RKinner
December 7th, 2005 18:00
Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option. Use your usual login or you will have problems finding your desktop.
Run HijackThis and just do a Scan only. Check then Fix Checked the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7507739F-BC2E-4DC3-B233-816783C25DC9} - (no file)
O2 - BHO: (no name) - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - (no file)
O2 - BHO: (no name) - {C7CF1142-0785-4B12-A280-B64681E4D45E} - C:\WINDOWS\prflbmsgp32.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [ClearCookies] C:\WINDOWS\cc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O13 - WWW. Prefix: http://
O16 - DPF: Win32 Classes -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll (file missing)
O20 - Winlogon Notify: st3 - C:\WINDOWS\
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
Run your antivirus and have it do a full scan while still in Safe mode.
Reboot into normal mode and run a new log and post it as a reply.
Also Start, Run, cmd, OK to bring up a command window. Type:
cd \
dir /a \windows\tasks
Copy the results by highlighting them and then hitting Enter then move to the reply and edit, paste.
Ron
gbsiegle
December 8th, 2005 00:00
Fixed the identified items and ran system scan in safe mode. Here is the new log requested and the windows\tasks list. Thanks. So far so good.
Logfile of HijackThis v1.99.1
Scan saved at 9:14:47 PM, on 12/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\hackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=socks2.server.ibm.com:1080
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MNYSIDE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Send Image to Photo Library - FILE://G:\PROGRAM FILES\MGI\MGI PHOTOSUITE II\TEMP\MGI00000.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MNYSIDE.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O15 - Trusted Zone: http://*.msn.com (HKLM)
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133010384875
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?316
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>dir/a \windows\tasks
Volume in drive C is DRV4_VOL1
Volume Serial Number is E469-8DB5
Directory of C:\windows\tasks
03/18/2005 04:38 PM <DIR> .
03/18/2005 04:38 PM <DIR> ..
12/07/2005 09:15 PM 1,430 Low disk space notification.job
12/07/2005 06:00 AM 286 ScanDisk for Windows (Standard test).job
12/06/2005 12:00 PM 244 Disk Defragmenter.job
12/01/2005 09:08 PM 286 ScanDisk for Windows (Thorough test).job
12/07/2005 09:10 PM 6 SA.DAT
12/01/2005 08:30 PM 528 Maintenance-Disk cleanup.job
03/02/2005 09:00 PM 384 Maintenance-Clean up Start menu.job
12/07/2005 12:24 AM 338 {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_Siegle.job
12/07/2005 12:43 AM 338 {6A017320-DEC1-11D2-BCC0-602C57C10000}_Siegle.job
12/07/2005 04:30 AM 338 {6A017321-DEC1-11D2-BCC0-602C57C10000}_Siegle.job
12/07/2005 05:01 PM 338 {6A017322-DEC1-11D2-BCC0-602C57C10000}_Siegle.job
12/07/2005 08:24 AM 338 {6A017323-DEC1-11D2-BCC0-602C57C10000}_Siegle.job
08/25/2001 01:26 PM 65 desktop.ini
12/07/2005 12:06 AM 340 {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_Default.job
12/07/2005 12:49 AM 340 {2BC8A500-72AF-11D4-BCC4-20F169C10000}_Default.job
12/07/2005 01:48 AM 340 {2BC8A501-72AF-11D4-BCC4-20F169C10000}_Default.job
12/07/2005 05:55 AM 340 {2BC8A502-72AF-11D4-BCC4-20F169C10000}_Default.job
12/06/2005 08:06 PM 340 {2BC8A503-72AF-11D4-BCC4-20F169C10000}_Default.job
12/07/2005 02:00 PM 502 Tune-up Application Start.job
12/07/2005 12:04 AM 342 {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_sieglejr.job
12/07/2005 03:03 AM 342 {BACCF460-995D-11D5-BCCB-20066BC10000}_sieglejr.job
12/07/2005 04:10 AM 342 {BACCF461-995D-11D5-BCCB-20066BC10000}_sieglejr.job
12/07/2005 05:21 PM 342 {BACCF462-995D-11D5-BCCB-20066BC10000}_sieglejr.job
12/06/2005 06:04 PM 342 {BACCF463-995D-11D5-BCCB-20066BC10000}_sieglejr.job
12/07/2005 12:14 AM 398 {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_DESKTOP_sieglejr.job
12/07/2005 03:53 AM 398 {E4AEA41B-45DB-47B2-AE95-E1FBE3E74F7E}_DESKTOP_sieglejr.job
12/07/2005 05:20 PM 398 {795A73DE-5BFD-4619-8DBA-D996FAEE9BF1}_DESKTOP_sieglejr.job
12/07/2005 02:11 AM 398 {9A395AFA-0F7A-4B4F-96BB-7B9D09F38B85}_DESKTOP_sieglejr.job
12/06/2005 06:14 PM 398 {96D0524E-0AE3-44A2-9DF4-9495AE45913F}_DESKTOP_sieglejr.job
12/05/2005 03:36 PM 298 Norton SystemWorks One Button Checkup.job
12/07/2005 03:46 PM 366 Symantec NetDetect.job
12/07/2005 12:00 AM 314 Symantec Drmc.job
32 File(s) 11,799 bytes
2 Dir(s) 22,114,713,600 bytes free
C:\>
RKinner
December 8th, 2005 15:00
Log looks clean.
You have an awfully large number of tasks with cryptic names that trigger about once an hour. If you don't know what these are, I would delete them. I believe in XP (I have W2K) there is an icon for Task Manager and it will let you delete the tasks there. If you can't see them, there is an option (under View?) that will let you see hidden tasks.
You can also do it this way:
Right-click on Start and select Explore. Then in the new window find the Views icon (bottom right of the two toolbars at the top; looks like a little window with a down arrow). Press it and select Details. Then select Tools, Folder Options, check Use Windows Classic Folders, Apply, then View, check Show Hidden Files and Folders, and uncheck the two that start with Hide (ignore the warning), then say Apply. Then press Like Current Folder. OK.
Now locate the Windows folder (My Computer => Local Disk C: => Windows) and click once on it. In the right pane will be an alphabetical list of folders and files. Find the folder Tasks and click on it.
Now you can right-click on and delete any task you don't recognize, or move them to a different folder in case you change your mind.
The only files that really need to be there are sa.dat and desktop.ini.
Ron
Message Edited by RKinner on 12-08-2005 11:36 AM
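Added example, not part of the original thread: a short Python script that parses a pasted `dir /a \windows\tasks` listing, rejoins file names the console wrapped onto a second line, and groups the GUID-named .job files by their suffix so they can be reviewed together. The sample listing, its GUIDs and the `user1`/`user2` suffixes are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `dir /a \windows\tasks` output. Long names wrap
# onto a second line, as they do when copied from an 80-column console window.
SAMPLE = r"""
 Directory of C:\windows\tasks

03/18/2005  04:38 PM    <DIR>          .
12/07/2005  09:10 PM                 6 SA.DAT
08/25/2001  01:26 PM                65 desktop.ini
12/06/2005  12:00 PM               244 Disk Defragmenter.job
12/07/2005  12:24 AM               338 {11111111-2222-3333-4444-555555555555}_us
er1.job
12/07/2005  04:30 AM               338 {11111111-2222-3333-4444-555555555556}_us
er1.job
12/07/2005  12:14 AM               398 {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}_DE
SKTOP_user2.job
               6 File(s)          1,389 bytes
"""

ENTRY = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+(<DIR>|[\d,]+)\s+(.+)$")
GUID_JOB = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}_(.+)\.job$", re.I)
EXPECTED = {"sa.dat", "desktop.ini"}  # per the thread: the only files that need to be there

def parse_listing(text):
    """Return (date, time, name) for each file, rejoining console-wrapped names."""
    files, open_name = [], False
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            open_name = m.group(3) != "<DIR>"
            if open_name:
                files.append([m.group(1), m.group(2), m.group(4).rstrip()])
        elif open_name and line and not line[0].isspace():
            files[-1][2] += line.rstrip()  # continuation of the previous name
            open_name = False
        else:
            open_name = False  # blank, header or summary line
    return [tuple(f) for f in files]

def triage(files):
    """Group GUID-named .job files by the suffix after the GUID; list the rest."""
    groups, named = defaultdict(list), []
    for date, time, name in files:
        m = GUID_JOB.match(name)
        if m:
            groups[m.group(2)].append(f"{date} {time}")
        elif name.lower() not in EXPECTED:
            named.append(name)
    return dict(groups), named
```

`triage(parse_listing(SAMPLE))` returns the GUID-named jobs grouped by suffix with their timestamps, plus the remaining readable task names to check against installed software.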