Tom's Guide | Tom's Hardware | Tom's Games
I've got this trojan virus or something on a friend's computer that I cannot narrow down. Here is what I have done. At first nothing would work; I kept getting "Windows cannot locate the program." I ran the EXE file association fix from http://www.dougknox.com and got that corrected. Now I know there is something active because Task Manager will not work, and neither will Norton AntiVirus. I checked for the following trojans: Backdoor.OptixPro.10 or Backdoor.OptixPro.12. It doesn't seem to be them. I did run HijackThis and found a program running named "Winkjhn.exe" in the \windows\system32 folder, and when I deleted that most of the toolbar icons came back. Task Manager still will not run in normal mode, only in safe mode. If it will help I will post the HijackThis log. Any hints on what this is?

Well, I spoke too soon! I believe it is the winkjhn.exe file. But I could be wrong!
Here is my HijackThis log...
Logfile of HijackThis v1.96.0
Scan saved at 10:38:36 PM, on 8/13/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Winkjhn.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\PROGRA~1\BMCENT~1\BMLauncher.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\PROGRA~1\Save\Save.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\cgtask.exe
C:\Program Files\Hotbar\bin\3.0.100.0\HBinst.exe
C:\WINDOWS\mscvb32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Date Manager\DateManager.exe
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\WINDOWS\WallADay.exe
C:\Program Files\Smartek\WordSmart\trayicon.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for ~our_details5.zip\details.pif
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {197DBB33-2BDB-41A0-A0A3-C134BC89BF40} - C:\WINDOWS\SYSTEM32\mbho.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\3.0.99.0\HbHostIE.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\3.0.99.0\HbHostIE.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [System MScvb] C:\WINDOWS\mscvb32.exe
O4 - HKLM\..\Run: [Cgtask Services] C:\WINDOWS\System32\cgtask.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SSK Service] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for ~our_details5.zip\details.pif
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\3.0.100.0\HBinst.exe /Upgrade
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [System MScvb] C:\WINDOWS\mscvb32.exe
O4 - HKCU\..\Run: [SSK Service] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for ~our_details5.zip\details.pif
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: WallADay.lnk = C:\WINDOWS\WallADay.exe
O4 - Global Startup: WordSmart Tray Icon.lnk = C:\Program Files\Smartek\WordSmart\trayicon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Java Client 2.0.0.66 - http://chat.facethejury.com:8000/Java/cs4ms066.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs7.chat.yahoo.com/v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,9/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4023.cab

You might try an online virus scan at either Panda or HouseCall to see if they can identify anything.
Good luck.

Hi TB,
FIRST you must get rid of the W32.Blaster.Worm using either the removal tool from http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
OR
You could try this REALLY easy one click solution…Worm Blaster remover (anti_blaster.zip)
http://www.dslreports.com/forum/remark,7662765~root=security,1~mode=flat
-------------------- Quote:
"As I designed the cleaner I thought about usability and simplicity. I tried to offer a "one click solution". That's why the cleaner does things that seem to be illogical. But well ... let's explain why it does all those things. Normally you will first clean your system and then install the patch. That means after disinfecting you are still vulnerable, so you have a high chance of getting infected again. I registered a port access to 135 about every half minute. That means it would only take 30 seconds to get infected again. Well ... I guess it's impossible to download and install the patch within 30 seconds. That's why the cleaner stays active after cleaning. It prevents the worm from installing again. Quite simple - isn't it?
The cleaner also adds itself to the autostart so it's started every time the system boots. That has 2 simple reasons:
1. If the download server of Microsoft is too busy you are still protected until you get the patch - even if you restart your computer.
2. Some of you will install the patch using Windows Update. In fact Windows Update will first install service packs etc. that need a reboot. To stay protected after the reboot the cleaner has to be loaded again. I guess many people will forget this step and while they download the updates they will get infected again. So I decided to let the cleaner start automatically until you uninstall it using the "Add/Remove software" function inside your "Control Panel"."
You must install the Microsoft security patch using Windows Update; I believe anti_blaster.zip will prompt you to do so. And boy, I hope you don't get hit by the variants W32.Blaster.B & C before you complete the patch.
---------------------
NOW you can continue on….
Run an updated Spybot Search and Destroy (LOL, well maybe not, as you're having problems with it), fix all items in RED and reboot. Then, after closing all browser windows, fix the remaining items listed below using HijackThis, and then reboot again.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
IPInsight - See http://www.doxdesk.com/parasite/IPInsight.html
O2 - BHO: (no name) - {197DBB33-2BDB-41A0-A0A3-C134BC89BF40} - C:\WINDOWS\SYSTEM32\mbho.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll
New.net - See http://www.doxdesk.com/parasite/NewDotNet.html
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\3.0.99.0\HbHostIE.dll
HotBar - See http://www.doxdesk.com/parasite/HotBar.html
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\3.0.99.0\HbHostIE.dll
See HotBar above
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
Part of Gator advertising spyware - See http://www.doxdesk.com/parasite/Gator.html and http://www.thiefware.com/info/data.gator.shtml
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
Rebranded version of SaveNow advertising spyware
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
See New.net above
**** O4 - HKLM\..\Run: [System MScvb] C:\WINDOWS\mscvb32.exe
Added as a result of the SOBIG.C VIRUS!
**** O4 - HKLM\..\Run: [Cgtask Services] C:\WINDOWS\System32\cgtask.exe
Added as a result of a VIRUS related to the SOBIG.E VIRUS!
**** O4 - HKLM\..\Run: [windows auto update] msblast.exe
W32.Blaster.Worm - See http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
**** O4 - HKLM\..\Run: [SSK Service] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for ~our_details5.zip\details.pif
SSK Service is usually the result of the SOBIG.E VIRUS! See http://www.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\3.0.100.0\HBinst.exe /Upgrade
See HotBar above
**** O4 - HKCU\..\Run: [System MScvb] C:\WINDOWS\mscvb32.exe
Added as a result of the SOBIG.C VIRUS! - See http://www.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html
**** O4 - HKCU\..\Run: [SSK Service] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for ~our_details5.zip\details.pif
SSK Service is usually the result of the SOBIG.E VIRUS! See http://www.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
Date Manager - calendar program. Spyware/adware-based, provided by The Gator Corporation
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
Spyware
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
Gator spyware variant. See http://www.doxdesk.com/parasite/Gator.html
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
User interface for HP Center below
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
Based upon HP's own description from http://www.hp.com/hpinfo/newsroom/press/12oct01a.htm - "With the My HP Center, consumers have access directly from the desktop to Internet sites featuring special offers for HP customers ranging from personal finance and shopping to digital imaging and music" - classified as adware.
O4 - Global Startup: WallADay.lnk = C:\WINDOWS\WallADay.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Do not fix these O10 entries using HijackThis. Spybot S&D should fix these when it removes New.net, if it does not you must repair the Winsock 2 settings using LSPFix from http://www.cexx.org/lspfix.htm
----------------------
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
After reboot then delete the following:
-----------------------
The folder CMEII at C:\Program Files\Common Files\CMEII
The folder Save at C:\Program Files\Save
The folder NewDotNet at C:\Program Files\NewDotNet
The file mscvb32.exe at C:\WINDOWS\mscvb32.exe
The file cgtask.exe at C:\WINDOWS\System32\cgtask.exe
The folder Hotbar at C:\Program Files\Hotbar
The file mscvb32.exe at C:\WINDOWS\mscvb32.exe
The folder Temporary Directory 1 for ~our_details5.zip at C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for ~our_details5.zip
The folder Date Manager at C:\Program Files\Date Manager
The folder Gator.com at C:\Program Files\Gator.com
The folder GMT at C:\Program Files\Common Files\GMT
The file WallADay.exe at C:\WINDOWS\WallADay.exe
As you know, you have/had more than one active Trojan or Virus (identified by ****). HijackThis will have rendered them inactive when you did the above, and by removing the files (specified above) they will not be able to execute anymore. You can also use any removal instructions provided with the links to remove any other traces. You may still have other inactive Viruses/Trojans. Even though Symantec is a good Anti-Virus program (with some Trojan detection), they are not in the Anti-Trojan business. I recommend either TrojanHunter or TDS-3 (both have thirty-day trials).
You can also try an online AV scanner such as
- Panda ActiveScan http://www.pandasoftware.es/activescan/activescan-com.asp
- Trend Micro HouseCall http://housecall.antivirus.com/
I recommend Panda ActiveScan first, Trend HouseCall second, as the two best online scans, in that order. They may detect and remove other Viruses/Trojans also. No one program finds everything.
Recommend updating Windows XP and IE (by the way, if you had done the security updates, you would not have gotten the W32.Blaster.Worm).
Platform: Windows XP currently at SP1
MSIE: Internet Explorer v6.00 currently at SP1
--------------
For a spyware-free future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Four of the most recommended anti-spyware programs are SpywareBlaster, SpywareGuard, Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well protected from spyware.
Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings.
Good Luck cause man you’re going to need it, LOL.

Dale Hutchinson
Hi TB??? LOL, that was the last person I tried to help. No, the above (long) post is for you, Dale Hutchinson.
Mark
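An added example, not code from the original thread and not part of HijackThis: the Python script below applies the same triage to O2/O4/O10 lines that Mark did by hand above. The sample log is a handful of lines constructed in the format of Dale's log, not the full log. The KNOWN_BAD names are the identifications made in the replies above (not an authoritative signature set), and the remaining rules (a bare filename in a Run key, an autorun from a Temp directory, a .pif where an .exe is expected, an unnamed BHO, any O10 Winsock line) are general heuristics of mine that produce items for review, not verdicts.

```python
"""Triage of HijackThis-style O2/O4/O10 lines: flag autoruns worth a closer look."""
import re

# Filenames that the replies in this thread attributed to specific malware.
# Taken from the thread itself; a real triage would use a current signature set.
KNOWN_BAD = {
    "msblast.exe": "W32.Blaster.Worm",
    "mscvb32.exe": "W32.Sobig.C",
    "cgtask.exe": "Sobig.E-related",
    "details.pif": "W32.Sobig.E",
}
# Extensions that are executable but unusual for a legitimate Run-key entry.
RISKY_EXT = {".pif", ".scr", ".bat", ".cmd", ".com"}

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (.*?) = (.*)$")
# Shortest prefix ending in an executable extension, followed by space, comma or end of line.
EXE_RE = re.compile(r"^(.*?\.(?:exe|pif|scr|com|bat|cmd|dll))(?:\s|,|$)", re.I)


def target_of(command):
    """Return the program (or rundll32-loaded DLL) that a Run-key command launches."""
    cmd = command.strip()
    if cmd.startswith('"'):                       # quoted path; arguments follow the quote
        return cmd[1:cmd.find('"', 1)]
    head = cmd.split(None, 1)
    if head and head[0].lower() in ("rundll32", "rundll32.exe") and len(head) > 1:
        cmd = head[1]                             # the DLL, not rundll32, is what runs
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def assess(target):
    """Reasons an autorun target deserves attention; an empty list means nothing flagged."""
    reasons = []
    name = target.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_BAD:
        reasons.append("named in this thread as " + KNOWN_BAD[name])
    if "\\" not in target:
        reasons.append("bare filename: resolved via the search path, location unknown")
    if "\\temp\\" in target.lower():
        reasons.append("runs from a temporary directory")
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in RISKY_EXT:
        reasons.append(ext + " autorun instead of an .exe")
    return reasons


def triage(log_text):
    """Parse a HijackThis log; return [(line, [reasons])] for every flagged entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            reasons = assess(target_of(m.group(m.lastindex)))
        elif line.startswith("O2 - BHO: (no name)"):
            reasons = ["browser helper object registered without a name"]
        elif line.startswith("O10 - "):
            reasons = ["Winsock LSP hook: repair with an LSP tool, not by deleting the line"]
        else:
            reasons = []
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample in the format of the log above (a few lines, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System MScvb] C:\WINDOWS\mscvb32.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [SSK Service] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for ~our_details5.zip\details.pif
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O10 - Hijacked Internet access by New.Net
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    -", reason)
```

Run it as-is and only the mscvb32, msblast, details.pif, unnamed-BHO and O10 lines come back; the HP, QuickTime and AIM entries pass. The "bare filename" rule is the one to read carefully: the log shows msblast.exe with no path at all, which is why the same line would be suspicious even without the name.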

THANKS FOR THE HELP!
I know this computer had more than one. Really learned a lot about cleaning!
Thank you Mark! I will post an update to see if it all clears up.
Dale

hello
Follow www advice, as the wink file is most likely the Klez.
Have a nice day!
neercs retupmoc siht dniheb deppart m'I !em pleH
