Internet Explorer


#1
Deb227

Hi, me again. I am starting a new post because the other one was going on and on. I'm also not sure if this is a new problem or not, so I wanted to start fresh. I still cannot use my Internet Explorer. I'm on a while and then a message comes on that says you have chosen a nonresponsive program, Internet Explorer. Then another message comes on that says Dr Watson Postmortem Debugger has encountered a problem and needs to close. We are sorry for the inconvenience. Then the screen goes back to my icon screen. This also happened when I wanted to use Windows Update.

Another item is that I am not going to purchase The Cleaner, so I want to uninstall it and it will not let me. It tells me: UNINSTALL:

File "C/DOCUME-HERNAN-1/lLOCALS-1/Temp_u14D2N.dat does not exist"

Here is my Hijack Log also: Please let me know. THANKS!!!

Logfile of HijackThis v1.98.2
Scan saved at 1:18:49 PM, on 10/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CCPDPSRV.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\WINDOWS\system32\pctspk.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\assembly\expip.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Compaq 1400P Inkjet Printer\CPQ1400P.EXE
C:\Program Files\CallWave\IAM.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\WINDOWS\system32\bkinst.exe
C:\Documents and Settings\Hernandez\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bhawk.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bhawk.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bhawk.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BlackHawk Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {870B70D4-F6DA-47AE-9158-D146440A0A4D} - C:\DOCUME~1\HERNAN~1\LOCALS~1\Temp\pipxe.dat
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CCPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CCPDPSRV.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [*mcutil] C:\WINDOWS\system\mcutil.exe
O4 - HKLM\..\Run: [*expip] C:\WINDOWS\assembly\expip.exe
O4 - HKLM\..\RunOnce: [*expip] C:\WINDOWS\assembly\expip.exe rerun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\system32\bkinst.exe ren time:1099006750
O4 - Global Startup: CPQ1400P.lnk = C:\Program Files\Compaq 1400P Inkjet Printer\CPQ1400P.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Personal Coach.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab

<_<
#2
-=jonnyrotten=-

Try downloading and installing it again and then uninstall it.

-=jonnyrotten=- <_<

#3
Deb227

Tried that and it didn't work. The same uninstall message comes up. What now? Will it go away when it is through with the free trial? I have 10 days left from when you had me install it before? Also, any ideas about the Debugger? <_<

#4
-=jonnyrotten=-

Put the XP disc in the drive and click Start, Run and type "sfc.exe /scannow" without the quotes and let it fix. Maybe that will work for the debugging. Reboot and let me know.

-=jonnyrotten=- <_<

#5
Deb227

I have a Compaq 5302RSH computer bought 2 years ago. I don't know what XP disc you are talking about. My computer was ready to go when I bought it. I just installed other software like Works, Britannica, Roxio, etc. I don't remember there being an XP disc.

#6
Deb227

Hello, I'm not sure if this is related to all of my problems, but today I was trying to run my Adaware and it said WARNING file reference not found or corrupt? Tried to get updates and it said file not found. What does this mean? Thanks in advance.

#7
theboss

You could download Tune-up Utilities and run the disc and registry cleanups. I had a similar problem with a program that was partially removed, and Tune-up removed the remainder.

#8
Yarnouth

Hi Deb. As I suspected, and due to the nature of spyware, you're infected with malware. More tricky to fix, but I think you know the routine now with the instructions. We'll make them as simple as possible.

These are the lines that have changed:
O4 - HKLM\..\Run: [*expip] C:\WINDOWS\assembly\expip.exe
O4 - HKLM\..\RunOnce: [*expip] C:\WINDOWS\assembly\expip.exe rerun

Remember they were:
O4 - HKLM\..\Run: [*fontsvc] C:\WINDOWS\fontsvc.exe
O4 - HKLM\..\RunOnce: [*fontsvc] C:\WINDOWS\fontsvc.exe rerun

But when you rebooted they would have altered their ID. Next time you're on, post a new log, and try to stay on for as long as you can for the fix.
  • 0
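
The log comparison described in post #8, as an added example that is not part of the original thread: it parses the O4 autorun lines of two HijackThis logs, reports which entries vanished or appeared between them, and lists names registered under both Run and RunOnce with a `rerun` argument. The two sample logs are constructed excerpts using only lines quoted in this thread; the function names are assumptions of this sketch.

```python
import re

# O4 registry autorun line as HijackThis prints it: "O4 - HIVE\..\Key: [name] command"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[(.+?)\] (.+)$")

# Constructed excerpts: the earlier log (lines quoted in post #8) and the later one.
OLD_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [*fontsvc] C:\WINDOWS\fontsvc.exe
O4 - HKLM\..\RunOnce: [*fontsvc] C:\WINDOWS\fontsvc.exe rerun
"""
NEW_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [*expip] C:\WINDOWS\assembly\expip.exe
O4 - HKLM\..\RunOnce: [*expip] C:\WINDOWS\assembly\expip.exe rerun
"""

def parse_o4(log_text):
    """Return {(hive, key, name): command} for every registry autorun line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = command
    return entries

def diff_autoruns(old_log, new_log):
    """Autorun entries that disappeared from, or appeared in, the newer log."""
    old, new = parse_o4(old_log), parse_o4(new_log)
    removed = sorted(k for k in old if k not in new)
    added = sorted(k for k in new if k not in old)
    return removed, added

def rerun_pairs(log_text):
    """Names present under Run and again under RunOnce with a trailing 'rerun'."""
    entries = parse_o4(log_text)
    pairs = []
    for (hive, key, name), command in entries.items():
        if key == "RunOnce" and command.endswith(" rerun"):
            if (hive, "Run", name) in entries:
                pairs.append((name, entries[(hive, "Run", name)]))
    return sorted(pairs)

if __name__ == "__main__":
    removed, added = diff_autoruns(OLD_LOG, NEW_LOG)
    print("gone since last log:", removed)
    print("new in this log:   ", added)
    print("Run + RunOnce 'rerun' pairs:", rerun_pairs(NEW_LOG))
```
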

#9
theboss

Hello Deb,

Please ensure System Restore is disabled before you implement the fixes in HijackThis.

To turn off Windows XP System Restore
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box


Click Apply.

As noted in the message, this will delete all existing restore points. Click Yes to do this.
Click OK.
Proceed with what you need to do. For example, removing viruses. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore
Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply, and then click OK.

#10
Deb227

Yarnouth, hi. I keep trying to fix them and they won't go away. Any suggestions? I hijacked, scan, checked them off, fixed checked, rebooted in safe mode, looked for hidden files and there were none, then logged off and rebooted and ready to hijack so I could copy to send you, and they were still there. What to do? Why is the boss here and do I follow that advice? <_<
#11
Yarnouth

Yarnouth

    Visiting Staff

  • Member
  • PipPipPip
  • 508 posts
Hi Deb, I've no idea who the boss is <_<

Click Here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\WINDOWS\assembly\expip.exe
C:\WINDOWS\assembly\expip.exe rerun

Click 'Exit' when done.

Note: If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacools...ngfilesetup.exe. Then try TheKillbox again.

Next please post a new log. Thanks

#12
Deb227

Hello, I did as you asked and here is what happened. When I copied and pasted one by one then clicked Kill file the following happened:

I clicked and it said confirm the deletion of the following file: I clicked OK then it said

This file cannot be deleted for C:/windows/assembly/expip.exe

And for the C:/windows/assembly/expip.exe rerun it said File does not exist

Now what should I do????

#13
Deb227

Also, when I downloaded the missingfilesetup-1exe. it said that it is an executable file and may contain viruses. Use caution. Are you sure you want to launch this file? Do I have to launch this for the Kill file to work?

#14
Yarnouth

What's happened is that since your last post, you have rebooted your machine. This is a tricky bit of malware we are trying to remove here, and it changes its name. What you need to do is, next time you're on, post a new log and stay online for as long as possible, and somebody will tell you the two newly named files you need to kill. If it doesn't work, get the missing file setup. It is your Windows software that informs you of the problems caused with downloading .exe files. Any instructions from staff here will be tried and tested <_<

So we can only wait now to see the new names in a new log.

#15
Deb227

Hi, Yarnouth, Here is my log: let me know what to do????