Something's closing my Spybot (Hijackthis Log)



#1 squall_leonhart_wi


Posted 23 May 2004 - 03:15 PM

Something keeps closing my Spybot, but CWShredder, Ad-Aware, and Spyware Blaster don't find anything. Here's my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 3:20:26 PM, on 5/23/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

(Unable to list running processes (error#53))
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot\SpybotSD.exe" /autocheck /autoclose
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\AVGANT~1\avgcc32.exe /STARTUP
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\Wallpaper Changer\AWC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip32\WZQKPICK.EXE
O4 - Global Startup: Pow!.lnk = C:\Program Files\AnalogX\POW\pow.exe
O4 - Global Startup: Yahoo! Messenger.lnk = C:\Program Files\Yahoo!\Messenger\YPager.exe
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2207d96aa58cb4...ip/RdxIE601.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
"Peace at any cost is no peace at all..." - Jason Jonovic



#2 Guest_Plimsol_*


Posted 23 May 2004 - 03:30 PM

Do me a favor and give me another log from safe mode:

How to enter Safe Mode.

Save the log to your drive somewhere, and then reboot. Post the log from safe mode into a reply to this message.

#3 squall_leonhart_wi


Posted 23 May 2004 - 03:31 PM

This computer has Windows NT 4.0, so I can't go into safe mode at all. What else can I do?
"Peace at any cost is no peace at all..." - Jason Jonovic

#4 Guest_Plimsol_*


Posted 23 May 2004 - 03:39 PM

Well, there is nothing apparently wrong with your logs. It is possible this line:

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

is bad, but I cannot tell without seeing the list of processes. If HijackThis is saved to its own directory and not running from a temp directory (can't see that either), then you can try fixing that and see if it fixes the problem, and if it has not fixed it you can restore it.

#5 Papakid


Posted 23 May 2004 - 03:44 PM

squall, are you running version 1.2 of Spybot? If so do you have it set to do anything automatically, such as scan on reboot?

Edited by Papakid, 23 May 2004 - 03:49 PM.

The thing about people

is they change

when they walk away.--Mipso


#6 squall_leonhart_wi


Posted 23 May 2004 - 03:46 PM

Well here's a list of all processes that are running:
smss.exe
csrss.exe
winlogon.exe
EM_EXEC.EXE
services.exe
avgserv.exe
lsass.exe
spoolss.exe
RpcSs.exe
MSTask.exe
SysTray.exe
Explorer.exe
nddeagnt.exe
loadwwc.exe
AWC.exe
realsched.exe
avgcc32.exe
pqek.exe

Isn't the System Tray a necessary system process?
"Peace at any cost is no peace at all..." - Jason Jonovic

#7 squall_leonhart_wi


Posted 23 May 2004 - 03:47 PM

Yes I do have version 1.2, and I have it set to start on reboot, but it quits then, and I can't change the setting, because it closes before it gets to the point where you can go to the setting part.
"Peace at any cost is no peace at all..." - Jason Jonovic

#8 squall_leonhart_wi


Posted 23 May 2004 - 03:53 PM

Btw, thanks a lot for helping me!^_^
"Peace at any cost is no peace at all..." - Jason Jonovic

#9 Guest_Plimsol_*


Posted 23 May 2004 - 03:53 PM

These two processes don't look good:

pqek.exe
loadwwc.exe (Or did you misspell this and it is really loadwc.exe?)

End task on those processes and give me a new log. They are loading from somewhere.

Also, can you go into the registry by clicking on Start, then Run, typing regedit and pressing the OK button?

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"

And tell me if you have anything in the Appinit_DLLs key
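
The comparison made by eye in this thread, running process names against the autostart entries in the HijackThis log, can be scripted. The following is an added example, not part of the original posts: the log lines and process list are copied from posts #1 and #6, while the `BASELINE` set and the function names are assumptions made for illustration.

```python
import re

# F2/O4 autostart lines copied from the log in post #1 (abridged sample).
LOG = r"""
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\AVGANT~1\avgcc32.exe /STARTUP
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\Wallpaper Changer\AWC.exe
"""
PROCS = ("smss.exe csrss.exe winlogon.exe EM_EXEC.EXE services.exe avgserv.exe "
         "lsass.exe spoolss.exe RpcSs.exe MSTask.exe SysTray.exe Explorer.exe "
         "nddeagnt.exe loadwwc.exe AWC.exe realsched.exe avgcc32.exe pqek.exe").split()  # as typed in post #6
# Assumption for this example: system/service processes that O4 lines never list.
BASELINE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
            "spoolss.exe", "rpcss.exe", "explorer.exe", "mstask.exe", "avgserv.exe"}
# Basename of any .exe on a line: no path separators, quotes, brackets, '=' or ','.
EXE = re.compile(r'[^\\/,="\[\]\n]+\.exe\b', re.IGNORECASE)

def one_edit_apart(a, b):
    """True if a and b differ by exactly one inserted, deleted or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    a, b = sorted((a, b), key=len)          # a is now the shorter (or equal) name
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def triage(log, processes, baseline=BASELINE):
    """Label each running process: autorun, baseline, near-miss of <name>, unexplained."""
    autoruns = {m.group().strip().lower() for m in EXE.finditer(log)}
    result = {}
    for proc in processes:
        name = proc.lower()
        if name in autoruns:
            result[proc] = "autorun"
        elif name in baseline:
            result[proc] = "baseline"
        else:
            close = sorted(a for a in autoruns if one_edit_apart(name, a))
            result[proc] = f"near-miss of {close[0]}" if close else "unexplained"
    return result

if __name__ == "__main__":
    for proc, label in triage(LOG, PROCS).items():
        print(f"{proc:14} {label}")
```

A near-miss only says the name is one character away from a known autostart entry; it can be a transcription slip or a look-alike file, so the next step is confirming the name and path on the machine itself.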

#10 squall_leonhart_wi


Posted 23 May 2004 - 03:56 PM

I just noticed I made a typo on both of those. The first one was supposed to be cpqek.exe, and the other one is loadwc.exe
"Peace at any cost is no peace at all..." - Jason Jonovic

#11 squall_leonhart_wi


Posted 23 May 2004 - 03:59 PM

I went to the folder you told me to go to, and there wasn't anything about "AppInit_DLLs" in it.
"Peace at any cost is no peace at all..." - Jason Jonovic

#12 Papakid


Posted 23 May 2004 - 04:01 PM

Yes I do have version 1.2, and I have it set to start on reboot, but it quits then, and I can't change the setting, because it closes before it gets to the point where you can go to the setting part.


OK, what's happening with Spybot is a known bug with version 1.2--it's best not to set it to do anything automatically. You can either install v 1.3 which doesn't have that issue or reinstall 1.2. The problem is in the configuration.ini file for Spybot that is in an application data folder--not sure of the location for NT 4--in XP it is the Documents & Settings directory. You need to delete that when you uninstall v 1.2--whether you reinstall 1.2 or 1.3.

Go ahead and check out those files Plimsol is helping you with, but I think this is all you have to do.

The thing about people

is they change

when they walk away.--Mipso


#13 squall_leonhart_wi


Posted 23 May 2004 - 04:08 PM

ok, I just deleted the configuration file, and reinstalled it, and it worked when I opened it, so thanks a lot!
"Peace at any cost is no peace at all..." - Jason Jonovic

#14 Grinler


    Lawrence Abrams



Posted 23 May 2004 - 04:15 PM

I just noticed I made a typo on both of those. The first one was supposed to be cpqek.exe, and the other one is loadwc.exe

Ok those are both legitimate.

Glad Papa was able to figure it out for you

#15 squall_leonhart_wi


Posted 23 May 2004 - 04:17 PM

Ok, thanks again!
"Peace at any cost is no peace at all..." - Jason Jonovic



