|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
![]() |
|
Topic Tools |
#1
|
|||
|
|||
Apparently need a Hijack looked at
I'm seriously new to comuters. I posted my problem over in the win. ME forum, but the sticky note directed me to post in this forum. My computer resources on start up is running at: System: 53%, User 53%, GDI: 86%. After I run a large program, or after my system awakens from stanby, everything is terribly slow. The biggest indicator is how slowly my mouse cursor moves acroo the screen. Any help is appreciated.
Johnny |
#2
|
|||
|
|||
Hey Johnny.
Download HJT HijackThis Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt. Unzip HijackThis into this folder. Launch Hijack This, then press Scan, and press Save Log This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more. Most things are harmless and needed so don't make any changes. Don |
#3
|
|||
|
|||
Thanks Don, appreciate the detailed instructions. Here's the text............
Logfile of HijackThis v1.97.7 Scan saved at 5:19:51 PM, on 5/6/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE C:\WINDOWS\SYSTEM\NVSVC.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE C:\WINDOWS\BCMDMMSG.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\SK9910DM.EXE C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\GATEWAY\GATEWAY INK MONITOR\INKWATCH.EXE C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\WINDOWS\SYSUPD.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE C:\WINDOWS\SYSTEM\VDISPN.EXE C:\HJT\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file) O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:"Keyboard Preload Check" O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~2\INKWATCH.EXE O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [SAClient] "C:\PROGRAM FILES\INSIGHT\BBCLIENT\Programs\RegCon.exe" /admincheck O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT O4 - HKLM\..\Run: [Windows Trace Remover] C:\PROGRAM FILES\WINDOWS TRACE REMOVER\wtr.exe /STARTUP O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE O4 - HKLM\..\Run: [VDISPN] C:\WINDOWS\SYSTEM\VDISPN.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKCU\..\Run: [Windows Trace Remover] C:\PROGRAM FILES\WINDOWS TRACE REMOVER\wtr.exe /STARTUP O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - Startup: PowerReg SchedulerV2.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Encarta Encyclopedia (HKLM) O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM) O9 - Extra button: Define (HKLM) O9 - Extra 'Tools' menuitem: Define (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...924.4470833333 O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab |
#4
|
|||
|
|||
Can anyone tell me what to remove off of here. Thanks.
Johnny |
#5
|
|||
|
|||
Hi again Donkey,
Please restart HJT put a check next to the following, close all open windows and click fix. O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file) O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file) O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE O4 - HKLM\..\Run: [VDISPN] C:\WINDOWS\SYSTEM\VDISPN.exe O4 - Startup: PowerReg SchedulerV2.exe O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB Reboot to safe mode ( by tapping the F8 key on start up ) make sure you can view all hidden folders/files http://www.xtra.co.nz/help/0,,4155-1916458,00.html search for and delete the following in BOLD SYSUPD.EXE VDISPN.exe Restart your computer, restart HJT and post back a fresh log. Don |
#6
|
|||
|
|||
Thanks, again for the help Don. I'm working on this now.
Johnny |
#7
|
|||
|
|||
Got that completed Don. Here's the text.........
Logfile of HijackThis v1.97.7 Scan saved at 9:35:55 AM, on 5/7/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\BCMDMMSG.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE C:\WINDOWS\SYSTEM\NVSVC.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\SK9910DM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE C:\PROGRAM FILES\GATEWAY\GATEWAY INK MONITOR\INKWATCH.EXE C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\WINDOWS\SYSUPD.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE C:\WINDOWS\SYSTEM\ITJ.EXE C:\HJT\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:"Keyboard Preload Check" O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~2\INKWATCH.EXE O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [SAClient] "C:\PROGRAM FILES\INSIGHT\BBCLIENT\Programs\RegCon.exe" /admincheck O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT O4 - HKLM\..\Run: [Windows Trace Remover] C:\PROGRAM FILES\WINDOWS TRACE REMOVER\wtr.exe /STARTUP O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE O4 - HKLM\..\Run: [itj] C:\WINDOWS\SYSTEM\itj.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKCU\..\Run: [Windows Trace Remover] C:\PROGRAM FILES\WINDOWS TRACE REMOVER\wtr.exe /STARTUP O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Encarta Encyclopedia (HKLM) O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM) O9 - Extra button: Define (HKLM) O9 - Extra 'Tools' menuitem: Define (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...924.4470833333 O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab |
#8
|
|||
|
|||
Johnny this is a slippery little bugger.
Please restart HJT put a check next to the following, close all open windows and click fix. O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE O4 - HKLM\..\Run: [itj] C:\WINDOWS\SYSTEM\itj.exe Reboot to safe mode ( by tapping the F8 key on start up ) make sure you can view all hidden folders/files <http://www.xtra.co.nz/help/0,,4155-1916458,00.html> search for and delete the following in BOLD SYSUPD.EXE <<<<< check in upper and lower case for this DPUSYS <<<<<< check in upper and lower case for this itj.exe Restart your computer, restart HJT and post back a fresh log. Don |
#9
|
|||
|
|||
Here you go Don.............
