Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

blondeguy

215 Posts

360

April 24th, 2005 04:00

bloack icons-freind's computer

My friend's computer has black icons...think she has a virus! Any help appreciated...
 
Here is her log:
 
 

Logfile of HijackThis v1.99.1

Scan saved at 10:45:18 PM, on 4/23/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE

C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE

C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\PPMEMCHECK.EXE

C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\PPCONTROL.EXE

C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\COOKIEPATROL.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\PASSWORD MANAGER\ACCTMGR.EXE

C:\PROGRAM FILES\PAGIS FOR MULTIPASS\SENDBAR.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE

C:\WINDOWS\SYSTEM\HPZIPM12.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE

C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

C:\HJT\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumericon&c=2C01&lc=0409

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?s=searchicon&c=2C01&lc=0409

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe

O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe

O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe

O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE

O4 - Startup: MultiPASS Background.lnk = C:\MPASS\MPSERVER.EXE

O4 - Startup: SendTo Bar.lnk = C:\Program Files\Pagis for MultiPASS\SendBar.exe

O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe

O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\Csinsm32.exe

O4 - Startup: Norton Disk Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll

O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/smtptool/MailCfg.cab

O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = surfside.net

O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = surfside.net

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 64.68.197.50,64.68.197.60

O20 - AppInit_DLLs: apitrap.dll;

 

SpotCheckBilly

932 Posts

April 27th, 2005 06:00

Hello blondeguy,

Your friends log file shows no sign of a virus, which is good news. The only questionable items in her log file are the O17 entries. If her ISP is not surfside.net, those entries should be fixed according to the directions below. If it is, her log is clean. For peace of mind she might like to go to TrendMicro and run the free online scan described below.

Otherwise, I would recommend posting to the Software- WindowsME board here at Dell with a description of what the problem is, when it started etc..
For the TrendMicro scan, do this:

Go to www.trendmicro.com , and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan ".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.
Run HiJackThis and click " Scan", then check(tick) the following, if present:

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = surfside.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = surfside.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 64.68.197.50,64.68.197.60
...(Verify that these ip addresses are for your isp's DNS Servers, if so, don't 'fix' these.)<-- as stated above, if surfside.net is her ISP, DO NOT fix these entries.

Now, with all windows closed except HiJackThis, click " Fix checked".

Seems to me, I remember seeing this problem crop up before. You might try just doing a board search at the WindowsME board.

Good luck:smileyhappy:

George a.k.a. SpotCheckBilly

Was this post helpful?

View All

Top