Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

Notices

Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Reply
 
Topic Tools
  #1  
Old October 29th, 2004, 07:19 AM
bevkoof_no_1 bevkoof_no_1 is offline
New Member
 
Join Date: Oct 2004
Posts: 17
cannot open my add remove program

I cannot open my add remove program (it opens but my PC freezes) until i use task manager to close the program even my sub menu's takes ages to open else the PC works superfast. the log appended below from HijackThis without the browser i have tried the solution given on the WINXP threadplease help me.

I am sorrry to post this again


Logfile of HijackThis v1.98.2
Scan saved at 11:32:57 AM, on 29/Oct/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\NVATray.exe
C:\CCProxy\CCProxy.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Administrator\Application Data\rrrt.exe
C:\Program Files\SpamWeasel\spamweas.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\WINDOWS\system32\Notepad.exe
C:\ht\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.in/0SEENIN/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bseindia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwww.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://moneycontrol.com/stocks/index.php
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0. dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IEEventTrapper Class - {47D5A45E-6B1A-11D7-BA96-000021F32E38} - C:\WINDOWS\Sify\COMPON~1\IEINTE~1.DLL
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0. dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.hi\msntb.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [CCProxy] C:\CCProxy\CCProxy.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Dbwl] C:\Documents and Settings\Administrator\Application Data\rrrt.exe
O4 - Startup: SpamWeasel.lnk = C:\Program Files\SpamWeasel\spamweas.exe
O4 - Startup: YahooPOPs.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://TryToImproveSecurity.com/fa/x.chm::/load.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...1a0351cafa03db
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://liverep.esignal.com/netagent/.../custappx3.CAB
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23ea10ff...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dtitrader.webex.com/client/l...ng/ieatgpc.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/downplain.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://216.65.38.226/crack.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) - http://microsoft.com/security/controls/DoomChk.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{21AC49AC-3652-43F9-9C98-B5C64DDF58C6}: NameServer = 202.9.145.94 202.9.145.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
Reply With Quote
  #2  
Old October 29th, 2004, 09:31 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Welcome to CTH bevkoof_no_1, you have some nasties onboard. Go here and download CWShredder but do not run it yet.

Close Internet Explorer and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.in/0SEENIN/SAOS01

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwww.com/bar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)

O4 - HKCU\..\Run: [Dbwl] C:\Documents and Settings\Administrator\Application Data\rrrt.exe

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://TryToImproveSecurity.com/fa/x.chm::/load.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...a0 351cafa03db

O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://liverep.esignal.com/netagent...s/custappx3.CAB

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23ea10f...ip/RdxIE601.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/downplain.cab

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://216.65.38.226/crack.CAB

Run CWShredder now. Click on Fix and reboot afterwards. Post a new Hijack This log.

I dont know what the below BHO does so lets just disable it for now.

O2 - BHO: IEEventTrapper Class - {47D5A45E-6B1A-11D7-BA96-000021F32E38} - C:\WINDOWS\Sify\COMPON~1\IEINTE~1.DLL


Go here, download and install BHO Demon and use it to disable that BHO only. Could you please navigate to C:\WINDOWS\Sify\COMPON~1 and copy IEINTE~1.DLL, zip it up and send it to me please. My email address is anniefriday@boomspeed.com. Thanks. Also post back a new Hijack This log.

Transferring to the Cyber Safety Forum.
Reply With Quote
  #3  
Old October 29th, 2004, 12:11 PM
bevkoof_no_1 bevkoof_no_1 is offline
New Member
 
Join Date: Oct 2004
Posts: 17
Post Thanks a lot AnnMarie for your help the new HijakThis log

Thanks a lot AnnMarie for your help I fix checked all the lines given by you and ran CWShredder which said "your PC had no infection"

PC is visibly faster and the add remove did open fast but still I can not select any program (it still is not working) and the pc stops responding .

When i click on any the sub menu's they release the PC faster this time (but it still freezes).

