i'm more familiar with the other case (O2-MSEvents), but since there's a shortage of help around at the moment, i'll give this a shot:
run HiJackThis. place a check-mark in the box in front of the line:
O4 - HKLM\..\Run: [NI.UWFX5_0001_LP1014] "C:\WINNT\Downloaded Program Files\UWFX5_0001_LP1014NetInstaller.exe"
click on FIX CHECKED. then close HJT. reboot. and see if this made a difference.
if either HiJackThis seems to "choke" on this fix, or if the problem line is still there after you reboot, then try booting up in SAFE MODE, and running HJT and checking/fixing this in safe mode. reboot into normal mode, to see if it worked this time.
in either case, please post another HJT log (run from normal mode). if it worked, please let me know which mode (normal or safe) you used for the fix.
Thanks you very much for the quick response and sorry for the long delay in replying..
I ran HiJackThis and deleted checked the line you mentioned and restarted the PC.
The program "UWFX5_0001_LP1014NetInstaller.exe" was still there - so I went I located the prgram
and deleted ot manually - this seems to have fixed the issue - I've had no instances of "WinFixer 2005" trying to install iteself.
Here's the new HJT log file (in normal mode):
Logfile of HijackThis v1.99.1 Scan saved at 10:38:28, on 25/10/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
as long as it's gone, and the problem appears to be fixed.
i'm gonna ask someone else to step-in, to analyze your log for additional problems (if any) that you might have. it may take a few days for him to get here (as we have a long way to go to catch-up with everyone), so please be patient.
I see that significant time has passed, and that no one has "shown up" to do the follow-up on your log :smileysad: I apologize for this oversight.
in all likelihood, you may have implemented significant changes since you posted your last log here... meaning that the log, as posted above, probably no-longer reflects the current state of your system.
if you're experiencing any problems that you're aware of, or if you'd just like to request an overall "check-up" again, please start a NEW thread, generate your latest HJT log, and post it there.
Accordingly, this thread will now be considered "closed", and will not be monitored for future replies.
ky331
3 Apprentice
•
15.6K Posts
0
October 21st, 2005 11:00
hi.
i'm more familiar with the other case (O2-MSEvents), but since there's a shortage of help around at the moment, i'll give this a shot:
run HiJackThis. place a check-mark in the box in front of the line:
O4 - HKLM\..\Run: [NI.UWFX5_0001_LP1014] "C:\WINNT\Downloaded Program Files\UWFX5_0001_LP1014NetInstaller.exe"
click on FIX CHECKED. then close HJT. reboot. and see if this made a difference.
if either HiJackThis seems to "choke" on this fix, or if the problem line is still there after you reboot, then try booting up in SAFE MODE, and running HJT and checking/fixing this in safe mode. reboot into normal mode, to see if it worked this time.
in either case, please post another HJT log (run from normal mode). if it worked, please let me know which mode (normal or safe) you used for the fix.
bobak
2 Posts
0
October 25th, 2005 08:00
Thanks you very much for the quick response and sorry for the long delay in replying..
I ran HiJackThis and deleted checked the line you mentioned and restarted the PC.
The program "UWFX5_0001_LP1014NetInstaller.exe" was still there - so I went I located the prgram
and deleted ot manually - this seems to have fixed the issue - I've had no instances of "WinFixer 2005" trying to install iteself.
Here's the new HJT log file (in normal mode):
Logfile of HijackThis v1.99.1
Scan saved at 10:38:28, on 25/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\bhat\My Documents\My Software\FreeMem Professional\FMEMPRO.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\internat.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Steltor\CTime\CTime32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\bhat\My Documents\-- xtra --\virus\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Http://fyi.imagination.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Imagination Group Ltd v1_001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.imagination.co.uk:80;gopher=proxy.imagination.co.uk:80;http=proxy.imagination.co.uk:80;https=proxy.imagination.co.uk:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = rebusweb; imagination.co.uk;
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://easynews.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://easynews.com"); (C:\Documents and Settings\bhat\Application Data\Mozilla\Profiles\default\b9aocpe8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bhat\Application Data\Mozilla\Profiles\default\b9aocpe8.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Documents and Settings\bhat\My Documents\My Software\FreeMem Professional\FMEMPRO.EXE" Startup
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [mfuw] C:\PROGRA~1\COMMON~1\mfuw\mfuwm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=Http://fyi.imagination.co.uk
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {13510606-30FA-11D2-B383-444553540000} (WebClient Class) - http://rebusweb1.imagination.co.uk/ommaxie.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterexe/drsmartload44a.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21898a720f9a5934fd05/netzip/RdxIE601.cab
O16 - DPF: {586FA343-25F2-11D0-9E75-00AA0055C282} (MorphInk ActiveX Control) - http://www.morphink.com/download/morphink.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF} - http://www.haptek.com/products/player/autoinstall/data/latest.cab
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\fp0o03d3e.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
ky331
3 Apprentice
•
15.6K Posts
0
October 25th, 2005 10:00
as long as it's gone, and the problem appears to be fixed.
i'm gonna ask someone else to step-in, to analyze your log for additional problems (if any) that you might have. it may take a few days for him to get here (as we have a long way to go to catch-up with everyone), so please be patient.
good luck.
ky331
3 Apprentice
•
15.6K Posts
0
November 4th, 2005 23:00
I see that significant time has passed, and that no one has "shown up" to do the follow-up on your log :smileysad: I apologize for this oversight.
in all likelihood, you may have implemented significant changes since you posted your last log here... meaning that the log, as posted above, probably no-longer reflects the current state of your system.
if you're experiencing any problems that you're aware of, or if you'd just like to request an overall "check-up" again, please start a NEW thread, generate your latest HJT log, and post it there.
Accordingly, this thread will now be considered "closed", and will not be monitored for future replies.
wishing you good luck.