Logfile of HijackThis v1.97.7 Scan saved at 11:01:21 AM, on 5/7/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\BCMDMMSG.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE C:\WINDOWS\SYSTEM\NVSVC.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\SK9910DM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE C:\PROGRAM FILES\GATEWAY\GATEWAY INK MONITOR\INKWATCH.EXE C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\ERENUMS.EXE C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE C:\HJT\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:"Keyboard Preload Check" O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~2\INKWATCH.EXE O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [SAClient] "C:\PROGRAM FILES\INSIGHT\BBCLIENT\Programs\RegCon.exe" /admincheck O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT O4 - HKLM\..\Run: [Windows Trace Remover] C:\PROGRAM FILES\WINDOWS TRACE REMOVER\wtr.exe /STARTUP O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [ERENUMS] C:\WINDOWS\SYSTEM\ERENUMS.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKCU\..\Run: [Windows Trace Remover] C:\PROGRAM FILES\WINDOWS TRACE REMOVER\wtr.exe /STARTUP O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Encarta Encyclopedia (HKLM) O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM) O9 - Extra button: Define (HKLM) O9 - Extra 'Tools' menuitem: Define (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...924.4470833333 O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab |
#10
|
|||
|
|||
OK lets do this.
Make sure your AV is updated, Next Please restart HJT put a check next to the following, close all open windows and click fix. O4 - HKLM\..\Run: [ERENUMS] C:\WINDOWS\SYSTEM\ERENUMS.exe Reboot to safe mode ( by tapping the F8 key on start up ) make sure you can view all hidden folders/files <http://www.xtra.co.nz/help/0,,4155-1916458,00.html> search for and delete the following in BOLD ERENUMS.exe While still in safe mode Press crtl-alt-delete and close everything except for Explorer and systray. Then run a scan with your AV. Restart your computer, restart HJT and post back a fresh log.and a log from your AV if you could please Don |
#11
|
|||
|
|||
Here is the info Don. I did not know how to get the log from the A.V. program. I use AVG, and it came up virus free. Here is the new log........
Logfile of HijackThis v1.97.7 Scan saved at 6:00:07 PM, on 5/7/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\BCMDMMSG.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE C:\WINDOWS\SYSTEM\NVSVC.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\SK9910DM.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE C:\PROGRAM FILES\GATEWAY\GATEWAY INK MONITOR\INKWATCH.EXE C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE C:\WINDOWS\SYSTEM\BDHIDK.EXE C:\HJT\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:"Keyboard Preload Check" O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~2\INKWATCH.EXE O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [SAClient] "C:\PROGRAM FILES\INSIGHT\BBCLIENT\Programs\RegCon.exe" /admincheck O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT O4 - HKLM\..\Run: [Windows Trace Remover] C:\PROGRAM FILES\WINDOWS TRACE REMOVER\wtr.exe /STARTUP O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [BDHIDK] C:\WINDOWS\SYSTEM\BDHIDK.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKCU\..\Run: [Windows Trace Remover] C:\PROGRAM FILES\WINDOWS TRACE REMOVER\wtr.exe /STARTUP O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Encarta Encyclopedia (HKLM) O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM) O9 - Extra button: Define (HKLM) O9 - Extra 'Tools' menuitem: Define (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...924.4470833333 O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab |
#12
|
|||
|
|||
This is giving me the run.
Please Download Adaware from here http://www.lavasoftusa.com/ CHECK FOR UPDATES Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine: check: "Unload recognized processes during scanning." - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine: Check: "Let Windows remove files in use after reboot." Press "Scan Now" - Check option "Use Custom scanning options" - Check option "Activate In-Depth Scan" - Press "Select drives\folders to scan" - Select the active partition which is usually C: Now press "Next" to let Ad-aware scan your drives... It will find a number of "bad" files and registry keys. Right-click in that pane and choose "select all" Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK." Then run this Panda Active Scan Please. Don |
#13
|
|||
|
|||
Thanks for the continued help Don. I'll get this done today.
Johnny |
#14
|
|||
|
|||
I got the ad-aware up and running today, that turned out to be a mess. I had 285 things to be removed. The biggest one was *winpup32*. It took forever to remove it. I'll do the Panda scan tonight and post a new hijack.
Johnny |
![]() |
Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
![]() |
||||
Topic | Topic Starter | Forum | Replies | Last Post |
Apparently i have no video card... | Syrup_fairy | Hardware | 5 | September 10th, 2008 11:32 PM |
HiJack This log needed to be looked at... | Jesse B | Malware Removal | 1 | January 31st, 2006 03:54 AM |
Apparently an old problem | Tommo | Malware Removal | 6 | October 24th, 2005 12:10 PM |
I need a hijack looked at. | donkeykong | Malware Removal | 7 | December 2nd, 2004 11:51 PM |
hijack log need looked at | Deralict | Malware Removal | 1 | June 25th, 2004 02:40 AM |
All times are GMT +1. The time now is 07:58 PM.