having issues with computer

Question

I've had this computer for almost a year and starting having problems a few months ago.  I've tried several steps, different spyware programs and am having no luck.  The computer itself it somewhat slow.  I sometimes have issues with the internet.  I've downloaded AdawareSE and it found over 400 objects.  I have run a virus scan, but nothing was found.  Each time I boot up, I receive the following error message:   smsc.exe has encountered an error and must close   Also, I have disabled everything in my startup, however, each time I turn on the computer, some are enabled again.  Each time I log off the computer, I received the following message:   Gkcahhp.exe is still running, end program?   Can anyone help?

100mph · Answer

Please see the second link below for spyware/virus removal instructions, tools and links. If still having problems, comeback with your HijackThis log. All the Best!

Midnight Star · Answer

gltllw,

After following 100mph's removal links, be sure to post back a hjt log for analysis.

Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.0. Now, let's do the following:

1. Click " Scan"
2. Click " Save log"

Notepad will pop-up with a copy of your system long, then:

1. " Edit | Select all"
2. " Edit | Copy"

Next, let's " Reply" back to this post, then:

1. Right-click on the message body.
2. Select " Paste"

Then just " Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).

Mike.

gltllw · Answer

Well, I havent got too far... for some reason, my computer will not allow me to enable the Internet Connection Firewall.  I clicked properties and it does not do anything.  If I choose another connection, it works, but not for the connection that I use.  Should I continue with the other steps?

gltllw · Answer

Here is it.   Logfile of HijackThis v1.99.0 Scan saved at 7:29:33 PM, on 2/3/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svcshost.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\WINDOWS\System32
avupdaters.exe C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe C:\Program Files\ISP50\bin\bartshel.exe C:\PROGRA~1\ISP50\dialer\DIALER.EXE C:\WINDOWS\System32\wuauclt.exe C:\PROGRA~1\ISP50\bin\ppshared.exe C:\Program Files\ISP50\bin\bartshel.exe C:\Program Files\PeoplePC Accelerated\propelac.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Laurie Ward\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080 O2 - BHO: PeoplePC FixedBandBHO - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla	fswshx.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [NAV Auto Updates] navupdaters.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [DS211patch] C:\Documents and Settings\All Users\Application Data\Dell\Alert\491\updtSup5.exe O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe O4 - HKLM\..\RunServices: [B9A31D64] C:\WINDOWS\System32\wspsxruhprtmdn.exe O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe O4 - HKLM\..\RunServices: [Microsoft Windows Updates] EXPLORER32.EXE O4 - HKLM\..\RunServices: [Microsoft Windows Update] svcshost.exe O4 - HKLM\..\RunServices: [Windows Media Player] msams.exe O4 - HKLM\..\RunServices: [NAV Auto Updates] navupdaters.exe O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svcshost.exe O4 - HKCU\..\Run: [NAV Auto Updates] navupdaters.exe O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svcshost.exe O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O14 - IERESET.INF: START_PAGE_URL=http://www.att.net O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102129162843 O17 - HKLM\System\CCS\Services\Tcpip\..\{24F876C6-556F-497D-BCB1-F2D7D7F96F26}: NameServer = 206.134.133.10 206.134.224.5 O17 - HKLM\System\CS1\Services\Tcpip\..\{24F876C6-556F-497D-BCB1-F2D7D7F96F26}: NameServer = 206.134.133.10 206.134.224.5 O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Ababdfml.dll O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: ptssvc - Unknown - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

Midnight Star · Answer

gltllw,   Go ahead and post up a hjt log and let me see what you have.   Mike.

