis log!

Also,Are you Right Click and Left Click Functions on the mouse reversed by any chance?
  • 0

#3
Sonicobob

Sonicobob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
thanks so much for helping i have no problem with my mouse buttons at the moment so no swapped buttons sorry

heres the hijack this log for you

this is after i have closed the first svchost which then allows me to use the limited taskbar functions, let me know if you require the log before then

thanks again
Sonicbob


Logfile of HijackThis v1.99.1
Scan saved at 11:40:47, on 24/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Admin\My Documents\My files\Appz\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Vrdt Microsoft Config] wncnmrtd.exe
O4 - Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • 0

#4
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Ok,I need to see a sample of a file but I am unsure of its location!

wncnmrtd.exe

If you find it,Right Click and Select "Send To" then Select Compressed(Zipped)Folder

Email the Zipped Folder here>> filesubmit@charter.net

If located and Submitted,Delete the Zip folder and original file and remove the Instance in HijackThis!
O4 - HKLM\..\RunServices: [Vrdt Microsoft Config] wncnmrtd.exe


I need to see a log from Normal Mode with everything enabled in MSconfig if you can pull that off!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

As I am unsure of the capabilities of the PC while on Normal load,just do the best you can and we will see what we can see in the next post!
  • 0

#5
Sonicobob

Sonicobob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
ok first off i cant find WNCNMRTD.EXE i have searched in windows and it cannot find it even when i include hidden and system files, there is no info on the net about it either so i cannot find it.

secondly i have done a hijack this log from normal mode in msconfig but it took a few weeks to boot up. i have also noticed i have no access to certain websites, scarily hotmail is not accessible. and pages have started saying my browser settings prevent me from redirecting to a new url but they seem fine to me???

and i also noticed that on my tsk manager i have three copies of svchost running but this log only shows one is that correct???

anyway thanks again for your help log is below

Logfile of HijackThis v1.99.1
Scan saved at 10:39:54, on 25/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\gbxsnw.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Admin\My Documents\My files\Appz\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Vrdt Microsoft Config] wncnmrtd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ibin] C:\WINDOWS\System32\gbxsnw.exe
O4 - HKLM\..\RunServices: [Vrdt Microsoft Config] wncnmrtd.exe
O4 - Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • 0

#6
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
No problem!

Try sending me this file in the same fashion

C:\WINDOWS\System32\gbxsnw.exe

If you find it,Right Click and Select "Send To" then Select Compressed(Zipped)Folder

Email the Zipped Folder here>> filesubmit@charter.net

If located and Submitted,Delete the Zip folder

If that log is from Normal Mode then thats the fewest instances of svchost I have ever seen in processes but that doesnt make it bad!

Lets get you cleaned up now!

Go to Add\Remove Programs and remove

DAP(Download Accelrator Plus)

Download Ewido Security Suite, install then from within the program check for updates BUT dont scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), Now close the program.

If you have problems updating see here
http://www.ewido.net...wnload/updates/

Download and Install CleanUp! 4.0
http://downloads.ste...p/CleanUp40.exe

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...torial=62#winxp

Run CleanUp!

Click "Cleanup" and it will Scan and Remove all available Temp files>Click "Close">Click "No" to Logoff!

Scan with Ewido>when prompted>Select to clean and place a check by the box to use this action for all infections!

Once it completes,Click the tab to Save the report and Save it to your Desktop for easy access!

Locate and Delete

C:\WINDOWS\System32\gbxsnw.exe<< File

C:\PROGRAM FILES\DAP<< Folder

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [Vrdt Microsoft Config] wncnmrtd.exe

O4 - HKLM\..\Run: [ibin] C:\WINDOWS\System32\gbxsnw.exe

O4 - HKLM\..\RunServices: [Vrdt Microsoft Config] wncnmrtd.exe

O4 - Startup: PowerReg Scheduler.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with a fresh HijackThis log and the reports from Ewido and Panda
  • 0

#7
Sonicobob

Sonicobob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Ok everything went smoothly exept for the last part. everything worked and ive posted the hijack this log and ewido log below.

the only problem is that i am unable to be redirected to new links on the internet. i tried it on the symantec site and i was forwarded to windows update site to download scripten an update to my script which would fix it but it gave me an error upon installation.

