System lockup & hijack log

  1. #1
    jimmyw, Newbie

    Need help with this 2-user computer

    Logfile of HijackThis v1.99.1
    Scan saved at 829 PM, on 3/15/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP
    SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\NIKON\PICTUREPROJECT\NKBMONITOR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP
    SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\CMMON32.EXE
    C:\WINDOWS\WUAUCLT.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.in4web.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.in4web.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.in4web.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    http://www.hotbar.com/dyn/hotbar/3.0...chPageHome.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer
    = http=127.0.0.1:5400
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride =
    ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} -
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\PBHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program
    Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
    -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor]
    C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [KB891711]
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"
    O4 - Startup: NkbMonitor.exe.lnk = C:\Program
    Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common
    Files\efax\HotTray.exe
    O4 - Startup: SlipStream Web Accelerator.lnk = C:\Program Files\SlipStream Web
    Accelerator\slipaccel.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM
    FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/227
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM
    FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/250
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links -
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.in4web.com
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX
    Control) -
    http://a840.g.akamai.net/7/840/5805/...includes/Conte
    ntAuditControl.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) -
    http://www107.coolsavings.com/download/cscmv5X.cab
    O16 - DPF: {BFD3760D-36DB-4385-B10C-387A3D647092} (StubInstaller_ActiveX
    Control) -
    http://download.weather.com/web/desk...bInstaller.cab
    Last edited by jimmyw; 17-03-2005 at 06:32 AM. Reason: Additional info


  2. #2
    owen, D-A-L Team Member (UK)
    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    http://www.hotbar.com/dyn/hotbar/3....rchPageHome.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride =
    ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com
    O3 - Toolbar: (no name) - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) -
    http://www107.coolsavings.com/download/cscmv5X.cab

    Click Fix Checked

    Reboot and post a fresh log

  3. #3
    jimmyw, Newbie
    Logfile of HijackThis v1.99.1
    Scan saved at 2:07:23 PM, on 4/3/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP
    SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP
    SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\NIKON\PICTUREPROJECT\NKBMONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\CMMON32.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
    C:\WINDOWS\WUAUCLT.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.in4web.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.in4web.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.in4web.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer
    = http=127.0.0.1:5400
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride =
    ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} -
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\PBHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program
    Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
    -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor]
    C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [KB891711]
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"
    O4 - Startup: NkbMonitor.exe.lnk = C:\Program
    Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common
    Files\efax\HotTray.exe
    O4 - Startup: SlipStream Web Accelerator.lnk = C:\Program Files\SlipStream Web
    Accelerator\slipaccel.exe
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM
    FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/227
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM
    FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/250
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links -
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.in4web.com
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX
    Control) -
    http://a840.g.akamai.net/7/840/5805/...includes/Conte
    ntAuditControl.cab
    O16 - DPF: {BFD3760D-36DB-4385-B10C-387A3D647092} (StubInstaller_ActiveX
    Control) -
    http://download.weather.com/web/desk...bInstaller.cab

  4. #4
    owen, D-A-L Team Member (UK)
    Boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride =
    ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com

    Click Fix Checked

    Reboot and post a fresh log

  5. #5
    jimmyw, Newbie
    Logfile of HijackThis v1.99.1
    Scan saved at 1:11:50 AM, on 4/6/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP
    SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP
    SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\NIKON\PICTUREPROJECT\NKBMONITOR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\CMMON32.EXE
    C:\WINDOWS\WUAUCLT.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.in4web.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.in4web.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.in4web.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer
    = http=127.0.0.1:5400
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride =
    ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} -
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\PBHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program
    Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
    -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor]
    C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [KB891711]
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"
    O4 - Startup: NkbMonitor.exe.lnk = C:\Program
    Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common
    Files\efax\HotTray.exe
    O4 - Startup: SlipStream Web Accelerator.lnk = C:\Program Files\SlipStream Web
    Accelerator\slipaccel.exe
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM
    FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/227
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM
    FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/250
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links -
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.in4web.com
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX
    Control) -
    http://a840.g.akamai.net/7/840/5805/...includes/Conte
    ntAuditControl.cab
    O16 - DPF: {BFD3760D-36DB-4385-B10C-387A3D647092} (StubInstaller_ActiveX
    Control) -
    http://download.weather.com/web/desk...bInstaller.cab

  6. #6
    owen, D-A-L Team Member (UK)
    Download the attached remove.zip. Leave it now, we'll use it later.

    Boot into Safe Mode.

    Unzip remove.zip and double click the unzipped file and confirm the merge with the registry.

    Reboot and post a fresh log.
    Last edited by owen; 08-04-2005 at 06:25 PM.

  7. #7
    jimmyw, Newbie
    Note: Had to disable Norton AV from Startup to get back on.


