Now go to Hijackthis's Config and check the box: Mark Everything Found For Fixing After Scan. Then Back and run a new scan and then Fix Checked. It will ask you if you are sure but do it anyway.
This will not get rid of everything but it will be a start. Shutdown and reboot into Safe Mode.
Boot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu.
Run a HijackThis scan and Fix Checked everything. Then reboot into regular mode.
Run HijackThis, Misc Tools, Open Hosts Files Manager and Open in Notepad.
Delete everything except:
127.0.0.1 localhost
(Lines which start with # are comments and can be left in)
Save and exit.
Run another scan and put the log in your next reply.
You will still have the About Blank infection but let's see if we can get you back on line.
thanks for responding, ron. i followed your instruction. btw, when i got to this part of the instruction:
"Run HijackThis, Misc Tools, Open Hosts Files Manager and Open in Notepad.
Delete everything except:
127.0.0.1 localhost
(Lines which start with # are comments and can be left in)
Save and exit."
nothing showed up except 127.0.0.1 localhost. also, i tried getting on the 'net, but it still wouldn't let me. also, i can't get rid of those O15 lines. again, thanks in advance.
here's my new log:
Logfile of HijackThis v1.99.1
Scan saved at 7:12:50 PM, on 1/15/1980
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Run HijackTHis, Misc Tools, Open Process Manager then
find and highlight:
C:\WINDOWS\SYSTEM\LFGSNMDM.EXE
Then Kill Process.
Then Start, Run, command, OK to bring up a DOS-type window. Type:
attrib -r -h -s \WINDOWS\SYSTEM\LFGSNMDM.EXE
del \WINDOWS\SYSTEM\LFGSNMDM.EXE
exit
Then reboot and run a new scan and see if it comes up again.
Then run a new HijackThis scan and try to get rid of the remainder. Post the new scan as a reply.
You can also try right clicking on the Internet Explorer icon on the desktop and select Properties (or bring up Internet Explorer and select Tools, Internet options) then select Security and Trusted Zone and then Sites and manually delete the entries. If it says you need a password then let me know and I'll tell you how to get around it.
Finally let's see if lspfix.exe will fix your internet problem.
ron, once again thank you. you might just have saved my aunt from buying a new computer. let me retract back and tell you what exactly i'm doing; i doubt that this has anything to do with my (lack of)
internet access, since i did downloaded the latest description of Norton antivirus last week with this set up.
ok, since i didn't feel like driving back and forth to her place, and didn't want to log her pc tower to my house, i took the hard drive from her pc and placed it on one of my older pc (as a master drive). since it's ME, it automatically recognized the drivers, thus the online connection with symantec.
now back to your latest prescription. you said:
"You got rid of more than I expected.
Run HijackTHis, Misc Tools, Open Process Manager then
find and highlight:
C:\WINDOWS\SYSTEM\LFGSNMDM.EXE
Then Kill Process.
Then Start, Run, command, OK to bring up a DOS-type window. Type:
attrib -r -h -s \WINDOWS\SYSTEM\LFGSNMDM.EXE
del \WINDOWS\SYSTEM\LFGSNMDM.EXE
exit
Then reboot and run a new scan and see if it comes up again."
did that. rerun hijackthis, misc tools, open process manager, and this time
C:\WINDOWS\SYSTEM\LFGSNMDM.EXE
didn't show up. also went to internet option and manually deleted those sites. reran the scan but those O15's were still there. fix checked it, but when re scan, it came back (see log below).
finally, d/l'ed lspfix.exe and followed your instruction, but as of yet, i still don't have internet access.
here's my latest log:
Logfile of HijackThis v1.99.1
Scan saved at 1:00:01 PM, on 1/16/1980
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
I don't see anything else that looks odd in the running processes. I assume there is still something that runs at startup that HijackThis didn't find in its normal mode. Try HijackThis, Misc Tools, Ignore list, Delete All and then on the Misc Tools page, check the two boxes next to Generate Startup List then press Generate Startup List. The log will be too big to post so send it to me as an attachment. rkinner AT att DOT net
IF you can it would be a good idea to get the latest version of AdAware and run it on your PC.
RKinner
2 Intern
•
5.9K Posts
0
July 18th, 2005 21:00
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [Gateway Ink Monitor] C:\Program Files\Gateway\Gateway Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TypingSatellite] "C:\PROGRAM FILES\TYPINGMASTER\KBOOST.EXE"
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
Now go to Hijackthis's Config and check the box: Mark Everything Found For Fixing After Scan. Then Back and run a new scan and then Fix Checked. It will ask you if you are sure but do it anyway.
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu.
Spunjer
174 Posts
0
July 19th, 2005 00:00
"Run HijackThis, Misc Tools, Open Hosts Files Manager and Open in Notepad.
Delete everything except:
127.0.0.1 localhost
(Lines which start with # are comments and can be left in)
Save and exit."
nothing showed up except 127.0.0.1 localhost. also, i tried getting on the 'net, but it still wouldn't let me. also, i can't get rid of those O15 lines. again, thanks in advance.
here's my new log:
Logfile of HijackThis v1.99.1
Scan saved at 7:12:50 PM, on 1/15/1980
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\GWMDMMSG.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LFGSNMDM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\TYPINGMASTER\KBOOST.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
A:\HIJACKTHIS1991.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
RKinner
2 Intern
•
5.9K Posts
0
July 19th, 2005 13:00
Spunjer
174 Posts
0
July 19th, 2005 19:00
ron, once again thank you. you might just have saved my aunt from buying a new computer. let me retract back and tell you what exactly i'm doing; i doubt that this has anything to do with my (lack of)
Scan saved at 1:00:01 PM, on 1/16/1980
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\GWMDMMSG.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
A:\HIJACKTHIS1991.EXE
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
RKinner
2 Intern
•
5.9K Posts
0
July 19th, 2005 21:00