Midnight Star · Answer

gltllw, Let's see if this helps... Go to www.trendmicro.com, and then: 1.  Click ' Free Online Scan'. 2.  Click ' Scan now, it's free'.   It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:   1.  Select all available drives. 2.  Check(tick) ' Auto Clean'. 3.  Click ' Scan'.   When it completes, post back the full filename of any files that cannot be cleaned or deleted.   Next, Open a command prompt by:   1.  Clicking ' Start', then ' Run...'. 2.  Enter ' cmd' ( without the quotes). 3.  Enter ' services.msc' ( without the quotes).   -   Now, locate and ' stop' the following services, if present:   scrgrd.exe wspsxruhprtmdn.exe smsc.exe soundblaster.exe EXPLORER32.EXE svcshost.exe msams.exe navupdaters.exe   Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.   Run HiJackThis then:   1.  Click ' Config...' 2.  Click ' Misc Tools' 3.  Click ' Open Process manager'   -   Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:       C:\WINDOWS\System32\svcshost.exe     C:\WINDOWS\System32
avupdaters.exe   Now double-check and make sure that only those item(s) above are highlighted, then click ' Kill process'. Now, click ' Refresh', check again, and repeat this step if any remain.   Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done ' cleaning' off your system, we're going to ' flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.   Also move the ' Backups' folder, for HiJackThis, if present.   Run HiJackThis and click ' Scan', then check(tick) the following, if present:   O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)   O4 - HKLM\..\Run: [NAV Auto Updates] navupdaters.exe O4 - HKLM\..\Run: [DS211patch] C:\Documents and Settings\All Users\Application Data\Dell\Alert\491\updtSup5.exe O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe O4 - HKLM\..\RunServices: [B9A31D64] C:\WINDOWS\System32\wspsxruhprtmdn.exe O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe O4 - HKLM\..\RunServices: [Microsoft Windows Updates] EXPLORER32.EXE O4 - HKLM\..\RunServices: [Microsoft Windows Update] svcshost.exe O4 - HKLM\..\RunServices: [Windows Media Player] msams.exe O4 - HKLM\..\RunServices: [NAV Auto Updates] navupdaters.exe O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svcshost.exe O4 - HKCU\..\Run: [NAV Auto Updates] navupdaters.exe O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svcshost.exe   O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Ababdfml.dll   Now, with all windows closed except HiJackThis, click ' Fix checked'.   Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:   files...       C:\WINDOWS\System32\svcshost.exe     C:\WINDOWS\System32
avupdaters.exe     C:\Documents and Settings\All Users\Application Data\Dell\Alert\491\updtSup5.exe     C:\WINDOWS\System32\wspsxruhprtmdn.exe     C:\WINDOWS\System32\Ababdfml.dll   -   Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from ' Safe Mode'.     Post back a new log.   -   Mike.

Midnight Star · Answer

gltllw,

Can you post the full file name of the purity scan trojan? Try deleting these after you run HiJackThis and kill the processes, in the fix:

C:\WINDOWS\SYSTEM32\Ababdfml.d..
C:\WINDOWS\SYSTEM32\Gkcahhp.exe

-

Mike.

gltllw · Answer

Cannot delete/clean the following: TROJ PURITYSCN.O C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\Media Ticketinstaller[1].cab 'MediaTicketinstaller.ocx' BKDR BERBEW.I C:\WINDOWS\SYSTEM32\Ababdfml.d.. BKDR BERBEW.I C:\WINDOWS\SYSTEM32\Gkcahhp.exe WORM RBOT.AKX C:\WINDOWS\SYSTEM32
avupdaters.exe

Midnight Star · Answer

gltllw,

Good job! - Your more than welcome.

-

Now, let's see if we can find anything else there that should be...

Download mwav.exe from MicroWorld, then:

1. Double-click the mwav.exe icon to run it ( it'll self extract).
2. Click " Scan".
3. When it completes, post back the results from the 'Virus log information' pane.

Mike.

gltllw · Answer

Thanks so much for you help... i've noticed a huge improvement.