The File you asked for has been mailed on your ID hope you have received it by now. the mail is from ID adiyakumar1975@yahoo.co.in with subject "C:\WINDOWS\Sify\COMPON~1 and copy IEINTE~1.DLL as required by you"

Now new HijakThis log

Logfile of HijackThis v1.98.2
Scan saved at 4:27:04 PM, on 29/Oct/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\NVATray.exe
C:\CCProxy\CCProxy.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpamWeasel\spamweas.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\ht\HijackThis.exe
C:\WINDOWS\system32\Notepad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bseindia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://moneycontrol.com/stocks/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 192.168.0.2:808
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0. dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0. dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.hi\msntb.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [CCProxy] C:\CCProxy\CCProxy.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKLM\..\Run: [RevertSettings] 8o
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpamWeasel.lnk = C:\Program Files\SpamWeasel\spamweas.exe
O4 - Startup: YahooPOPs.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dtitrader.webex.com/client/l...ng/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) - http://microsoft.com/security/controls/DoomChk.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1

Last edited by bevkoof_no_1; October 29th, 2004 at 06:21 PM.
Reply With Quote
  #4  
Old October 29th, 2004, 09:08 PM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Hi bevkoof_no_1, thank you I received the file. It looks fine, it's a Sify file (your ISP?) and appears to be related to their Intelligent Downloader service.

I'm sorry about this but I did miss a very suspicious startup when I first looked at you log though.

[CCProxy] C:\CCProxy\CCProxy.exe

This file is masquerading as a Norton file. Can you please send me CCProxy.exe too.
Reply With Quote
  #5  
Old October 30th, 2004, 07:09 AM
bevkoof_no_1 bevkoof_no_1 is offline
New Member
 
Join Date: Oct 2004
Posts: 17
CC Proxy

CC Proxy is the proxy server I am using to share my internet connection sending a copy of the EXE to u.
Reply With Quote
  #6  
Old October 30th, 2004, 08:44 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Thanks bevkoof_no_1, I received the file and it's fine. There is one entry still to fix though. Close Internet Explorer and all open windows and run Hijack This again. Check the below entry and click on Fix Checked and reboot afterwards.

O4 - HKLM\..\Run: [RevertSettings] 8o

Post a new log. If you still have problem opening Add/Remove Programs, try this. Go to Start > Run and type:

rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl

and OK. Does Add/Remove Programs open now? If not, open a Command Prompt and type the following commands one after the other, each line followed by 'enter':

regsvr32 appwiz.cpl
regsvr32 mshtml.dll
regsvr32 jscript.dll
regsvr32 msi.dll
regsvr32 shell32.dll
regsvr32 shdocvw.dl

Run each line individually. After each run, you should see a short message stating the command was successful. Now reboot. Did this help?
Reply With Quote
  #7  
Old October 30th, 2004, 05:29 PM
bevkoof_no_1 bevkoof_no_1 is offline
New Member
 
Join Date: Oct 2004
Posts: 17
Unhappy the trouble still there

I m really sorry I did every thing told by you but nothing happened this what is in hijack this now



Logfile of HijackThis v1.98.2
Scan saved at 9:48:16 PM, on 30/Oct/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\system32\NVATray.exe
C:\CCProxy\CCProxy.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpamWeasel\spamweas.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\ht\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bseindia.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bseindia.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0. dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0. dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.hi\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [CCProxy] C:\CCProxy\CCProxy.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpamWeasel.lnk = C:\Program Files\SpamWeasel\spamweas.exe
O4 - Startup: YahooPOPs.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dtitrader.webex.com/client/l...ng/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) - http://microsoft.com/security/controls/DoomChk.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{21AC49AC-3652-43F9-9C98-B5C64DDF58C6}: NameServer = 202.9.145.94 202.9.145.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{0810F7CD-F126-4C52-A19F-5A8B3EA10451}: NameServer = 192.168.0.1
Reply With Quote
  #8  
Old October 30th, 2004, 11:34 PM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Try the fix here bevkoof_no_1.
Reply With Quote
  #9  
Old October 31st, 2004, 07:58 AM
bevkoof_no_1 bevkoof_no_1 is offline
New Member
 
Join Date: Oct 2004
Posts: 17
Unhappy been there did that

Hello and I am back with much tweaking deleting restarting etc. etc. did the following steps too and the others given on the page u sent me to. but nothing happened.

To resolve this behavior reinstall Internet Explorer 5.5 or Internet Explorer 6.
You may also resolve this behavior by using the following steps: 1. Start the computer in Safe mode with Networking by pressing the F8 key during startup.
2. Log on by using the local administrator account (the Windows Update dialog box appears that states that Windows is now updating the following items; Browsing Services, Internet Tools and System Services.)
3. After you log on, verify that the symptoms no longer occur.
4. Shut down and restart the computer, and then log on as usual.
Reply With Quote
  #10  
Old October 31st, 2004, 08:18 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Try this. Go to Start > Run and type:

regedit

then OK. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Policies\Uninstall and look in the righthand pane for the below value:

NoAddRemovePrograms

If it is present, doubleclick on it and change the value data to "0" (without the inverted comma's) and reboot.

If it is not present, try creating it. Go to Edit > New > DWORD value and name it:

NoAddRemovePrograms

When you have created it, doubleclick on it and set the value data to 0 and reboot.

If this doesnt work, it's possible that appwiz.cpl has been corrupted. If this is the case, your best bet would be to rename the existing file to appwiz.old and extract a fresh copy from your Installation CD.
Reply With Quote
  #11  
Old November 3rd, 2004, 04:05 PM
bevkoof_no_1 bevkoof_no_1 is offline
New Member
 
Join Date: Oct 2004
Posts: 17
Unhappy sorry for the delay the PC has gone very slow

The PC has gone very slow. I saw on microsoft support that I need to install IE again i m trying to find a link for IE download or a cd from a friend but all i can find is updates. if u can help me in this
Reply With Quote
  #12  
Old November 4th, 2004, 03:44 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Yes, you can download the full version of IE6 from here but I cannot see how that will help with your Add/Remove Programs problem.
Reply With Quote
  #13  
Old November 4th, 2004, 08:07 AM
bevkoof_no_1 bevkoof_no_1 is offline
New Member
 
Join Date: Oct 2004
Posts: 17
Lightbulb Add/Remove Programs problem

it is given on http://support.microsoft.com/kb/265829/EN-US/ that if i reinstall IE maybe it can solve the problem as i had used windows update site to update my 2k3 now it has stopped working
Reply With Quote
  #14  
Old November 5th, 2004, 01:09 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Thanks for that link bevkoof_no_1. Good luck with the install and keep us updated.
Reply With Quote
  #15  
Old November 5th, 2004, 05:27 AM
bevkoof_no_1 bevkoof_no_1 is offline
New Member
 
Join Date: Oct 2004
Posts: 17
Unhappy nothing happened

I reinstalled the IE but nothing happened what should i do now
Reply With Quote
Reply

Bookmarks

Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Topics
Topic Topic Starter Forum Replies Last Post
Add or remove program won't open.. kpf1965 Windows XP 6 June 3rd, 2008 09:06 PM
help, Control Panel's Add or Remove programs can't remove this program... nino613 Windows XP 2 March 27th, 2007 12:09 PM
Can't remove a program in the add/remove Spade357 Windows XP 5 November 19th, 2006 05:52 AM
How To Remove Program Not Listed In Add/Remove Programs? natwhit Windows XP 2 September 25th, 2006 11:16 PM
Q: how can I remove a program icon from " add\remove programs " list? chem3 Windows XP 1 March 16th, 2005 06:09 PM


All times are GMT +1. The time now is 11:48 AM.