    Logfile of HijackThis v1.99.1
    Scan saved at 1:23:52 PM, on 4/10/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP
    SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\HOTBAR\BIN\4.5.0.0\WEATHERONTRAY.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\HOTBAR\BIN\4.5.0.0\SBINST.EXE
    C:\PROGRAM FILES\HOTBAR\BIN\4.5.0.0\HBINST.EXE
    C:\PROGRAM FILES\NIKON\PICTUREPROJECT\NKBMONITOR.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP
    SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\CMMON32.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.in4web.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.in4web.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.in4web.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer
    = http=127.0.0.1:5400
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride =
    ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} -
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\PBHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe
    /reminder
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program
    Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
    -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [WeatherOnTray] C:\PROGRAM
    FILES\HOTBAR\BIN\4.5.0.0\WEATHERONTRAY.EXE
    O4 - HKLM\..\Run: [Spam Blocker for Outlook Express]
    C:\PROGRA~1\HOTBAR\BIN\450~1.0\SBInst.exe
    O4 - HKLM\..\Run: [Hotbar] C:\PROGRAM
    FILES\HOTBAR\BIN\4.5.0.0\HBINST.EXE /Upgrade
    O4 - HKLM\..\RunServices: [StillImageMonitor]
    C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [KB891711]
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common
    Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"
    O4 - Startup: NkbMonitor.exe.lnk = C:\Program
    Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common
    Files\efax\HotTray.exe
    O4 - Startup: SlipStream Web Accelerator.lnk = C:\Program Files\SlipStream Web
    Accelerator\slipaccel.exe
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM
    FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/227
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM
    FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/250
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links -
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.in4web.com
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX
    Control) -
    http://a840.g.akamai.net/7/840/5805/...includes/Conte
    ntAuditControl.cab
    O16 - DPF: {BFD3760D-36DB-4385-B10C-387A3D647092} (StubInstaller_ActiveX
    Control) -
    http://download.weather.com/web/desk...bInstaller.cab

  8. #8
    owen, D-A-L Team Member (UK)
    Go to Start> Run and type regedit.

    On the left navigate to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings


    Then on the right, right click ProxyOverride and click Delete.

    Then go to Start> Settings> Control Panel and then double click Internet Options. Click the Programs tab and then click Reset Web Settings.

    Reboot and post a fresh log.

  9. #9
    jimmyw, Newbie
    Logfile of HijackThis v1.99.1
    Scan saved at 12:39:42 AM, on 4/18/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP
    SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\HOTBAR\BIN\4.5.0.0\WEATHERONTRAY.EXE
    C:\PROGRAM FILES\HOTBAR\BIN\4.5.0.0\SBINST.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\HOTBAR\BIN\4.5.0.0\HBINST.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP
    SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NIKON\PICTUREPROJECT\NKBMONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\CMMON32.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.in4web.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.in4web.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.in4web.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.in4web.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer
    = http=127.0.0.1:5400
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} -
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\PBHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe
    /reminder
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program
    Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
    -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [WeatherOnTray] C:\PROGRAM
    FILES\HOTBAR\BIN\4.5.0.0\WEATHERONTRAY.EXE
    O4 - HKLM\..\Run: [Spam Blocker for Outlook Express]
    C:\PROGRA~1\HOTBAR\BIN\450~1.0\SBInst.exe
    O4 - HKLM\..\Run: [Hotbar] C:\PROGRAM
    FILES\HOTBAR\BIN\4.5.0.0\HBINST.EXE /Upgrade
    O4 - HKLM\..\RunServices: [StillImageMonitor]
    C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [KB891711]
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common
    Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"
    O4 - HKCU\..\RunServices: [MSMSGS] "C:\PROGRAM
    FILES\MESSENGER\MSMSGS.EXE"
    O4 - Startup: NkbMonitor.exe.lnk = C:\Program
    Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common
    Files\efax\HotTray.exe
    O4 - Startup: SlipStream Web Accelerator.lnk = C:\Program Files\SlipStream Web
    Accelerator\slipaccel.exe
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM
    FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/227
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM
    FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/250
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links -
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.in4web.com
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX
    Control) -
    http://a840.g.akamai.net/7/840/5805/...includes/Conte
    ntAuditControl.cab
    O16 - DPF: {BFD3760D-36DB-4385-B10C-387A3D647092} (StubInstaller_ActiveX
    Control) -
    http://download.weather.com/web/desk...bInstaller.cab

  10. #10
    owen, D-A-L Team Member (UK)
    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    O4 - HKLM\..\Run: [Spam Blocker for Outlook Express]
    C:\PROGRA~1\HOTBAR\BIN\450~1.0\SBInst.exe
    O4 - HKLM\..\Run: [Hotbar] C:\PROGRAM
    FILES\HOTBAR\BIN\4.5.0.0\HBINST.EXE /Upgrade

    Click Fix Checked

    Go to the Control Panel and double click Add/Remove programs and uninstall:
    Hotbar

    Reboot and post a fresh log.
