Slow Infested Computer


7 replies to this topic

#1 SnakeNdGrass

Posted 17 February 2006 - 04:29 AM

Hey, first off I would like to say thankyou to Jet Ian for helping me clean up my laptop. Thankyou, now I am trying to get my Desktop cleaned up, it is sooo slowww, anyways here is my hijack this log and my panda log for my desktop, your help will be appreciated

Logfile of HijackThis v1.99.1
Scan saved at 3:18:22 AM, on 2/17/2006
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.netpathway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...6oJUfadIzFGzm8C
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Internet Pathway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: DLHelperEXE.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra button: Dell Home - {D374746B-09EE-42A6-8867-584B357F39F0} - http://www.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/deltacvx.cab
O16 - DPF: {7565A160-5C60-4866-A120-F4D5B2BA3AAE} (FSLoaderCtrl Class) - http://www.clickedyclick.com/Download_Helper/fsloader_v3.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = netpathway.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 208.137.139.2,208.137.139.4





Incident Status Location

Adware:Adware/eZula Not disinfected C:\WINDOWS\SYSTEM\stub.exe
Dialer:Dialer.Gen Not disinfected C:\WINDOWS\SYSTEM\InstantPleasure3-uninstall.exe
Dialer:Dialer.Gen Not disinfected C:\WINDOWS\SYSTEM\InstantPleasure-uninstall.exe
Dialer:Dialer.Gen Not disinfected C:\WINDOWS\SYSTEM\UKVideo-uninstall.exe
Spyware:Spyware/Overpro Not disinfected C:\WINDOWS\SYSTEM\InetFuel.exe
Adware:adware/kingporn Not disinfected C:\WINDOWS\SYSTEM\uninstidctr.exe
Adware:Adware/eZula Not disinfected C:\WINDOWS\SYSTEM\ezPopStub.exe
Adware:Adware/LocalNRD Not disinfected C:\WINDOWS\INF\LOCALNRD.INF
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\CONSCORR.INF
Adware:Adware/Twain-Tech Not disinfected C:\WINDOWS\INF\TWAINTEC.INF
Spyware:Cookie/Rightmedia Not disinfected C:\WINDOWS\Cookies\probstsr@rightmedia[1].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\anyuser@xiti[1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\anyuser@com[2].txt
Spyware:Cookie/go Not disinfected C:\WINDOWS\Cookies\anyuser@go[2].txt
Spyware:Cookie/GoStats Not disinfected C:\WINDOWS\Cookies\anyuser@c2.gostats[2].txt
Spyware:Cookie/Kount Not disinfected C:\WINDOWS\Cookies\anyuser@kount[2].txt
Spyware:Cookie/Ask Not disinfected C:\WINDOWS\Cookies\anyuser@ask[2].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Cookies\anyuser@888[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\WINDOWS\Cookies\anyuser@adultfriendfinder[1].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\WINDOWS\Cookies\anyuser@abetterinternet[2].txt
Spyware:Cookie/TouchClarity Not disinfected C:\WINDOWS\Cookies\anyuser@intercasino.touchclarity[1].txt
Spyware:Cookie/Barelylegal Not disinfected C:\WINDOWS\Cookies\anyuser@c.fsx[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\WINDOWS\Cookies\anyuser@rightmedia[2].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Cookies\anyuser@webpower[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Cookies\anyuser@ccbill[2].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\WINDOWS\Cookies\anyuser@www.affiliatefuel[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\anyuser@www.burstbeacon[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\anyuser@burstnet[1].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Cookies\anyuser@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\WINDOWS\Cookies\anyuser@adopt.hbmediapro[1].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Cookies\anyuser@www.web-stat[1].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\anyuser@ct.360i[2].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\anyuser@belnk[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\WINDOWS\Cookies\anyuser@rightmedia[3].txt
Spyware:Cookie/Errorguard Not disinfected C:\WINDOWS\Cookies\anyuser@errorguard[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\anyuser@ath.belnk[2].txt
Spyware:Cookie/GoStats Not disinfected C:\WINDOWS\Cookies\anyuser@c2.gostats[3].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Cookies\anyuser@ccbill[3].txt
Spyware:Cookie/Cassava Not disinfected C:\WINDOWS\Cookies\anyuser@cassava[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\anyuser@burstnet[3].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Cookies\anyuser@888[4].txt
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\Cookies\anyuser@outster[2].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\WINDOWS\Cookies\anyuser@spywarestormer[2].txt
Spyware:Cookie/Banner Not disinfected C:\WINDOWS\Cookies\anyuser@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\anyuser@dist.belnk[1].txt
Spyware:Cookie/Ask Not disinfected C:\WINDOWS\Cookies\anyuser@ask[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\WINDOWS\Cookies\anyuser@adultfriendfinder[3].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\anyuser@did-it[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\Cookies\anyuser@searchportal.information[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\anyuser@www.burstbeacon[3].txt
Spyware:Cookie/Microsofte Not disinfected C:\WINDOWS\Cookies\anyuser@microsofteup.112.2o7[2].txt
Spyware:Cookie/go Not disinfected C:\WINDOWS\Cookies\anyuser@go[1].txt
Spyware:Cookie/Qsrch Not disinfected C:\WINDOWS\Cookies\anyuser@newnet.qsrch[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Cookies\anyuser@ad.yieldmanager[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\anyuser@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\anyuser@doubleclick[1].txt
Spyware:Cookie/2o7.net Not disinfected C:\WINDOWS\Cookies\anyuser@2o7[2].txt
Spyware:Cookie/Tucows Not disinfected C:\WINDOWS\Cookies\anyuser@tucows[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\WINDOWS\Cookies\anyuser@questionmarket[1].txt
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\iconzx.exe
Adware:Adware/eZula Not disinfected C:\WINDOWS\ezStub.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Toolbar2\nzqlihv.wzg
Adware:Adware/DownloadPlus Not disinfected C:\Files.rar[DP807615.EXE]
Spyware:Spyware/Spydeleter Not disinfected C:\Files.rar[SDMSG.EXE]
Spyware:Spyware/Spydeleter Not disinfected C:\Files.rar[SD.EXE]
Adware:Adware/IST.ISTBar Not disinfected C:\Files.rar[istinstall_154074.exe]
Adware:Adware/Look2Me Not disinfected C:\Files.rar[IF01.EXE]
Adware:Adware/PortalScan Not disinfected C:\Files.rar[KJBERUP.EXE]
Adware:Adware/BookedSpace Not disinfected C:\Files.rar[NEWDEVIN.EXE]
Spyware:Spyware/Spydeleter Not disinfected C:\Files.rar[O.BAT]
Spyware:Spyware/Spydeleter Not disinfected C:\Files.rar[O]
Virus:Exploit/CodeBase.A


#2 ken545

Malware Response Team

Posted 21 February 2006 - 04:20 PM

SnakeNdGrass



Go to Add/Remove Programs thru Control Panel. Uninstall the following if they exist:

Window Search
Win Tools
IEtools
IESearch
Windows Assistant
WindowsSA
Search Assistant
Windows Search Assistant

When uninstalling you will be prompted to insert a security code. Please do so and reboot when done.

If you do not see these programs in your Add/Remove programs then download and run both of these uninstallers:

http://lop.com/new_uninstall.exe
http://lop.com/toolbar_uninstall.exe


Then open HJT Scan Only, close your browser and all open windows, check these entries and click on Fix Checked.

R3 - Default URLSearchHook is missing
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - Startup: DLHelperEXE.exe
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {7565A160-5C60-4866-A120-F4D5B2BA3AAE} (FSLoaderCtrl Class) - http://www.clickedyclick.com/Download_Helper/fsloader_v3.cab






SHOW HIDDEN FILES AND FOLDERS

* Click on MY COMPUTER
* Then on your C: Drive
* Then to TOOLS/ FOLDER OPTIONS/ VIEW
* Choose the radio button to SHOW HIDDEN FILES AND FOLDERS
* Take the checkmark out of HIDE EXTENSIONS FOR KNOWN FILE TYPES
* Then APPLY/ OK

* Don't forget to reverse this once your computer is clean



To Enter SAFEMODE

* Go to START/ SHUT OF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD


Look for and delete the files and folders in Red.

C:\PROGRA~1\COMMON~1\WINTOOLS

DLHelperEXE.exe
<-- You will have to do a search for this one.

Reboot normally


Download and Install CCleaner

* Click on Run Cleaner
* Run the Issues Scan < When it asks you to backup the Registry..Say Yes


Tutorial
http://www.ccleaner.com/help/tour1.asp

Post back with a new HJT log and let me know how your system is running at the moment.

Ken :thumbsup:


 

Just a reminder that threads will be closed if no response in 3 days


#3 SnakeNdGrass


Posted 23 February 2006 - 02:08 AM

Hi Ken,
Thank you for your help, I believe that my computer is starting to run faster than it had before. I have a couple of popup errors when I start up my computer though. I have had these for about two months; they are: 'Stmgr has caused an error in WINTRUST.DLL', and the other is 'Stmgr has caused an error in KERNEL.32.DLL'

Here is my new hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 12:57:29 AM, on 2/23/2006
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.netpathway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Internet Pathway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra button: Dell Home - {D374746B-09EE-42A6-8867-584B357F39F0} - http://www.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/deltacvx.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = netpathway.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 208.137.139.2,208.137.139.4

#4 ken545

Malware Response Team

Posted 23 February 2006 - 05:39 AM

SnakeNdGrass.

Online poker sites are known to infect their visitors with all manner of Internet parasites. Recommendation: Go to Control Panel-->Add/Remove Programs and Uninstall/Remove all entries found for Poker.com, PartyPoker.com, PartyPoker, PartyPoker.net, Bodog Poker and any other variant found.

Open HJT Scan only and fix this entry.

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe

If you uninstall any of the poker programs then you can fix the rest of any O9 entries related to party poker. But this is totally your decision.

Outside of that, the rest of your log looks good. :thumbsup: I am glad things are running better.


The error you are getting is in relation to the System Restore feature and may be the result of installing a bad Windows update. Try opening IE > Tools > Windows Update and download any current updates and see if that fixes it. Not to bust your bubble but Windows ME was the worst Operating System that Microsoft ever came out with; you would be so much better off, problem-wise and security-wise, if you upgraded to Windows XP. WinMe is known for having one problem after another.

You can try this also.
Strmgr is a component of System Restore, and Wintrust is a component which creates and checks hash values and thus determines if a file has been modified or replaced. It could be that you performed an update on Windows ME and something got messed up. One thing that may need to be done is to register this DLL in your registry. You can do this through the use of the Regsvr32 command. Go to the Start Menu / Run and type "Command" to get your command prompt window. Then change directory to your "c:\Windows\System" directory and then run the following command:

Regsvr32 wintrust.dll

This is a windows issue and if any of the above do not work, I can direct you to some excellent Windows Tech Support sites that deal with this sort of thing.

Ken :flowers:

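To turn the fix-list from post #2 (R3 hook missing, the WinTools RunServices entry, the bare DLHelperEXE.exe Startup item, the two O16 DPF downloads) and the O9 poker-button advice from post #4 into a repeatable check, here is an added example script; it is not part of this thread and not HijackThis code. The DPF host allowlist, the unwanted-folder list and the rule that stale O9 entries marked "(file missing)" are worth flagging are assumptions drawn from what the helper left alone and what he asked the poster to remove.

```python
"""Triage a HijackThis v1.99 log along the lines used in this thread.

Added example; not part of the original thread and not HijackThis code.
Rules, with the post they come from:
  R3  "Default URLSearchHook is missing"                    (post #2)
  O4  autostart command under a known unwanted folder       (post #2)
  O4  Startup-folder item given as a bare file name         (post #2)
  O16 DPF ActiveX control from a host not on the allowlist  (post #2)
  O9  extra button whose target is "(file missing)"         (assumption
      extending post #4's advice to fix leftover O9 entries)
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# A HijackThis entry line: section tag, " - ", then the entry body.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


@dataclass
class Entry:
    section: str  # e.g. "R3", "O4", "O16"
    body: str     # text after "O4 - "


def parse_hjt(text):
    """Return the R/F/O entries of a log; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


# Constructed allowlist: hosts of the O16 controls the helper did not ask to remove.
DPF_ALLOWLIST = {
    "www.mathxl.com", "us.chat1.yimg.com", "a840.g.akamai.net",
    "www.symantec.com", "security.symantec.com", "go.microsoft.com",
    "wdownload.weatherbug.com", "acs.pandasoftware.com",
}
# Folder-name fragments the helper told the poster to remove (post #2).
UNWANTED_FOLDERS = ("WINTOOLS",)


def dpf_host(body):
    """Host part of the download URL at the end of an O16 DPF entry body."""
    url = body.rsplit(" - ", 1)[-1]
    return (urlsplit(url).hostname or "").lower()


def triage(entries):
    """Return (section, reason, body) for every entry a rule flags, in log order."""
    findings = []
    for e in entries:
        if e.section == "R3" and "URLSearchHook is missing" in e.body:
            findings.append((e.section, "default URLSearchHook missing", e.body))
        elif e.section == "O4":
            upper = e.body.upper()
            if upper.startswith("STARTUP:") and "\\" not in e.body:
                findings.append((e.section, "Startup item is a bare file name; search for it", e.body))
            elif any(f in upper for f in UNWANTED_FOLDERS):
                findings.append((e.section, "autostart from known unwanted folder", e.body))
        elif e.section == "O16":
            host = dpf_host(e.body)
            if host not in DPF_ALLOWLIST:
                findings.append((e.section, f"ActiveX control from non-allowlisted host {host}", e.body))
        elif e.section == "O9" and "(file missing)" in e.body:
            findings.append((e.section, "extra button whose target file is missing", e.body))
    return findings


# Constructed sample: a handful of lines taken from the first log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - Startup: DLHelperEXE.exe
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:<4} {reason}\n     {body}")
```

Entries that are not flagged (the Symantec ccApp autostart, the AIM button, the Panda ActiveScan control) are exactly the ones the helper left in place, so the script's output matches the two HJT fix-lists in this thread.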


#5 SnakeNdGrass


Posted 24 February 2006 - 02:41 AM

Thank you Ken, I appreciate your help :thumbsup:

I am also receiving an error stating 'Loadqm is causing an error in <unknown>'

Also I am having some problems getting to the system directory in the command prompt, It just stays on desktop.

I believe I am going to get windows xp though, thanks for the tip

SnakeNdGrass

Edited by SnakeNdGrass, 24 February 2006 - 03:13 AM.


#6 ken545

Malware Response Team

Posted 24 February 2006 - 09:42 AM

Good Morning Snakeinthegrass,

You can try this and see if it helps, it may work in ME.

How to remove LOADQM.EXE from the Startup

After running MSCONFIG (on Windows 98, click: START -> RUN -> msconfig, then click the STARTUP tab), I disabled LOADQM.EXE from starting when Windows first loads. After being told to reboot, it appeared that his system was running much faster.


If you look around you can find an upgrade OEM version of Windows XP for under $100. Just buy from a reputable dealer and make sure it's not illegal; with an illegal copy of Windows, you won't be able to do any updates and you will be right back to square one.

Ken :thumbsup:



#7 SnakeNdGrass


Posted 24 February 2006 - 12:49 PM

Hey Ken,

I was thinking of downloading a Windows XP torrent with a serial. Is this what you mean by illegal? If I do download that copy will I be able to get the updates for that? Thank you again for your help.

Snake

#8 ken545

Malware Response Team

Posted 24 February 2006 - 01:08 PM

Snake,

Microsoft does not offer any of its Operating Systems or Office products (or, for that matter, most of what they sell) for download. You need to buy a disk. The OEM (Original Equipment Manufacturer) version is a legal copy; you just get the disk and the licence, no fancy box or manual.


This is a site that I have purchased from before and never had any problems.
http://www.directdeals.com/item-N09-00985.aspx

This is totally your call, you may want to look at places like Best Buy or Staples or places like that. You can use the upgrade, but I am not a big fan of upgrades; you may want to look into the full version for just a few bucks more.

If you decide to upgrade, before you buy a disk, post back and I can give you some links to great tech support sites that can guide you through the installation.

Ken :thumbsup:
