I don't even know how I got it since I didn't click on anything at all yesterday.

Here's my log after running Hijack this
Help would be greatly appreciated!

Here is my log. Can someone please help me with this? Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 12:50:47 AM, on 12/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

Please can somebody help me???

Please I need help, my gf clicked on the link by mistake and now she has it to and her internet explorer browser is acting up.

Hi!

I'm not a spyware expert but the entries I say below are spyware so you can get rid of them with HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
O4 - HKLM\..\Run: [System Initialization]

Delete this file:
C:\WINNT\system32\msmsgri32.exe

Thanks man, gonna do that right now.

Hi!

I'm not a spyware expert but the entries I say below are spyware so you can get rid of them with HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
O4 - HKLM\..\Run: [System Initialization]

Delete this file:
C:\WINNT\system32\msmsgri32.exe


How do I delete this file?
C:\WINNT\system32\[B]msmsgri32.exe[/B

I can't even find C:\WINNT\system32\msmsgri32.exe. Am I searching wrong?

I can't even find C:\WINNT\system32\msmsgri32.exe. Am I searching wrong?

Make sure you can view hidden files and folders and look again. If not, go in to safe mode and look there. :)

How do I view hidden files?

Click here (http://short-media.com/forum/showthread.php?t=16748) and follow the images. When you are finshed make sure to hide the files and folders again.

If you cannot find the file, it may have been deleted with HJT :)

Post a new log.

I didn't find it, here's the new log


Logfile of HijackThis v1.98.2
Scan saved at 1:51:09 PM, on 12/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\TEMP\[-]73786.exe
C:\WINNT\System32\svchost.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

Does that mean everything is ok now?

All lookss good accept this line:

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?

I suggest you wait until someone has a proper look. :)

Ok thanks man! Can someone take a look at my latest log and this line in particular?


O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?



Logfile of HijackThis v1.98.2
Scan saved at 2:00:40 PM, on 12/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\TEMP\[-]73786.exe
C:\WINNT\System32\svchost.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

Help??

Please post a new hijackthis log and I will look at it now.

Here is my new log, please help me.


Logfile of HijackThis v1.98.2
Scan saved at 12:29:31 PM, on 12/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\AtiRage4dPro.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

Hi New_Guy.

Fix these entries with HJT.
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

Do you know what AtiRage4dPro is? If not then remove these entries with HJT.
O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe

Open Task Manager and look for any signs of msgfix.exe and End the process, then go here C:\WINNT\system32\msgfix.exe and delete the file msgfix.exe. There should be 5.

Post a new log

ATI Rage3d Pro is hardware related. Do not fix those entries.

C:\WINNT\system32\msgfix.exe is a worm. Follow the instructions on this page for removal.

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.sn.html

As for the rest of your log, you can remove both 016's. But as SpywareShooter said, don't remove the 04's. The rest of your log looks good.

The away message from bestfriends started again.

New log

http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Hi New_Guy.

Fix these entries with HJT.
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

Do you know what AtiRage4dPro is? If not then remove these entries with HJT.
O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe

Open Task Manager and look for any signs of msgfix.exe and End the process, then go here C:\WINNT\system32\msgfix.exe and delete the file msgfix.exe. There should be 5.

Post a new log


I found 3 of them in the task manager but only could delete one of them. I stll can't find this C:\WINNT\system32\msgfix.exe. How do I search for it?

C:\WINNT\system32\msgfix.exe is a worm. Follow the instructions on this page for removal.

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.sn.html

As for the rest of your log, you can remove both 016's. But as SpywareShooter said, don't remove the 04's. The rest of your log looks good.

I also can't use my symantec program. I had to uninstall because it just froze. I couldn't update nor could I go to symantec's home pages for some reason.

Start hijackthis and go to config\misc tools\delete a file on reboot and paste in; C:\WINNT\system32\msgfix.exe and reboot. Check to see if the file is still in task manager.

You need to stick to one thread too.

http://www.short-media.com/forum/showthread.php?t=24478

I ran the Panda scan free acitve scan and this i what was disinfected

Incident Status Location

Virus:Trj/Qhost.gen Disinfected C:\RECYCLER\S-1-5-21-1004336348-813497703-1708537768-1000\Dc1
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts
Virus:Trj/Delshare.I Disinfected C:\WINNT\Temp\secure.bat

However I restarted my computer and now I can't access symantec again.

