-
March 11th, 2007, 09:27 AM
#1
Junior Member
Explorer and several programmes have been experiencing errors, and closing themselves
I had a friend try to help me with HijackThis. I fear he might have deleted something he shouldn't have, but I am unsure.
Windows Explorer often shuts itself down mid-task, i.e. when I open My Documents, and a couple of other programmes have started doing this also (LimeWire and WMP11). I am wondering if someone could tell me if I have something I shouldn't have in my HijackThis log file, and a possible reason for my error rate being so high (I originally put it off as excess resource usage), but I fear I am wrong:
Logfile of HijackThis v1.99.1
Scan saved at 7:09:32 PM, on 10/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
c:\program files\ati technologies\ati.ace\cli.exe
c:\program files\java\jre1.5.0_10\bin\jusched.exe
c:\program files\common files\symantec shared\ccapp.exe
c:\program files\zone labs\zonealarm\zlclient.exe
c:\program files\picasa2\picasamediadetector.exe
c:\windows\system32\ctfmon.exe
c:\program files\logitech\setpoint\setpoint.exe
c:\program files\common files\logitech\khal\khalmnpr.exe
c:\program files\java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
c:\program files\msn messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\skype\phone\skype.exe
c:\program files\skype\plugin manager\skypepm.exe
C:\Program Files\Video Access ActiveX Object\isamntr.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
c:\program files\internet explorer\iexplore.exe
c:\hijack this\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allmafia.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\system32\message.exe
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Loader] C:\WINDOWS\System\loader.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "c:\program files\skype\phone\skype.exe" /nosplash /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab53083.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{23D10A82-D469-4BBA-9689-F8E84BD5E512}: NameServer = 85.255.116.136,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{81E46D45-30D2-49FA-AD09-74BFB232C23E}: NameServer = 85.255.116.136,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD3B5790-4657-497B-B775-625B97D409AF}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD3B5790-4657-497B-B775-625B97D409AF}: NameServer = 85.255.116.136,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBFDE7FE-6AE0-45BD-883D-DEF342F5C1B0}: NameServer = 85.255.116.136,85.255.112.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.136 85.255.112.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{23D10A82-D469-4BBA-9689-F8E84BD5E512}: NameServer = 85.255.116.136,85.255.112.13
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.136 85.255.112.13
O17 - HKLM\System\CS2\Services\Tcpip\..\{23D10A82-D469-4BBA-9689-F8E84BD5E512}: NameServer = 85.255.116.136,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.136 85.255.112.13
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
Please tell me if I am an idiot or my so-called friend is!
Such is life,
- Ned kelly
-
March 11th, 2007, 11:44 AM
#2
I don't like the look of all that ActiveX stuff.
Submit your log here: http://www.hijackthis.de/#anl
and check out the things it reports as bad or suspicious.
Do an online scan with Panda or Trend Micro's PC-Cillin.
What are your hardware specs? Also, when you say "shut down", what exactly do you mean? Literally closes the app? Freezes? Or shuts down the whole PC? I would have a look at your system logs in Event Viewer to see if there are any clues.
-
March 12th, 2007, 04:01 AM
#3
Junior Member
Shut down: I mean it completely closes the app. The PC is still running.
System specs are: Cel 2.4, 1024 MB RAM, 80 GB HDD, ATI Radeon 9550 256 MB video, Creative Live sound card, TV card.
Also, I will do the Panda scan. I visited the hijackthis site just then, and when it said choose a file from your computer, I clicked "browse" and IE closed... thinking it may be a little more serious than I thought. I have done a safe mode scan with Spybot and Ad-Aware and cleared a heap of junk.
But when it shuts IE completely, I think it may be attached to Windows Explorer... whatever "it" may be.
But I am about to submit the log to hijackthis.de, and so I will let you guys know then if there is anything suspicious.
Such is life,
- Ned kelly
-
March 12th, 2007, 04:20 AM
#4
Junior Member
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
was classed as extremely nasty by the visitors to the hijackthis.de site. It has been deleted.
These entries were removed:
[?] - O17 - HKLM\System\CCS\Services\Tcpip\..\{23D10A82-D469-4BBA-9689-F8E84BD5E512}: NameServer = 85.255.116.136,85.255.112.13
[?] - O17 - HKLM\System\CCS\Services\Tcpip\..\{81E46D45-30D2-49FA-AD09-74BFB232C23E}: NameServer = 85.255.116.136,85.255.112.13
[?] - O17 - HKLM\System\CCS\Services\Tcpip\..\{AD3B5790-4657-497B-B775-625B97D409AF}: NameServer = 85.255.116.136,85.255.112.13
[?] - O17 - HKLM\System\CCS\Services\Tcpip\..\{FBFDE7FE-6AE0-45BD-883D-DEF342F5C1B0}: NameServer = 85.255.116.136,85.255.112.13
[?] - O17 - HKLM\System\CS1\Services\Tcpip\..\{23D10A82-D469-4BBA-9689-F8E84BD5E512}: NameServer = 85.255.116.136,85.255.112.13
[?] - O17 - HKLM\System\CS2\Services\Tcpip\..\{23D10A82-D469-4BBA-9689-F8E84BD5E512}: NameServer = 85.255.116.136,85.255.112.13
Last edited by mattiolio; March 12th, 2007 at 04:25 AM.
Such is life,
- Ned kelly
-
March 12th, 2007, 10:02 PM
#5
Junior Member
OK, I did an online scan with Trend Micro: no adware, virus or malware found, only low-rating spyware... This is starting to make less sense... I have found my Windows disk, but I have never reformatted before... I am a little scared, lol.
I can't find the driver disks for the mobo or the video card either.
There is around 14 GB of stuff to back up in My Documents. Could someone please give me some advice?
Last edited by mattiolio; March 12th, 2007 at 10:04 PM.
Such is life,
- Ned kelly
-
March 13th, 2007, 01:10 AM
#6
Originally Posted by mattiolio
OK, I did an online scan with Trend Micro: no adware, virus or malware found, only low-rating spyware... This is starting to make less sense... I have found my Windows disk, but I have never reformatted before... I am a little scared, lol.
I can't find the driver disks for the mobo or the video card either.
There is around 14 GB of stuff to back up in My Documents. Could someone please give me some advice?
O4 - HKLM\..\Run: [Loader] C:\WINDOWS\System\loader.exe
Trend Micro didn't find this little jewel...
loader.exe - loader - Process Information
Process File: loader.exe or loader
Process Name: Backdoor.Prorat Virus
Description:
loader.exe is a process which is registered as Backdoor.Prorat Virus. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
It's part of the CoolWebSearch family of miscreants; you may need to download CWShredder. I would recommend you go to AUMHA Forums
and submit your HJT log. Be sure to read their intro, as it may help you rid your PC of unwanted stuff prior to submitting the log.
Oh yeah, nihil mentions it, but you should remove these from your Add/Remove Programs:
C:\Program Files\Video Access ActiveX Object\isamntr.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
isamntr.exe: Isamntr.exe is Trojan.Zlob.M.
http://www.greatis.com/appdata/d/i/isamntr.exe.htm
They are all bad. Also see if any of these are in there:
p2pnetworks
AltPayments
PartyGaming
PartyPoker
You're also showing you have Norton... dollars to doughnuts it hasn't been updated in eons. IMHO, you should do a repair of your Windows XP...
http://www.michaelstevenstech.com/XPrepairinstall.htm
Last edited by dalek; March 13th, 2007 at 01:19 AM.
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
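The O17 lines hijackthis.de flagged in post #4, and the loader.exe and Zlob entries dalek points out above, are exactly what a small script can pull out of an HJT log before anyone starts deleting things. What follows is an added example, not code from this thread or from HijackThis: it parses the O2/O4/O16/O17 line formats seen in the log above, run over a constructed excerpt of that log, and flags autostarts that run from a Windows directory, ActiveX (DPF) downloads from hosts outside an allow-list or with no recorded source URL, NameServer values outside a trusted range, and unnamed browser helper objects. The allow-lists (TRUSTED_DNS, TRUSTED_DPF_HOSTS, KNOWN_WINDIR_AUTOSTARTS) are placeholders assumed for this example; in practice they hold the ISP's resolvers and the analyst's own trusted download hosts.

```python
"""Offline triage of a HijackThis (HJT) log.

Added example, not code from the thread or from HijackThis.  Parses the
O2 / O4 / O16 / O17 line formats that appear in the posted log and applies
simple allow-list heuristics.  All allow-lists are assumptions for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allow-lists (constructed for this example, not from the thread).
TRUSTED_DNS = (ipaddress.ip_network("192.168.0.0/16"),   # home router
               ipaddress.ip_network("61.9.0.0/16"))      # placeholder ISP range
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "java.com", "sun.com")
KNOWN_WINDIR_AUTOSTARTS = {"ctfmon.exe"}  # legitimately autostarts from C:\WINDOWS\system32

# Constructed excerpt of the posted log: a few lines from each section of interest.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\system32\message.exe
O4 - HKLM\..\Run: [Loader] C:\WINDOWS\System\loader.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} -
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{23D10A82-D469-4BBA-9689-F8E84BD5E512}: NameServer = 85.255.116.136,85.255.112.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.136 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD3B5790-4657-497B-B775-625B97D409AF}: Domain = vic.bigpond.net.au
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] "?(?P<path>[^"]+?\.exe)"?', re.I)
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$")
O17_RE = re.compile(r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d)\\Services\\Tcpip\\.*: NameServer = (?P<ns>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str      # HJT section code, e.g. "O17"
    reason: str
    line: str
    detail: str = ""  # section-specific extra: the control set for O17 hits


def dns_trusted(ip_text: str) -> bool:
    """True only if ip_text parses as an address inside an allow-listed range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_DNS)


def host_trusted(host: str) -> bool:
    """Suffix match on a label boundary, so 'evilmicrosoft.com' does not pass."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> list:
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O17_RE.match(line):
            # HJT prints resolvers comma- or space-separated; check each one.
            for ns in re.split(r"[,\s]+", m["ns"].strip()):
                if ns and not dns_trusted(ns):
                    findings.append(Finding("O17", f"untrusted DNS server {ns}", line, m["cs"]))
        elif m := O4_RE.match(line):
            exe = m["path"].rsplit("\\", 1)[-1].lower()
            # Autostarts sitting directly under C:\WINDOWS\... with no vendor directory
            # are rare for legitimate software; loader.exe and message.exe both match.
            if m["path"].lower().startswith("c:\\windows\\") and exe not in KNOWN_WINDIR_AUTOSTARTS:
                findings.append(Finding("O4", f"autostart [{m['key']}] runs {exe} from a Windows directory", line))
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            if not m["url"]:
                findings.append(Finding("O16", "ActiveX download with no recorded source URL", line))
            elif not host_trusted(host):
                findings.append(Finding("O16", f"ActiveX control downloaded from untrusted host {host}", line))
        elif (m := O2_RE.match(line)) and m["name"] == "(no name)":
            findings.append(Finding("O2", "browser helper object with no name", line))
    return findings


def dns_control_sets(findings) -> list:
    """Control sets that carry an untrusted resolver.  CCS is CurrentControlSet;
    CS1/CS2 are ControlSet001/002, one of which backs 'Last Known Good', so a
    hijack present in all of them survives that boot option."""
    return sorted({f.detail for f in findings if f.section == "O17"})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("rogue DNS present in control sets:", ", ".join(dns_control_sets(results)))
```

The O17 check is the one to act on first. In the posted log the same two resolvers appear under CCS and under CS1 and CS2, so booting with Last Known Good Configuration would bring the hijacked DNS back, and every name lookup the machine makes, including the one for an online scanner's download host, is answered by whoever runs those servers until the NameServer values are cleared and the adapter is set back to the ISP's DNS.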
-
March 18th, 2007, 05:51 AM
#7
Junior Member
application Win32/Hoax.Renos.NAQ found in operating memory. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. No action can be taken while the file is in memory. Click "Leave" to continue and subsequently run the cleaning of all local disks. System memory infection originated from file: C:\WINDOWS\system32\geplxss.dll.
Googled that and cannot find any info:
C:\WINDOWS\system32\geplxss.dll.
Ad-Aware, XoftSpy and RegCure are all encountering an error whether they are in safe mode or normal. I cannot back up any files to do a format, and I am about to test my new gravity method of removal.
Such is life,
- Ned kelly
-
March 18th, 2007, 06:02 AM
#9
Junior Member
I have also done a repair install; it was useless.
Such is life,
- Ned kelly
-
March 18th, 2007, 06:07 AM
#10
Yes, it only repairs the Windows OS. Your problem seems to be malware. Follow that link and check the removal instructions.
EDIT: Try this site:
http://www.malwarebytes.org/
"Rogue Remover" might help.
Last edited by nihil; March 18th, 2007 at 11:26 AM.