[m|sha]

Hey everyone! I'm a first time poster. Good to be here.. But I've got a problem

Whenever I try to open Regedit or CMD I'm pretty sure I see a Command Prompt window quickly appear and dissapear with the caption "Regedit.com" or "CMD.com"
I'm pretty sure it has to do with the following files but I'm uncertain:
SVCHOST
DLLHOST
SPOOLSV (Because there is no Printer on my computer)

Here's the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:48:27 PM, on 7/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\tcpsvcs.exe
E:\WINNT\System32\snmp.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\mspmspsv.exe
E:\Program Files\WMPCI54G WLAN Monitor\WLService.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
E:\WINNT\Explorer.EXE
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
E:\Program Files\winupdates\winupdates.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINNT\system32\wuauclt.exe
E:\Program Files\Time Sync\time.exe
E:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = google.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] E:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Time Sync] E:\Program Files\Time Sync\time.exe
O4 - HKLM\..\RunOnce: [SymantecCleanUp] E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SymClnUp.exe
O4 - HKCU\..\Run: [SPSTEALT] "E:\Documents and Settings\Administrator\My Documents\Software\HistoryErasor\HistoryEraser.exe" /stealt
O4 - HKCU\..\Run: [Spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CAMEDIA Master.lnk = E:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://ioc.jpn.ph:81/IPV6CAM.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://camera2.tiny.jp/kxhcm10.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://gvshop.cmauto...3/bl_camera.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O20 - Winlogon Notify: NavLogon - E:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - E:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: WMP54GSVC - Unknown owner - E:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)

Edited by m|sha, 29 July 2005 - 07:01 PM.

[Advertisements]

Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. OK, before we go on, I want you to take note of this first. This program will wipe out all files in your Temporary folders, any file extensions that have a tilde (~) in it, .bak files, .chk files, .tmp files and index.dat files. Most of you should be ok with this, but there may be some who need these files. If you are one of them, do not follow this step. Post back a reply telling us about this. So if that's ok, then download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Time Sync
winupdates

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [winupdates] E:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Time Sync] E:\Program Files\Time Sync\time.exe
O4 - HKLM\..\RunOncE: [SymantecCleanUp] E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SymClnUp.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

E:\Program Files\winupdates\
E:\Program Files\Time Sync\

Also, see if you can find and delete these:

C:\Program Files\MsConfigs\
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com

Run CleanUp! and click on CleanUp! button. Once it's done, you may click the Close button. When asked if you want to logoff, choose No.

Restart and run a new HijackThis scan. Save the log file and post it here.

[greyknight17]

Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. OK, before we go on, I want you to take note of this first. This program will wipe out all files in your Temporary folders, any file extensions that have a tilde (~) in it, .bak files, .chk files, .tmp files and index.dat files. Most of you should be ok with this, but there may be some who need these files. If you are one of them, do not follow this step. Post back a reply telling us about this. So if that's ok, then download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Time Sync
winupdates

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [winupdates] E:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Time Sync] E:\Program Files\Time Sync\time.exe
O4 - HKLM\..\RunOncE: [SymantecCleanUp] E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SymClnUp.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

E:\Program Files\winupdates\
E:\Program Files\Time Sync\

Also, see if you can find and delete these:

C:\Program Files\MsConfigs\
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com

Run CleanUp! and click on CleanUp! button. Once it's done, you may click the Close button. When asked if you want to logoff, choose No.

Restart and run a new HijackThis scan. Save the log file and post it here.

[m|sha]

Got it working! Thanks! I also found:

C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com

[greyknight17]

hehehe

OK, where's the new log?

[greyknight17]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.