Sorry for such an off-the-wall problem here. I am helping my friend fix a problem with his PC. I was able (through Ad-Aware and Spybot S&D) to remove over 400 programs and registry keys (at least they said they removed them). Then I was able to trick a search bar (stcloader and stc(something)) into getting off the system in a roundabout way (opening a cmd prompt, stopping the explorer service and anything else that was not needed by Windows and would let me, then deleting files).
When I posted it told me not to post a HijackThis log unless requested, but I think one is needed here because I don't know what all IS on this computer anymore that is causing the problems (there is so much I think still left).
Logfile of HijackThis v1.97.7
Scan saved at 12:50:48 AM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\Explorer.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\nxsnkhzm.exe
C:\WINNT\System32\dp-him.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINNT\System32\dmskui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\Wlrb9SH.exe
C:\WINNT\System32\Tufc6sZ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\ComputerFixes\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: (no name) - {029BB53A-C312-4b09-9B4F-ED57AF027B28} - C:\WINNT\winhlp32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINNT\System32\mseggo.gif
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [tjdeeudyknoz] C:\WINNT\System32\nxsnkhzm.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Ylf4.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.exe C:\WINNT\bxxs5.dll,DllRun
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msgked.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Mw47RSa4S] dmskui.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

I then did what Abnormal said in a post once and downloaded 2xExplorer, and here is the file listing he said he would like to see:
NAME SIZE MODIFIED
AznG.exe 233,482 7/1/2004 4:31:07 PM [C:\WINNT\system32]
Bbbs.exe 233,482 7/1/2004 4:31:07 PM [C:\WINNT\system32]
IviUdB.exe 233,482 7/1/2004 4:31:07 PM [C:\WINNT\system32]
Jufsa7x.exe 458,762 7/1/2004 4:31:06 PM [C:\WINNT\system32]
SqfgN9.exe 233,482 7/1/2004 4:31:07 PM [C:\WINNT\system32]
Tufc6sZ.exe 233,482 7/1/2004 4:31:07 PM [C:\WINNT\system32]
UbgrYPnp.exe 458,762 7/1/2004 4:31:05 PM [C:\WINNT\system32]
Wlrb9SH.exe 233,482 7/1/2004 4:31:07 PM [C:\WINNT\system32]
Ylf4.exe 458,762 7/1/2004 4:31:05 PM [C:\WINNT\system32]
---------------
9 item(s); 2,777,178 bytes in total

I was able to get a lot of the stuff off, but the rest are kicking the heck out of me.
Can anyone help?
Sorry I could not give any more information, but I will see what I can do on my own until someone is able to help (I would hate to have to reblast this PC with Windows again and have him lose what is on it).
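As an added illustration (not code from this thread or from any of the tools named in it), here is a small Python triage script for the two formats posted above: it parses the HijackThis running-process and O4 autorun lines and the 2xExplorer "NAME SIZE MODIFIED" listing, then cross-references them to show, for each dropped file, whether it is running, which Run value (if any) persists it, and which other files share its exact byte size (the nine files above are only two distinct payloads written within seconds). The sample lines are a constructed excerpt copied from the log above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shapes seen in the post: HijackThis running-process and O4 lines,
# plus a 2xExplorer "NAME SIZE MODIFIED [DIR]" listing (values copied from the log above).
HJT = r"""C:\WINNT\System32\Wlrb9SH.exe
C:\WINNT\System32\Tufc6sZ.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Ylf4.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe"""
LISTING = r"""Tufc6sZ.exe 233,482 7/1/2004 4:31:07 PM [C:\WINNT\system32]
Wlrb9SH.exe 233,482 7/1/2004 4:31:07 PM [C:\WINNT\system32]
Ylf4.exe 458,762 7/1/2004 4:31:05 PM [C:\WINNT\system32]
AznG.exe 233,482 7/1/2004 4:31:07 PM [C:\WINNT\system32]"""
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
LIST_RE = re.compile(r"^(\S+) ([\d,]+) (\S+ \S+ [AP]M) \[(.*)\]$")

def parse_hjt(text):
    """Split a HijackThis log into running-process paths and O4 autorun entries."""
    procs, runs = [], []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            runs.append({"hive": m[1], "key": m[2], "value": m[3], "cmd": m[4].strip('"')})
        elif re.match(r"^[A-Za-z]:\\", line):
            procs.append(line)
    return procs, runs

def parse_listing(text):
    """Parse the 2xExplorer 'NAME SIZE MODIFIED [DIR]' rows; sizes carry thousands separators."""
    rows = [LIST_RE.match(l) for l in text.splitlines()]
    return [{"name": m[1], "size": int(m[2].replace(",", "")), "modified": m[3], "dir": m[4]}
            for m in rows if m]

def triage(hjt_text, listing_text):
    """For each listed file: is it a running process, which Run value (if any) persists it,
    and which other files share its exact byte size (copies of the same dropped payload)."""
    procs, runs = parse_hjt(hjt_text)
    files = parse_listing(listing_text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in procs}
    persisted = {r["cmd"].rsplit("\\", 1)[-1].lower(): r["value"] for r in runs}
    by_size = defaultdict(list)
    for f in files:
        by_size[f["size"]].append(f["name"])
    return {f["name"]: {
                "running": f["name"].lower() in running,
                "run_key": persisted.get(f["name"].lower()),
                "same_size_as": sorted(x for x in by_size[f["size"]] if x != f["name"])}
            for f in files}
```

Feeding the full log and listing from the post into `triage` shows which of the random-named files also have a Run value pointing at them, which is the set to clear from the registry before deleting the files.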

I can see an instance of the Peper trojan, but the link I had does not work any more.
Others who know more will post.
D4

Hi Sunnman: you have a mess there, and this forum is inadequate for helping you because of the way it is set up (not the quality of posters here!).
Please see "What is 'about:blank'?" a few posts above this one for my post on where to go.

Thank you for your reply. I have done as you said and am awaiting a response from that forum now.
On a side note: I may have been able to get rid of most (if not all) of the stuff installed by going into safe mode. So far no adverse effects, and the only thing I see may happen now is when I give it back to my friend and we put it back on the net.

WinTools is a download trojan; it will download popups faster than you can close them down if you have a fast internet connection.
Look in Add and Remove Programs and remove WinTools there if found. Delete all files in the directory WinTools and the directory WinTools.
I had this one a couple of weeks back. Spybot S&D, Ad-Aware, CWShredder, SpySweeper: none of them picked it up.

You have Wintools among other things:
WinTools:
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
C:\WINDOWS\System32\SWin32.dll
C:\Program Files\TV Media\Tvm.exe
These seem always to be together.

Windows Startup On-Line explains what the known startup programs are.
This is a list of CWS Domains.
Sysinfo.org has a list of CLSIDs to search against.
LI Utilities is great to check Windows processes.
And as always there is Google. Google the file in question and you can gather a whole lot of information.
This should give you a good start. You can also learn a lot by reviewing the
Tom Coyote forum: http://forums.tomcoyote.com/index.php?act=idx
Post your HJT log here:
http://forums.spywareinfo.com/
You can do so without permission; read the FAQ first, and... good luck...
Thresher

That svchost file that you have listed a few times came up as a trojan on my system...
I had about 3 listings of it, myself, before I removed them...
I saw this link posted by a user named Bryce **gotta give him the credit since he posted it up for our benefit**
but I found it to be extremely helpful.. http://www.sysinfo.org/startuplist.php
Should've taken a darn class on this stuff... lol