That means i can get to the panda site but when i click the button to scan nothing happens.

sorry everythin else went dandy tho!

Logfile of HijackThis v1.99.1
Scan saved at 18:08:07, on 25/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Admin\My Documents\My files\Appz\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

and ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:39:23, 25/06/2005
+ Report-Checksum: F4E4BC3A

+ Date of database: 25/06/2005
+ Version of scan engine: v3.0

+ Duration: 65 min
+ Scanned Files: 42169
+ Speed: 10.70 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
No infected files found!


::Report End
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Well that looks just peachy to me!!

Lets see about getting some Windows Updates Installed!

First we have to fix some settings it would appear!

Please Download the MVPS HOSTS file
http://www.mvps.org/...p2002/hosts.htm

Here is a link to help you if you need it
http://www.mvps.org/...2002/hosts2.htm

Open up Internet Explorer and Click Tools and Click "Reset Web Settings" if that option is available!

Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC

Double Check all the IE Security Settings by this link
http://www.jfitz.com...ity_config.html

Now try to get Windows Updated,In IE just Click Tools and Click Windows Update!

Post back and let me know how it goes!
  • 0

#9
Sonicobob

Sonicobob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
ok Hosts file was fine downloaded and extracted.

i do not have a sytem restore option tab in my computer, properties, but i am logged on as administrator. i even booted in safe mode to try and logon as the aministrator and i still was not presented with that option. When ever i go into system restore in the start menu it says it "system restore is not able to protect your computer, please restart and try system restore again"

internet security settings adjusted fine

tryed to access win update and still iexplorer says done but nothing has loaded
exactly the same for hotmail!!!

so all in all half worked half didnt.

thanks again
  • 0

#10
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,bear with me,I am having to research some of this as we go!

Click Start>> Run>> Type in Services.msc and Click OK!

Scroll down the list to System Restore Service

Right Click and Select Properties,then be sure its Started and make sure the Startup Type is set to "Automatic"

Close out the Services Page and if any changes were made,Restart and Try to access System Restore again!

Open the Search Assistant(Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by these 3:

Search System Folders
Search hidden files and folders
Search Subfolders

Now under All Files and Folders,enter this into the text box:

wncnmrtd.exe

If you find any exact Matches,please Zip it up by right clicking and select "SendTo" then select Compressed(Zipped)Folder

Email the Zipped Folder here>>filesubmit@charter.net

After that Delete the Zip folder and any exact matches of that file name!

Download and Run Grinlers PFind
http://www.bleepingc...files/pfind.php

UNZIP the contents to a permanent folder and Extract all Files!
So make sure all those files remain in the same folder.

Doubleclick pfind.bat
It will scan for a while, so please be patient.
Wait till the doswindow closes.

Post the contents of C:\pfind.txt in your next reply!

Edited by Cretemonster, 27 June 2005 - 06:06 AM.

  • 0

Advertisements


#11
Sonicobob

Sonicobob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Still no joy with system restore on trying to start the service i get
error 1068 the dependancy group or service failed to start.

Ok no file can be found under the name wncnmrtd.exe. Also i was unable to open start>search i had to open up my computer then in the left pane search for files and folders?????

pfind worked fine i shal post the results below

ta

Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINDOWS folder
C:\WINDOWS\flashax.exe: .aspack
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\Tsc.exe: UPX!
C:\WINDOWS\daemount.exe: UPX!
C:\WINDOWS\daemon.dll: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder
C:\WINDOWS\SYSTEM32\DVDVideo.ax: UPX!
C:\WINDOWS\SYSTEM32\eunsh.exe: .aspack
C:\WINDOWS\SYSTEM32\winhlpp32.exe: UPX!


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 ad-behavior.com
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 u.ad-behavior.com #[Trojan-Downloader.Win32.Qoologic.i]
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 www.ad-behavior.com
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 qoologic.com #[server down?]
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 www.qoologic.com
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 urllogic.com
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 s.urllogic.com
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 u.urllogic.com #[Win32/TrojanDownloader.Qoologic]
C:\WINDOWS\SYSTEM32\Drivers\etc\HOSTS: 127.0.0.1 www.urllogic.com


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\All Users\Application Data folder



Checking the C:\Documents and Settings\Admin\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\Admin\Application Data folder

Edited by Sonicobob, 27 June 2005 - 06:15 AM.

  • 0

#12
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,I need to know if you have any file sharing programs installed on the PC??

I am trying to determine why any daemon files are on this PC!

May be related to Fire Daemon and PC Games but also can be used for malicious reasons!

Please let me know as much as you can about these 2

C:\WINDOWS\daemount.exe

C:\WINDOWS\daemon.dll

Next I need you to Email me a copy of 2 files

C:\WINDOWS\SYSTEM32\eunsh.exe

C:\WINDOWS\SYSTEM32\winhlpp32.exe

Right Click the Desktop and Select Compressed(Zipped)Folder,place a copy of each of those files in it and email it here>>filesubmit@charter.net

Now download and Run the Tool from Symantec
http://securityrespo...er/FxGaobot.exe

Close all the running programs before running the tool.

If you are on a network or you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

Double-click the FxGaobot.exe file to start the removal tool.

Click Start to begin the process, and then allow the tool to run.

Now Completely Shut the PC down and Wait about a Minute,then Start it up in Safe Mode!

Run the Symantec Tool once more!

Restart Normal and Download "The Hoster" from here
http://www.funkytoad...load/hoster.zip

Press "Restore Original Hosts" and press "OK".

Exit Program.

Scan the PC with PFind again and Post those Results!

Let me know if the tool made a positive Identification of any Infection!
  • 0

#13
Sonicobob

Sonicobob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
ok i used to have win mx but that was deleted bout 3 months ago, i still have bit torrent but thats all

daemon was used for cd mounting it was a mounting tool called daemount but you had to install daemon tools aswell

i have found the files you need and will send them to you this afternoon

fx gaobot scanners found nothing on both attempt

original hosts restored

(still no change getting into hotmail tho)

pfind is below

ta

Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINDOWS folder
C:\WINDOWS\flashax.exe: .aspack
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\Tsc.exe: UPX!
C:\WINDOWS\daemount.exe: UPX!
C:\WINDOWS\daemon.dll: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder
C:\WINDOWS\SYSTEM32\DVDVideo.ax: UPX!
C:\WINDOWS\SYSTEM32\eunsh.exe: .aspack
C:\WINDOWS\SYSTEM32\winhlpp32.exe: UPX!


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\All Users\Application Data folder



Checking the C:\Documents and Settings\Admin\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\Admin\Application Data folder
  • 0

#14
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Go ahead Scan these 2 files

C:\WINDOWS\SYSTEM32\eunsh.exe

C:\WINDOWS\SYSTEM32\winhlpp32.exe

Here

Save the results so we can see them,upon any Positive Identification of Infection,Delete the file immediatlty please

Post back with the Results!
  • 0

#15
Sonicobob

Sonicobob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
ok the logs are below winhlpp32 seemed fine but gnush had one suspicious entry.
i also scanned an older file you told me to send a few days ago wich showed up not very good. im struggling to copy and paste the logs cus theyre not in notepad so ill attach the three logs as attachments


scan 1 is eunsh.exe
scan 2 is winhlpp32.exe
scan 3 is gbxsnw.exe

ta

Attached Files


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP