Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hackered [RESOLVED]


  • This topic is locked This topic is locked

#1
savorsea

savorsea

    Member

  • Member
  • PipPip
  • 12 posts
StartupList report, 6/30/2005, 2:09:16 AM
StartupList version: 1.52
Started from : C:\Program Files\HijackThis\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\igfxtray.exe
C:\Windows\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Windows\system32\PROMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Windows\MXOALDR.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Windows\system32\HPZipm12.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\Windows\system32\igfxtray.exe
HotKeysCmds = C:\Windows\system32\hkcmd.exe
Smapp = C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
DrvLsnr = C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
PROMon.exe = PROMon.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
MaxtorOneTouch = C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
MXO Auto Loader = C:\Windows\MXOALDR.EXE
RoxioEngineUtility = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
AWMON = "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....738&clcid=0x409

[Create & Print ActiveX Plug-in]
InProcServer32 = C:\Windows\system32\AxCtp.dll
CODEBASE = http://www.imgag.com...stall/AxCtp.cab

[{49232000-16E4-426C-A231-62846947304B}]
CODEBASE = http://ipgweb.cce.hp...ads/sysinfo.cab

[MUWebControl Class]
InProcServer32 = C:\Windows\system32\muweb.dll
CODEBASE = http://update.micros...b?1119147187343

[VaPgCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\VAPGDecoder.dll
CODEBASE = http://www.gwcoc.org...ms/h263ctrl.cab

[Creative Toolbox Plug-in]
InProcServer32 = C:\Windows\system32\Crusher.dll
CODEBASE = http://ak.imgag.com/...all/Crusher.cab

[Shockwave Flash Object]
InProcServer32 = C:\Windows\system32\macromed\flash\Flash.ocx
CODEBASE = https://download.mac...ash/swflash.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\popcaploader.dll
CODEBASE = http://playweb06.pog...aploader_v6.cab

[DigWebHelper Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\DigWebX2.dll
CODEBASE = http://photos.msn.co....cab?10,0,910,0

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\Windows\system32\SHELL32.dll
CDBurn: C:\Windows\system32\SHELL32.dll
WebCheck: C:\Windows\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,451 bytes
Report generated in 0.610 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

My browser will not change from Google. Cannot turn off machine without trying to reset to another time. Will not let me reset to another time. I have Lava-soft, Spybot S&D, Norton Anti-Virus, and PConpoint. All up to date, registrated, donated, and running. Thanks for looking.
  • 0

Advertisements


#2
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
ok you ran a startup list, while this is helpful I will need to see a Hijack This scan. please start Hijack this and choose Scan and save log, then please post that log in this thread
  • 0

#3
savorsea

savorsea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
System will not restore to an earlier date. (only way to reboot system, too) CWS, Panda, Norton, Ewido, Adaware SE+, Spybot S&S, PConpoint, and SpywareBlaster can find nothing wrong. Thank YOU for any time or attention on this matter.

Logfile of HijackThis v1.99.1
Scan saved at 10:00:21 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\igfxtray.exe
C:\Windows\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Windows\system32\PROMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Windows\MXOALDR.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Windows\system32\HPZipm12.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\My Sim Zips\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\Windows\MXOALDR.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Animal Ark by pogo - http://playweb01.pog...l-ob-assets.cab
O16 - DPF: Armored Attack by pogo - http://game4.pogo.co...k-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: Canasta by pogo - http://canasta.pogo....a-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.c...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game6.pogo.co...r-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com...o-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.co...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.co...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.co...z-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.co...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.co...e-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.c...r-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game5.pogo.co...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pog...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121139809835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1119147187343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.gwcoc.org...ms/h263ctrl.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/...all/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.co....cab?10,0,910,0
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
savorsea

savorsea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Efwis,
As per our conversation in chat, my logs are clean. I have uninstalled recent adaware programs narrowing it down to two which have been on my system since its beginning (and before the problems.)

My system continues to reset the browser to Google against my resettings even in Safe Mode. All my restore points will not restore to an earlier date as shown after each reboot. Restoring is the only way my computer will shut down.

I have found similar results on a Symantec site regarding a QHost Trojan as it mentions google quite often:
http://securityrespo...jan.qhosts.html

The above response is dated Oct, 2003. My updated Norton/Symantec antivirus program does not mention finding such, so I'm still in a quandry. Also, the mentioned solution of deleting and rewriting in the registry is beyond faith in my computer talents. Am i beyond help?
Respectfully,
savorsea
  • 0

#5
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts

The above response is dated Oct, 2003. My updated Norton/Symantec antivirus program does not mention finding such, so I'm still in a quandry. Also, the mentioned solution of deleting and rewriting in the registry is beyond faith in my computer talents. Am i beyond help?


On my shift your not beyond help :tazz:

Download: StartDreck from:http://www.niksoft.at/download/startdreck.htm] http://www.niksoft.a.../startdreck.htm[/url]
  • Extract the file into c:\startdreck.

  • Navigate to c:\startdreck and double-click on Startdreck.exe

  • When the program opens click on the Config button.

  • Then click on the unmark all button.

  • Put checkmarks in the following checkboxes:

  • Under Registry put a checkmark in the Run Keys checkbox.

  • Under System/Drivers put a check in the Running Proccess checkbox.

  • Press the OK button.

  • Press the Save button.

Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

Then post a copy of that log here for review.
  • 0

#6
savorsea

savorsea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
:tazz:

StartDreck (build 2.1.7 public stable) - 2005-07-14 @ 13:51:07 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Administrator at MISTYPA

舞egistry
舞un Keys
翟urrent User
舞un
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
舞unOnce
聞efault User
舞un
舞unOnce
腿ocal Machine
舞un
*IgfxTray=C:\Windows\system32\igfxtray.exe
*HotKeysCmds=C:\Windows\system32\hkcmd.exe
*Smapp=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
*DrvLsnr=C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
*PROMon.exe=PROMon.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
*Advanced Tools Check=C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
*MaxtorOneTouch=C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
*MXO Auto Loader=C:\Windows\MXOALDR.EXE
*RoxioEngineUtility="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
*RoxioDragToDisc="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
*RoxioAudioCentral="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
*KernelFaultCheck=%systemroot%\system32\dumprep 0 -k
*AWMON="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
舞unOnce
舞unServices
舞unServicesOnce
舞unOnceEx
舞unServicesOnceEx
肇iles
艋ystem/Drivers
舞unning Processes
+0=<idle>
+4=<system>
+424=\SystemRoot\System32\smss.exe
+472=\??\C:\Windows\system32\csrss.exe
+496=\??\C:\Windows\system32\winlogon.exe
+540=C:\Windows\system32\services.exe
+552=C:\Windows\system32\lsass.exe
+704=C:\Windows\system32\svchost.exe
+760=C:\Windows\system32\svchost.exe
+824=C:\Windows\System32\svchost.exe
+868=C:\Windows\System32\svchost.exe
+1040=C:\Windows\System32\svchost.exe
+1180=C:\Windows\Explorer.EXE
+1292=C:\Windows\system32\spoolsv.exe
+1320=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+1540=C:\Windows\system32\igfxtray.exe
+1548=C:\Windows\system32\hkcmd.exe
+1556=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
+1564=C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
+1572=C:\Windows\system32\PROMon.exe
+1580=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+1604=C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
+1612=C:\Windows\MXOALDR.EXE
+1628=C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
+1636=C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
+1652=C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
+1660=C:\Program Files\Messenger\msmsgs.exe
+1668=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
+1688=C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
+1952=C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
+360=C:\Program Files\Norton AntiVirus\navapsvc.exe
+392=C:\Windows\System32\NMSSvc.exe
+800=C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
+912=C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
+1052=C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
+1472=C:\Windows\System32\svchost.exe
+1488=C:\Windows\system32\wdfmgr.exe
+1452=C:\Windows\system32\MsPMSPSv.exe
+1516=C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
+2596=C:\Windows\System32\alg.exe
+3284=C:\Windows\system32\HPZipm12.exe
+3972=C:\Program Files\Internet Explorer\iexplore.exe
+468=C:\startdreck\StartDreck.exe
翠pplication specific
  • 0

#7
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
well that log is clean also, here is what to try, totally unistall spybot and then remove the folder also. there is a possibility that tea-timer is causing the issue.



You will also need to find and remove this folder.

C:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
to make sure we get it all.
  • 0

#8
savorsea

savorsea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Spybot is gone. TrayApp error window arises on startup, system wants a CD to reload TrayApp and is very persistent about reappearing when canceled. Google is still returning.... A search for TeaTimer returned:
TEATIMER.EXE - 1F57E47A.pf in C\WINDOWS\Prefetch

No problems arose when trying to restart through the Spybot uninstall process.
  • 0

#9
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
please do the following,

show hidden files & Folders, this can be done by looking at the instructions at This Webpage http://www.xtra.co.n...1916458,00.html


next navigate to and remove this file
C\WINDOWS\Prefetch\TEATIMER.EXE - 1F57E47A.pf

reboot, and then try and reset your home page, let us know what happens. it appears the problem may be that tea-timer is stuck.
  • 0

#10
savorsea

savorsea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Need any searches on Google?

Google returns and moaning is getting redundant....


note: DO NOT TAKE THIS PERSONALLY !!!
  • 0

Advertisements


#11
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
ok, so we know its nor spybot doing it, I need to have you try something. we think we may know th ecasue of htis issue, but won't know for sure until you do as followed.

first please uninstall ewido and remove the folder like you did for spybot.

next, is the hard one to swallow. there is a possibility that Norton is your issue. but to be sure is it the Norton Security Suite?? If it is plese check your permissions on it.

you should be able to do this in the program. If not then follow the following directions I have posted.

WARNING: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Modify only the keys specified. See the document How to back up the Windows registry before proceeding.

Note: When verifying permissions in Windows NT, verify that the Creator/Owner account has full rights to the registry keys listed. To propagate permissions to subkeys in Windows NT, place a check next to "Replace Permissions on Existing Subkeys."

To edit the registry

1. Click Start, and then click Run.
2. Type regedt32.exe in the Run box, and then click OK.
3. Navigate to the following subkeys:

HKEY_LOCAL_MACHINE\Software\Intel\
HKEY_LOCAL_MACHINE\Software\Symantec
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

For each of these keys, ensure that both System and Administrators have Full Control.


To check the rights on registry keys in regedt32

1. Select the desired key.
2. From the menu bar, click Security, and then click Permissions.
3. If the Administrator and System accounts do not have full control, add them. Ensure that Deny is not checked for any rights.
4. Click "Advanced."
5. Click "Reset permissions on all child objects and enable propagation of inheritable permissions", and click OK.
6. Click Apply, and then click OK.
7. Close the Registry Editor.

then let us know what happened.
  • 0

#12
savorsea

savorsea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Not finished with your last instructions yet, and being very careful not to get something wrong.

My system is WinXP 2P not WinNT as in your last post, ergo will running "regedit" in Run Mode rather than regedt32.exe suffice?

The backup program will not let me pick a destination, and chooses A: drive (floppy) for "Backup Media or File Name" (see attachment) and not sure this will backup my system as you direct.

Attached Thumbnails

  • backup.JPG

  • 0

#13
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
hi savorsea,

in reference to your system being Win xp, the commands listed are not program specific, if you type in regedt32 exactly as it shows, it will work. its just the way symantec has you going to the registry editor.

AS fo rthe system backup, it will choose the A: drive so that you would be able to merge it back to the registry should an error happen, if you accidently removed a necessary entry in the registry you would only be able to boot to "DOS" mode. so you would have to use the A: drive to repair the entry.
  • 0

#14
savorsea

savorsea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Just a tad overwhelmed here. Began the Registry Backup (only clicked on System State) System will not accept saving to a CD-RW but to a 3.5 floppy. With over 2000 files to save, this will take many floppys, as well over 5 hours to save everything by the info window. Any way to put this save on a CD? Is this why you say "hard to swallow?"
  • 0

#15
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
wow, thats a large registry.

No the hard to swallow part is that Norton may be causing your issues.

If your ok with it I have a link to a free Anti-virus program that is better then Norton by far. it updates daily and scans daily. It also uses 2/3 less resources then norton :tazz: as for a firewall I also have a free version of that I can link you too that once again is better then Norton.

Your choice, if you woul drather go that route let me know and I will get you the links. then all you have to do is uninstall norton, and not have to mess in the registry at all.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP