texas pete, posted November 18, 2005:

Logfile of HijackThis v1.99.1
Scan saved at 03:32:36, on 18/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMMON FILES\KODAK\KODAK_DR\KODAKCCS.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [irMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KodakCCS] C:\Program Files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "C:\Program Files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202

Steve (Author), posted November 18, 2005:

That's loads better! There's still a couple of things that need sorting though.

Locate this file: -

C:\WINDOWS\TASKMON.EXE

Right click it and choose Copy, then right click on your desktop and choose Paste to make a copy of the file there. Go to this site: -

http://virusscan.jotti.org/

Click the Browse button at the top and select the suspect file on your desktop, then hit the Submit button. It'll be scanned by several different virus scanners.

Whatever happens with that file, you must fix these in HijackThis: -

O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202

If the file you checked out comes back as being a virus, then also fix this: -

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

Then reboot and delete the taskmon.exe file (only if it's infected of course!). It's probably a legitimate Windows ME file, but there are viruses that have the same name.

Once you've done that, download RegSeeker here: -

http://www.snapfiles.com/get/regseeker.html

Run it and choose "Clean the Registry" on the left. Make sure the box at the bottom left is checked to make a backup and that all the boxes on the right hand side are checked, then hit OK! Once the scan is complete, hit Select All at the bottom of the screen and Select All again from the little menu that appears. That highlights all the items. Right click any of them and choose "Delete selected items". Then reboot your PC.

You need to get Sygate and Avast installed too or you'll be reinfected in no time! It's probably a good idea to post another log too, considering your last one wasn't fully clean.

texas pete, posted November 18, 2005:

cheers buddy... i'll get on it tonight!

texas pete, posted November 18, 2005:

i've been through the HijackThis log again and checked off those files. after trying to scan taskmon it didn't finish scanning after about an hour so i left it. tried to download sygate but all the mirrors are down so i'm still without firewall! also regcleaner won't download. the page keeps timing out on me! but that is probably cos of the gaylord opposite me stealing all the bandwidth downloading shitty tv programs that are on tv tonight!!

Steve (Author), posted November 18, 2005:

If that taskmon file is only small, then email it to me and I'll scan it: -

sigma@digitalvertigo.co.uk

Have you fixed the other items I mentioned? You really need to get the firewall and antivirus programs installed ASAP or you'll end up getting infected again.

texas pete, posted November 18, 2005:

what the bally heck is 2erne332.dll? it keeps trying to connect to my system. is this a good thing or shall i keep blocking it?!

oh and does anybody have rundll32.exe? it's gone missing from my computer, now nothing in the control panel works!!! :s

Steve (Author), posted November 18, 2005:

The dll file sounds dodgy. I take it you got the firewall installed then? Post up a new HijackThis log, cos something isn't right.

As for the missing file, have a look in the Windows folder and see if there's a file there called RUN32.EXE. If there is then you have the Sircam virus which has erased your RUNDLL32.EXE file.

texas pete, posted November 18, 2005:

Logfile of HijackThis v1.99.1
Scan saved at 18:17:04, on 18/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMMON FILES\KODAK\KODAK_DR\KODAKCCS.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.digitalvertigo.co.uk/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [irMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KodakCCS] C:\Program Files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "C:\Program Files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [smcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted IP range: 213.159.117.202

Steve (Author), posted November 18, 2005:

You need to fix this: -

O15 - Trusted IP range: 213.159.117.202

Also, upload TASKMON.EXE and MSTASK.EXE to YouSendIt. Did you find the RUN32.EXE file?

Run the Kaspersky online scanner: -

http://www.kaspersky.com/virusscanner

texas pete, posted November 18, 2005 (edited November 18, 2005 by Steve):

*LINK REMOVED* taskmon

texas pete, posted November 18, 2005 (edited November 18, 2005 by Steve):

*LINK REMOVED* mstask.exe

Steve (Author), posted November 18, 2005:

TASKMON is clean. Upload this one for me too: -

WMIEXE.EXE

It's in the Windows\System folder.

*EDIT* MSTASK is clean too.

texas pete, posted November 18, 2005:

scanning it now on that Kaspersky

texas pete, posted November 18, 2005:

it's clean

Steve (Author), posted November 18, 2005:

You need to scan your whole computer there.

texas pete, posted November 18, 2005:

lol! just ran adware and it scored 103 critical objects!

Kper, posted November 18, 2005:

ok here goes, steve if you can help me with this i will be very grateful. i'm gonna look up blue screens of death again in the meantime....

might be worth knowing the following too... for the last week/2 weeks the computer's been throwing blue screens on a constant when turned on, it gets to the login screens and does a dump. the errors i've had include IRQL_NOT_FOUND and the one that starts with PAGE_NOT_FOUND.

Also in the last 2 weeks i've installed a proper copy of Adobe CS2 i got from work. started buggin shortly after so took it off and reinstalled only photoshop and InDesign which i need. then on saturday we cleaned it using spybot, XP tweak and the disk cleanup from windows. after that it seemed a bit better (we were low on free space) but then loads of shit started going wrong... windows media player needed reinstalling and microsoft office went tits up and won't work now unless i reinstall it/put the og cd in (which i don't have anymore).

and errr i think that's pretty much it. i've tried a few things over the last few days, like this command to limit the amount of processes on start up but it doesn't seem to help.

Logfile of HijackThis v1.99.1
Scan saved at 19:53:05, on 18/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\-_PC-M~1\Symantec\DefWatch.exe
C:\-_PC-M~1\Symantec\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\awtray.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Elouise\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.spinscience.org.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Audiowerk Multimedia] awtray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\DRDOOM~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058726uk.exe
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.browserplugin.com/eroticAccess/...1764071_spw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132256717182
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\-_PC-M~1\Symantec\DefWatch.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\-=PC-MAINTENANCE=-\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\-_PC-M~1\Symantec\Rtvscan.exe

Kper, posted November 18, 2005:

ok well i've run Kaspersky online scanner in the meantime. the critical areas scan found this...

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, November 18, 2005 20:32:25
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/11/2005
Kaspersky Anti-Virus database records: 150860
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Elouise\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 17077
Number of viruses found: 6
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 1253 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\istinstall_mpb1126.exe Infected: Trojan-Downloader.Win32.IstBar.by
C:\WINDOWS\Downloaded Program Files\MulDist.ocx Infected: Trojan-Downloader.Win32.Dyfuca.o
C:\WINDOWS\Downloaded Program Files\058726uk.exe Infected: Trojan.Win32.Dialer.ac
C:\WINDOWS\wsem214.dll Infected: Trojan-Downloader.Win32.Dyfuca.dr
C:\WINDOWS\wsem215.dll Infected: Trojan-Downloader.Win32.Dyfuca.do
C:\WINDOWS\wsem216.dll Infected: Trojan-Downloader.Win32.Dyfuca.z

Scan process completed.

doing a full computer scan now... I knew/thought we had some viruses on there, but i've only got a shit version of symantec's anti virus, that regularly tells me they are there but can never do anything about it. keeps saying they are quarantined tho.

Steve (Author), posted November 18, 2005:

OK, download CCleaner from THIS site, install it, but don't run it just yet.

Before you run HijackThis again, create a folder for it, because it creates undo files. Creating one on your desktop is fine as long as you move the hijackthis.exe file into it before you run it.

Run HijackThis and check off the following. The top group definitely need to be fixed. The ones underneath are optional. I've explained each one as best I can: -

Definitely check off all of these: -

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058726uk.exe
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.browserplugin.com/eroticAccess/...1764071_spw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab

Optional items: -

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\DRDOOM~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

I've never seen this entry before. I see you're running the Corporate version of Norton, but have you ever used McAfee products in the past? If you've used some kind of online scan or antivirus tool, then reboot and see if this item still shows in your log. It's set to only run once, so if it constantly reappears, then I'd fix it.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

These two items are related to Alexa that's present on all XP machines. Some people consider it to be an invasion of privacy, but if you use the "Show related links" option in Internet Explorer then these entries are required. If you don't use that option or you don't even know what it does, then fix these items.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

This usually appears when spyware has hijacked your homepage. It's designed to stop people accessing Internet Options to change their browser settings. Unless you have specified this setting yourself, or it's been put there by Norton, then I'd fix this too.

Once you've selected the items you want to fix, close all other windows and hit Fix Checked.

Reboot the PC and run CCleaner to delete any temporary files. You'll lose all your cookies when you do this, so you'll have to log in again to any sites that require passwords next time you visit them.

Next, start IE and hit Tools then Internet Options. Click on the Programs tab and hit the Reset Web Settings button. Hit the Security tab, Internet zone icon and if the security level has been set to low, hit the Default Level button. Click on the General tab and if necessary, re-enter your desired home page and then you must hit Apply, then OK.

You should definitely consider installing Service Pack 2 for XP. You had a dialler, a trojan and some mild spyware, all of which downloaded automatically to your PC through weak browser settings. SP2 adds extra protection to stop this happening.

Blue screens can be caused by all sorts of things. It could be faulty RAM. Your hard disc may have errors on it, or be on the way out. It might be a faulty device driver. If you can give me the complete message that appears on the blue screens, then that will help.

It might be worth running chkdsk manually on the drive. To do that, reboot the PC and tap F8 as it's starting to bring up the boot menu. Choose "Safe Mode with Command Prompt" and log in as Administrator. When you reach a prompt, type the following commands, pressing Enter after each one: -

cd\
chkdsk /f /r

Rather than run a simple disk check, that runs the full 5 stage version of chkdsk that will check for (and fix) file system errors and it will also check the structure of the disk for physical errors. Once it's complete, hit Control/Alt/Delete and from the screen that appears you can reboot back into regular Windows.

Finally, as you've had a couple of infections you may want to clean and compact your registry. This is done in two stages: -

1. Download RegSeeker from THIS site. Install it, run it and choose the Clean the Registry option on the left. Make sure the box at the bottom left of the screen is checked to back up the registry and also make sure all of the boxes on the right hand side of the screen are checked (they should be by default), then hit OK! Once the scan is complete, hit Select All at the bottom of the screen, then Select All again from the little sub-menu that appears. That highlights all of the items. Right click any item and choose "Delete selected items". Once you've done that, exit the program and reboot the PC.

2. Download NTRegOpt from THIS site. Install it, run it and follow the prompts. Once it's done its thing it will reboot your PC and you'll have a nice clean and compact registry.

Try all of these steps and if you're still getting blue screens, come back and post up the full errors.
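
The manual triage in the two helper posts above (the O15 Trusted Zone entries in the first, the R3, O6 and O16 entries in the second) can be expressed as a small log filter. This is an added example, not part of any post in the thread or of HijackThis itself: the function names and the flagging rules are assumptions chosen to mirror the entry types singled out above, and the sample log is constructed with reserved documentation hosts.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the HijackThis 1.99.x layout; every host, CLSID and
# path below is made up for the example (documentation ranges and names).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
R3 - URLSearchHook: (no name) -  - (no file)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.untrusted-example.test (HKLM)
O15 - Trusted IP range: 192.0.2.10
O16 - DPF: {00000000-0000-0000-0000-000000000001} - http://192.0.2.20/setup.exe
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control) - http://downloads.example.com/control.cab
"""

# An entry line is a section code (R0-R3, O1-O23, ...), " - ", then the detail.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_entries(log_text):
    """Return (code, detail) pairs; header lines and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("detail")))
    return entries


def host_is_ip_literal(url):
    """True when the URL's host is a raw IP address instead of a DNS name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Flag entries for manual review. The rules are illustrative heuristics only."""
    findings = []
    for code, detail in parse_entries(log_text):
        reasons = []
        if code == "O15":
            # Anything listed here gets the relaxed Trusted Zone browser settings.
            reasons.append("site or IP range placed in the IE Trusted Zone")
        elif code == "O16":
            match = URL_RE.search(detail)
            if match:
                url = match.group(0)
                if host_is_ip_literal(url):
                    reasons.append("ActiveX install source is a bare IP address")
                if urlsplit(url).path.lower().endswith(".exe"):
                    reasons.append("install source is a raw .exe download")
        elif code == "R3" and "(no file)" in detail:
            reasons.append("URLSearchHook registered with no backing file")
        elif code == "O6":
            reasons.append("policy key restricting access to Internet Options")
        if reasons:
            findings.append((code, "; ".join(reasons), detail))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {detail}")
```

A flagged line is a prompt to look closer, not a verdict: legitimate software can also create O15, O16 or O6 entries, which is why the helper checks files with a scanner before deleting anything.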

Kper, posted November 19, 2005:

okayyyy then. I've done everything:

HijackThis clean up
CCleaner
Kaspersky install and full check
RegSeeker
NTRegOpt
Installed Service Pack 2

the only thing i've not done yet is the chkdsk because when i went to do it it said the system/drive was already in use. so it gave me the option to do it when i restart but nothing happened... is there something i'm missing for that?

Also SP2 has installed the windows security system on my computer. I've disabled the firewall on that as it crashes with Kerio. I've also not turned on auto updates for windows, cos i don't like the idea of microsoft installing what it wants on my machine... should i do it tho? or do it manually every once in a while?

Kaspersky is now running on the regular and i've got to say the comp seems much faster, no blue screens since i started cleaning, no problems booting or rebooting.

So here's the new HijackThis log. Let me know about chkdsk. I can do this pm when i've not got anything to do. And again thanks a ton!

Logfile of HijackThis v1.99.1
Scan saved at 11:24:33, on 19/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\awtray.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Documents and Settings\Elouise\Desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spinscience.org.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Audiowerk Multimedia] awtray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132256717182
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132350680474
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\-=PC-MAINTENANCE=-\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Kper, posted November 19, 2005:

One more thing i forgot. after we cleaned the comp last week microsoft office stopped working. every time you launch word or outlook it asks for the og install disk. still doing it. so should i just uninstall the thing and get a new one?

Lo

Steve (Author), posted November 19, 2005:

SP2 adds some new features to XP, such as the Security Center, but if you've got a good firewall and antivirus program installed then all it does is nag you. You can safely turn it off: -

Hit Start, then Run and type "services.msc" without quotes and hit Enter. Scroll down to the Security Center service, left click it to highlight it, then right click it and choose Properties. On the General tab, there is a drop-down box that says "Startup type:". Change it so it says Disabled, then hit Apply then OK.

While you're on that screen, you might want to disable these services too: -

Indexing Service (Resource hog!)
Messenger (Not required and can be the cause of pop ups)
Windows Firewall/Internet Connection Service (ICS) (Not required unless you are sharing your Internet connection with 2 or more networked PCs and/or you're not using a proper third party firewall)

You can also disable these two: -

Automatic Updates
Background Intelligent Transfer Service

They are both related to automatic Windows Updates. If you update your PC manually by visiting the MS Windows Updates site, then you'll have to re-enable both of these temporarily for it to work. MS usually roll out updates about once a month, so it's worth visiting their site once in a while to get the latest critical updates.

Whichever services you choose to disable, the changes take effect when you reboot. I'd definitely disable Security Center, Indexing Service and Messenger. The rest is up to you. There's a whole lot more you could disable too, but it depends on what you need to do with your PC. I have 41 services disabled.

Your HijackThis log is clean and lean - just how it should be. There's one entry you can fix: -

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

That's a file left over by Norton.

Regarding your problem with MS Office, go to Add or Remove Programs and select it. Instead of hitting Remove, hit Change. Select the Add or Remove Features option at the top and hit Next. On the screen that appears you can select any of the Office features and choose whether to have them run from your PC (no disc required), run from the CD, or not run at all. Select the parts that you want to run from your PC and hit Update. If that doesn't work, you can always try the Repair option or if worst comes to worst you could uninstall it and reinstall it.

The chkdsk problem is odd. It's normal for it to say the drive is in use, but it should kick in once you reboot. Try this: -

Open My Computer
Right click the C drive and choose Properties
Click on the Tools tab
Click the Check Now... button
Check both boxes at the top and hit Start

Again, it should tell you that you need to reboot, but hopefully this time it will kick in. Post back if you have anymore trouble with that.

Kper, posted November 19, 2005:

man that's all dope! Office is fully buggered, so i've uninstalled it and gonna put it back on when i get the cd from my mate. Gonna try the chkdsk thing now. Thanks a lot for everything tho, it's made a world of difference!

Got a mail from F1 btw and cd is on its way, so shoot me your address again so i can post it when it lands.

Lo

Steve (Author), posted November 19, 2005:

Cool mate. I'll PM you now. If you need a copy of Office XP (for backup purposes only of course) then let me know.

Kper, posted November 20, 2005:

ok i had a feeling this was too good to be true. turned the comp on but left it at the login screen for like 10 mins and when i turned around i had another blue screen.

Error name IRQL_NOT_LESS_OR_EQUAL
0x000000A (0xFFB9BF90 0X00000002 0X00000000 0X804F38C0)

rebooted and got a pop up saying windows recovered from a major error

Error log said
BCCode : a
BCP1 : FFB9BF90
BCP2 : 00000002
BCP3 : 00000000
BCP4 : 804F38C0
OSVer : 5_1_2600
SP : 2_0
Product : 768_1

bahhhh! gonna do the show in 10 mins so may not be able to reply asap. if you could let me know if this has any meaning it would be dope. I've had it before and looked it up on the microsoft site and from what i understand it relates to hardware. not installed any hardware in time.