New log

ogfile of HijackThis v1.98.2
Scan saved at 10:15:59 AM, on 12/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\AtiRage4dPro.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKCU\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Can someone please help? I'm going home this Friday for vacation from college and I need to fixed or else the school networking will disable my infected computer. Please help.

Boot into Safe Mode then do the following:

O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKCU\..\Run: [Kaspersky Antivirus] KasperskyAV.exe

Fix those entries then find and delete kasperskyAV.exe, boot back into normal mode, and post a new log.

I'm doing it now.

How to I find kasperskyAV.exe

Use the Windows "Find" feature located in your start menu to find it.

I did and it wasn't found.

I'm still in safe mood too.

When you're in safe mode, you shouldnt' be able to access the Internet. Do you have hidden files and folders enabled?

I'm in safe mode with networking on and I had them enable before but I'll try again.

I enabled and still can't find it when I do search.

What should I do now? I have to leave in 20 mins for a final.

Here is my log and never found kasperskyav.exe


Logfile of HijackThis v1.98.2
Scan saved at 1:19:02 PM, on 12/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\AtiRage4dPro.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Did you reboot between the last two logs? If you did, your system should be clean. Are you stll having any problems?

Did you reboot between the last two logs? If you did, your system should be clean. Are you stll having any problems?

I used Stinger in safe mode got rid Qhost and was able to get on symantec.com, i then rebooted and i can't get on symantec again.

New Log

Logfile of HijackThis v1.98.2
Scan saved at 3:55:39 PM, on 12/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\AtiRage4dPro.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\revcobb\Local Settings\Temporary Internet Files\Content.IE5\I1KVC5Q9\stinger[1].exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Download the Hoster

http://members.aol.com/toadbee/hoster.zip

This will restore your original Host files.
Run the program and press “Restore Original Hosts” and press “OK”


Now try to access symantec.com

K I haven't done this yet but bestfriens.pif came back again.

What is AtiRage4dPro.exe? I keep seeing this in hijack log

Ati Rage4D Pro is hardware related, possibly your graphics adapter.

Have you run this tool yet?

http://jayloden.com/AIMFix.exe

If not, try it.

Ati Rage4D Pro is hardware related, possibly your graphics adapter.

Have you run this tool yet?

http://jayloden.com/AIMFix.exe

If not, try it.
I ran it yesterday and the day before.

New log

Logfile of HijackThis v1.98.2
Scan saved at 10:34:39 PM, on 12/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\AtiRage4dPro.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

I don't see anything bad in your latest log. Are you still experiencing problems? Can you connect to sites that you couldn't before?

I don't see anything bad in your latest log. Are you still experiencing problems? Can you connect to sites that you couldn't before?
I can connect them now but I'm afraid that if I reboot the Qhost will be back. Also, I'm using avast and it keeps blocking an attack called DCOM I believe that occurs on and earth.

Download sysclean (free) from Trend Micro, allow it to clean up any bad files it finds. It may take a while :).

http://www.trendmicro.com/download/dcs.asp

Be sure to download and install the latest pattern file. There's a link to it at the lower left-hand colum of the page. It will not run without the pattern file.

From Trend:

Note that for the Trend Micro Sysclean Package to be effective, you must download and place the latest pattern file in the same folder as the Trend Micro Sysclean Package.

Download sysclean (free) from Trend Micro, allow it to clean up any bad files it finds. It may take a while :).

http://www.trendmicro.com/download/dcs.asp

Be sure to download and install the latest pattern file. There's a link to it at the lower left-hand colum of the page. It will not run without the pattern file.

From Trend:

Note that for the Trend Micro Sysclean Package to be effective, you must download and place the latest pattern file in the same folder as the Trend Micro Sysclean Package.

I can't access the page.

Msgfix.exe is back and I can't get rid of it, what do I do???

New Log


Logfile of HijackThis v1.98.2
Scan saved at 12:35:18 AM, on 12/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Hi! msgfix.exe doesn't show in your log. How are you sure it's back? Your log is clean.

Do you have anything disabled on Startup? If so then enable everything in MSCONFIG (start > run > type *msconfig* without the * and then click the startup tab and click 'enable all').

Post a new log :)

Hi! msgfix.exe doesn't show in your log. How are you sure it's back? Your log is clean.

