OK Head Hurts. What have I missed?

PressX
edited January 2005 in Spyware & Virus Removal
Have been doing too many things today and cannot see what I have missed here:

I think I have most of it covered, but there still seems to be something in here?

Any thoughts would be great, guys...

Logfile of HijackThis v1.99.0
Scan saved at 22:22:48, on 24/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Jude\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [CZFMDXPK] C:\PROGRA~1\FDD_FM~1\CZFMDXPK.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Relay Manager] prcgnv.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [Win32 FRT Driver] msfr32.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [Microsoft Services] C:\WINDOWS\system32\bsc32.exe
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Windows TM] rundlI32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [Microsoft Relay Manager] prcgnv.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [window2] wintime.exe
O4 - HKLM\..\RunServices: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Win32 FRT Driver] msfr32.exe
O4 - HKLM\..\RunServices: [Microsoft Services] C:\WINDOWS\system32\bsc32.exe
O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Windows TM] rundlI32.exe
O4 - HKLM\..\RunOnce: [Windows TM] rundlI32.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [window2] wintime.exe
O4 - HKCU\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [Win32 FRT Driver] msfr32.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [Windows TM] rundlI32.exe
O4 - HKCU\..\RunOnce: [Windows TM] rundlI32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: CZFMDSER.EXE - Unknown - C:\PROGRA~1\FDD_FM~1\CZFMDSER.EXE
O23 - Service: HP Deskjet 500 - Unknown - C:\WINDOWS\System32\HP_DeskJet_500.exe (file missing)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: MD Simple Burner Service - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Comments

  • Buckeye_Sam Columbus, Ohio
    edited January 2005
    You still have a few somethings there.

    Show hidden files
    http://www.short-media.com/forum/showpost.php?p=172588&postcount=3



    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O4 - HKLM\..\Run: [Microsoft Relay Manager] prcgnv.exe
    O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
    O4 - HKLM\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
    O4 - HKLM\..\Run: [Task Help] wualcts.exe
    O4 - HKLM\..\Run: [Win32 FRT Driver] msfr32.exe
    O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
    O4 - HKLM\..\Run: [Microsoft Services] C:\WINDOWS\system32\bsc32.exe
    O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
    O4 - HKLM\..\Run: [Windows TM] rundlI32.exe
    O4 - HKLM\..\RunServices: [Microsoft Relay Manager] prcgnv.exe
    O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
    O4 - HKLM\..\RunServices: [window2] wintime.exe
    O4 - HKLM\..\RunServices: [HP Deskjet 500] HP_DeskJet_500.exe
    O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
    O4 - HKLM\..\RunServices: [Win32 FRT Driver] msfr32.exe
    O4 - HKLM\..\RunServices: [Microsoft Services] C:\WINDOWS\system32\bsc32.exe
    O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
    O4 - HKLM\..\RunServices: [Windows TM] rundlI32.exe
    O4 - HKLM\..\RunOnce: [Windows TM] rundlI32.exe
    O4 - HKCU\..\Run: [window2] wintime.exe
    O4 - HKCU\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
    O4 - HKCU\..\Run: [Task Help] wualcts.exe
    O4 - HKCU\..\Run: [Win32 FRT Driver] msfr32.exe
    O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
    O4 - HKCU\..\Run: [Windows TM] rundlI32.exe
    O4 - HKCU\..\RunOnce: [Windows TM] rundlI32.exe



    Reboot your computer into Safe Mode



    Then delete these files or directories (Do not be concerned if they do not exist). Be careful of the exact spelling as you will find some similarly named files that are legit.

    rundlI32.exe
    crmss.exe
    msfr32.exe
    wualcts.exe
    HP_DeskJet_500.exe
    wintime.exe
    C:\WINDOWS\system32\bsc32.exe
    winmedplay.exe
    prcgnv.exe
    C:\WINDOWS\TEMP\msvcreal.exe




    Delete temp files

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the Recycle Bin.



    Reboot back to normal mode.



    Please run these two online scans.
    Make sure they are set to clean automatically:

    http://housecall.trendmicro.com/

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    If there are files that cannot be removed by the scans, please include that information in your next post.



    Reboot once more and post a new HijackThis log.
  • PressX
    edited January 2005
    You still have a few somethings there.

    Thanks for that. After I had some sleep I went back and found the other stuff. I missed one which you pointed out, though. :rolleyes: Viruses, mainly. Thanks for your time. Sometimes it needs a second pair of eyes, especially working late... :o

    Good job!
  • Buckeye_Sam Columbus, Ohio
    edited January 2005
    Glad to help out. :D
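Buckeye_Sam's list of entries to fix, and his warning to check the exact spelling because similarly named legitimate files exist, illustrate the signals a helper reads from the O4 section of a log: a bare filename with no path, a Microsoft-sounding display name, an image living in TEMP, the same name registered in several autostart locations, and a lookalike name (the log's rundlI32.exe uses a capital I where rundll32.exe has an l). The script below is an added example written for this page; it is not code from the thread or from the HijackThis project. It parses O4 lines copied from the log above and ranks the executables with those heuristics. The weights, the threshold and the small allow-list of system binaries are my own assumptions, chosen to order entries for a human reviewer rather than to issue a verdict.

```python
"""Triage heuristics for HijackThis O4 (autostart) entries.

Added example for this thread, not code from the forum or from the
HijackThis project. The sample lines are copied from the log posted
above; the scoring rules, weights and the 2-point threshold are my own
assumptions and only rank entries for a human to look at.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Microsoft Relay Manager] prcgnv.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [Windows TM] rundlI32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Windows TM] rundlI32.exe
O4 - HKLM\..\RunOnce: [Windows TM] rundlI32.exe
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [Windows TM] rundlI32.exe
O4 - HKCU\..\RunOnce: [Windows TM] rundlI32.exe
"""

# "O4 - <hive>\..\<key>: [<display name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# First (optionally quoted) token ending in .exe; arguments after it are ignored.
EXE_RE = re.compile(r'"?([^"]+?\.exe)"?', re.IGNORECASE)

# Assumed allow-list of well-known Windows binaries that malware names imitate.
KNOWN_SYSTEM = {"rundll32.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                "services.exe", "winlogon.exe", "explorer.exe"}
# Characters commonly swapped in to build a lookalike: capital I or 1 for l, 0 for o.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})


def parse_o4(log):
    """Yield (hive, key, display_name, image_path) for every O4 registry entry."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        e = EXE_RE.match(cmd)
        if e:
            yield hive, key, name, e.group(1)


def lookalike_of(exe):
    """Return the system binary this name imitates after homoglyph folding, or None."""
    if exe.lower() in KNOWN_SYSTEM:
        return None
    normalised = exe.translate(HOMOGLYPHS).lower()
    return normalised if normalised in KNOWN_SYSTEM else None


def score_entries(log):
    """Return {exe_name: (score, [reasons])} for every executable referenced by O4 lines."""
    by_exe = defaultdict(list)
    for hive, key, name, path in parse_o4(log):
        by_exe[path.rsplit("\\", 1)[-1]].append((hive, key, name, path))

    results = {}
    for exe, occurrences in by_exe.items():
        score, reasons = 0, []
        paths = {p for _, _, _, p in occurrences}
        names = {n for _, _, n, _ in occurrences}
        bare = any("\\" not in p for p in paths)
        if bare:
            score += 1
            reasons.append("bare filename, no path recorded")
        if bare and any(re.search(r"microsoft|windows|win32", n, re.I) for n in names):
            score += 1
            reasons.append("Microsoft-themed display name with no path")
        if any("\\temp\\" in p.lower() for p in paths):
            score += 2
            reasons.append("image lives in a TEMP directory")
        target = lookalike_of(exe)
        if target:
            score += 3
            reasons.append(f"name is a lookalike of {target}")
        locations = {(h, k) for h, k, _, _ in occurrences}
        if len(locations) >= 2:
            score += 2
            reasons.append(f"registered in {len(locations)} autostart locations")
        results[exe] = (score, reasons)
    return results


def suspicious(log, threshold=2):
    """Executables at or above the threshold, highest score first."""
    scored = score_entries(log)
    return sorted((e for e, (s, _) in scored.items() if s >= threshold),
                  key=lambda e: -scored[e][0])


if __name__ == "__main__":
    ranked = sorted(score_entries(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0])
    for exe, (score, reasons) in ranked:
        print(f"{score:2d}  {exe:16s} {'; '.join(reasons) or 'nothing notable'}")
```

On the sample, rundlI32.exe scores highest because every heuristic fires on it, while NDSTray.exe is only flagged for lacking a path and stays below the threshold; a bare filename on its own is a weak signal, which is why the helper's advice is to compare spelling against the legitimate file rather than to delete on the name alone.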