When my computer has loaded there are two programs running which I can't seem to remove. One is called Blontula8, the other is fatpammy. I have tried using Hijack This, Norton 2003, Adaware, and Spybot but have not succeeded with any. If I leave the computer for a while and do ctrl alt delete there are then several copies of the above programs running. Please can anyone help? Many Thanks!

What happens when you choose to End Task on each of them? Do they close OK?
Did you try using Add/Remove in the Control Panel after End Tasking them? Post back with answers for more instruction.
Bryan

Go to Start > Run, type msconfig and click OK.
Open the Startup tab and scan the list for something that looks like them.
Deselect anything suspicious.
You can deselect anything in that list temporarily without worry of hurting the system.

Keep ScanRegistry ticked though. Without this if your registry goes awry you will get no help from Windows to put it right.
Derek.W

Download this prcview (link below).
No install.
When it is double-clicked, you see a list of running programs WITH their location. Just delete the bad ones, that's all.
process viewer

In addition to ding's idea, you can use something like "StartupCop" to prevent the programs from automatically running when the computer boots. If they're not running, it'll be much easier to delete them.
Best Luck,
Bob

I only have a problem with the Blontula8 now. I can find where the program is stored (windows/system), I can stop it running using end task and I can delete it from the directory, but when I restart the computer it runs again. Even if I start in safe mode it is running.

I suspect it is stored in the registry.
Download "HijackThis" and run it. This shows all the running tasks (registry based or otherwise). If you see an entry for the program you mention you can then ask Hijack to delete the entry.
Derek.W

If you run hijackthis go ahead and post back the log. I'd be interested in seeing where something is loading from that also runs in safe mode.
Some other things to check: Open win.ini with sysedit or msconfig and see if anything is loading in the run= or load= lines in the [windows] section.
Open system.ini in the same way and check the shell= line in the [boot] section. It should read shell=explorer.exe. Nothing else should be in that line.
I don't know if alterations to the above lines will affect safe mode, but it's something to check.

Here is the hijack this log
Logfile of HijackThis v1.97.7
Scan saved at 09:29:19, on 19/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\MSIAGENT.exe
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\D-TOOLS\DAEMON.exe
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.exe
C:\WINDOWS\SYSTEM\BLONTULA8.exe
C:\WINDOWS\SYSTEM\BLONTULA8.exe
C:\MY DOCUMENTS\HIJACKTHIS.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F0 - system.ini: Shell=explorer.exe msiagent.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BBDial] C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\BT BROADBAND.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [MSI Setup Agent] hnjzljjk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\RunOnce: [MSI Setup Agent] MSIAGENT.exe
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38149.8902199074
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe

Check system.ini as I recommended above. This line in your log:
F0 - system.ini: Shell=explorer.exe msiagent.exe
indicates you've got msiagent.exe also loading in the shell=explorer.exe line.
I only found one link to msiagent on google that discussed that file. There they seemed to think it was a legitimate file but I don't think it should load there.
Then farther down in your log is this:
O4 - HKLM\..\Run: [MSI Setup Agent] hnjzljjk.exe
which indicates msiagent is loading a file named hnjzljjk.exe. That's probably where the blontula8.exe is loading from. Most likely when you boot up, msiagent loads hnjzljjk which copies itself to windows\system as blontula8 and then runs.
Use notepad or sysedit to edit out msiagent.exe loading in system.ini (I'm not sure you can perform that edit with hijackthis). Then have hijackthis remove the line loading hnjzljjk.exe (the O4 line above). Then do a file search and remove all instances of hnjzljjk.exe and blontula8.exe.
Then reboot and see if any of those files show up again. You may want to run hijackthis again but you don't need to post back the log unless the problem persists.

I just noticed this line too:
O4 - HKCU\..\RunOnce: [MSI Setup Agent] MSIAGENT.EXE
This may be a legitimate loading of the file so don't remove it as yet. But it should show up in the startup tab when you run msconfig. Try unchecking it to stop it from loading and see if that has any effect on your system.
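
The log reading done in the posts above (an extra program on the system.ini Shell= line, then the O4 autorun entries tied to it by their value name) can be scripted. This is an added example, not part of any post in the thread; the function names `exe_name` and `analyse` are hypothetical, and the sample lines are copied from the log posted above.

```python
import re

# Lines copied from the HijackThis log posted in this thread (a subset).
SAMPLE_LOG = r"""
F0 - system.ini: Shell=explorer.exe msiagent.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [MSI Setup Agent] hnjzljjk.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\RunOnce: [MSI Setup Agent] MSIAGENT.exe
"""

F0_RE = re.compile(r"^F0 - system\.ini: Shell=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.+)$")
PROGRAM_RE = re.compile(r'"?(.+?\.(?:exe|com|bat|scr|pif))\b', re.I)

def exe_name(command):
    """Lower-cased file name of the program a command line starts."""
    command = command.strip()
    m = PROGRAM_RE.match(command)
    target = m.group(1) if m else command.split()[0]
    return target.rsplit("\\", 1)[-1].lower()

def analyse(log_text):
    """Return (extra programs on the Shell= line, autoruns linked to them)."""
    shell_extras, autoruns = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F0_RE.match(line):
            # shell= should name explorer.exe only; keep whatever else is there
            shell_extras += [exe_name(t) for t in m.group(1).split()
                             if exe_name(t) != "explorer.exe"]
        elif m := O4_RE.match(line):
            autoruns.append(m.groups())  # (registry key, value name, command)
    # Value names of autoruns that start one of the extra shell programs ...
    names = {name for _, name, cmd in autoruns if exe_name(cmd) in shell_extras}
    # ... and every autorun registered under one of those value names.
    linked = [entry for entry in autoruns if entry[1] in names]
    return shell_extras, linked

if __name__ == "__main__":
    extras, linked = analyse(SAMPLE_LOG)
    print("extra shell programs:", extras)
    for key, name, cmd in linked:
        print(f"review: {key} [{name}] {cmd}")
```

The output is a list of entries to review, not a verdict: an entry linked this way still needs the judgment applied in the posts above before anything is removed.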

Thank You DAVEINCAPS
I removed items from system.ini, and with hijackthis. Then ran safe mode to remove blontula and msiagent programs and now for the first time in weeks it has gone (hopefully forever). Thank you for your help; it has saved me formatting and starting from scratch.
Many Thanks again