The full name (that I can see) of the purity scan trojan is:

TROJ PURITYSCN.O C:\WINDOWS\SYSTEM32\CONFIG\System Profile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\Media Ticketsinstaller[1].cab "Media Ticket Installer.ocx"

I am unable to find these files for deletion:

C:\WINDOWS\SYSTEM32\Abadfml.dll

C:\WINDOWS\SYSTEM32\Gkcahhp.exe

Here is my new HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 3:30:18 PM, on 2/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\PeoplePC Accelerated\propelac.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE
c:\progra~1\outloo~1\msimn.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: PeoplePC FixedBandBHO - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102129162843
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24F876C6-556F-497D-BCB1-F2D7D7F96F26}: NameServer = 206.134.133.10 206.134.224.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{24F876C6-556F-497D-BCB1-F2D7D7F96F26}: NameServer = 206.134.133.10 206.134.224.5
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ptssvc - Unknown - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

gltllw · Answer

Here is the virus log information:

File C:\WINDOWS\system32\svphost.exe infected by "Trojan-Proxy.Win32.Agent.dj" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\TEMPOR~1\Content.IE5\4BSPEZOF\hot[1].html infected by "not-a-virus:AdWare.MediaTickets.e" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\TEMPOR~1\Content.IE5\6JYLAZOX\hot[1].html infected by "not-a-virus:AdWare.MediaTickets.e" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\TEMPOR~1\Content.IE5\6JYLAZOX\silent_install[1].exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\TEMPOR~1\Content.IE5\6JYLAZOX\webrebates_usa[1].exe infected by "not-a-virus:AdWare.WebRebates.d" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\TEMPOR~1\Content.IE5\O9YJK1IJ\prompt[1].html infected by "Trojan-Downloader.JS.IstBar.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\TEMPOR~1\Content.IE5\OT2JQP0H\js[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\TEMPOR~1\Content.IE5\OT2JQP0H\mtrslib2[1].js infected by "Trojan-Downloader.JS.Small.ag" Virus. Action Taken: No Action Taken.

Midnight Star · Answer

gltllw,

All of those, except one should be deleted when we 'cleanup'.

-

Let's delete this file:

C:\WINDOWS\system32\svphost.exe

Post back a new hjt this log, if we're still ok, we'll do the final cleanup, and you should be good to go.

-

Mike.

gltllw · Answer

here's my new hjt log.

Logfile of HijackThis v1.99.0
Scan saved at 6:48:18 PM, on 2/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\PEOPLE~1\propelac.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: PeoplePC FixedBandBHO - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\propelac.exe"
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102129162843
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ptssvc - Unknown - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

Also, I'm not sure if it affects anything, but I have my computer on the "selective start up" with everything disabled. If I change it to "normal start up", it seems to be slower and locks up.

Midnight Star · Answer

gltllw,   Thanks for telling me. Are you able to post back a log from full startup before it locks up? Or at least get the log created, then post it back from selective startup?   Mike.

gltllw · Answer

Here's the hjt from normal start up. Sorry, I completely forgot that I had disabled everything awhile ago to try to make it better.

Logfile of HijackThis v1.99.0
Scan saved at 7:58:02 PM, on 2/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\PEOPLE~1\propelac.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: PeoplePC FixedBandBHO - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\PEOPLE~1\propelac.exe
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\LAURIE~1\LOCALS~1\Temp\28.tmp.exe
O4 - HKLM\..\Run: [Windows Media Player] msams.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [vcz] C:\WINDOWS\vcz.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\evajezqf.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\private.exe
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NAV Auto Updates] navupdaters.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Windows Updates] EXPLORER32.EXE
O4 - HKLM\..\Run: [Microsoft Windows Update] svcshost.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [D9ufU] C:\WINDOWS\ottysp.exe
O4 - HKLM\..\Run: [Canon_Setup] "D:\SETUP.EXE"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [361C08F9] C:\WINDOWS\System32\wspsxruhprtmdn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102129162843
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ptssvc - Unknown - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

Virus & Spyware

Was this post helpful?