Do you have anything disabled on Startup? If so then enable everything in MSCONFIG (start > run > type *msconfig* without the * and then click the startup tab and click 'enable all').

Post a new log :)

When I opened Task Manager and clicked the processes tab I saw msgfix.exe running but couldn't end the process. I see it this morning too but my computer seems to be running fine now. Crud that stupid Kapersky antivirus thing is back again, here's my log


Logfile of HijackThis v1.98.2
Scan saved at 8:24:37 AM, on 12/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\msgfix.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Try to download and install AVG anti-virus.

http://free.grisoft.com/softw/70free/setup/avg70free_289a392.exe

If you can access this url and get it installed you'll have to disable Norton(Symantec) to run a scan. Run it and it should find and remove your virus.

Maybe you are getting re-infected from a PC on the network?

Maybe you are getting re-infected from a PC on the network?
I don't know how to tell if I am. I ran silent runners here is a log

"Silent Runners.vbs", revision 27, launched at: 12:25
Operating System: Windows 2000


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~2\VPTray.exe" ["Symantec Corporation"]
"Kaspersky Antivirus" = "KasperskyAV.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\system32\NETSHELL.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\system32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "stobject.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "NavLogon\DLLName" = "C:\WINNT\system32\NavLogon.dll" ["Symantec Corporation"]


Startup items in "revcobb" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"At1" -> launches: "msgfix.exe" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Application Management, AppMgmt, "C:\WINNT\system32\services.exe" [MS]
Automatic Updates, wuauserv, "C:\WINNT\system32\svchost.exe -k wugroup" {"C:\WINNT\System32\wuauserv.dll" [MS]}
Background Intelligent Transfer Service, BITS, "C:\WINNT\System32\svchost.exe -k BITSgroup" {"C:\WINNT\System32\qmgr.dll" [MS]}
COM+ Event System, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINNT\System32\services.exe" [MS]
DHCP Client, Dhcp, "C:\WINNT\System32\services.exe" [MS]
Distributed Link Tracking Client, TrkWks, "C:\WINNT\system32\services.exe" [MS]
DNS Client, Dnscache, "C:\WINNT\System32\services.exe" [MS]
Event Log, Eventlog, "C:\WINNT\system32\services.exe" [MS]
IPSEC Policy Agent, PolicyAgent, "C:\WINNT\System32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINNT\System32\services.exe" [MS]
Messenger, Messenger, "C:\WINNT\System32\services.exe" [MS]
Network Connections, Netman, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\netman.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINNT\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINNT\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINNT\system32\services.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINNT\system32\svchost -k rpcss" {"C:\WINNT\system32\rpcss.dll" [MS]}
Remote Registry Service, RemoteRegistry, "C:\WINNT\system32\regsvc.exe" [MS]
Removable Storage, NtmsSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\NtmsSvc.dll" [MS]}
RunAs Service, seclogon, "C:\WINNT\system32\services.exe" [MS]
SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]
Security Accounts Manager, SamSs, "C:\WINNT\system32\lsass.exe" [MS]
Server, lanmanserver, "C:\WINNT\System32\services.exe" [MS]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
System Event Notification, SENS, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\sens.dll" [MS]}
Task Scheduler, Schedule, "C:\WINNT\system32\MSTask.exe" [MS]
TCP/IP NetBIOS Helper Service, LmHosts, "C:\WINNT\System32\services.exe" [MS]
Telephony, TapiSrv, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\tapisrv.dll" [MS]}
Windows Management Instrumentation, WinMgmt, "C:\WINNT\System32\WBEM\WinMgmt.exe" [MS]
Windows Management Instrumentation Driver Extensions, Wmi, "C:\WINNT\system32\Services.exe" [MS]
Workstation, lanmanworkstation, "C:\WINNT\System32\services.exe" [MS]

"Kaspersky Antivirus" = "KasperskyAV.exe" [file not found]

That is bestfriends

"Kaspersky Antivirus" = "KasperskyAV.exe" [file not found]

That is bestfriends
So bestfriends is gone? I haven't had it pop up at all but what about the msgfix.exe? It says nul datal what does that mean?

Sorry, it has been a long time since anyone has helped you, are you still having problems? If so, please post a fresh HJT log and we will keep helping you.

Dexter...