windows closing uncommanded


piton
3rd Jul 2004, 09:23
All of a sudden my computer is closing my current window if I click on a link - so I am unable to have several windows open at once. This was not happening yesterday and I haven't installed any software or changed anything that I am aware of. I am using XP.

Any suggestions???? :confused:

E-Liam
3rd Jul 2004, 10:42
Hi Piton,

Could be IE getting old.. :)

Try a repair. Click on Start | Settings | Control Panel | Add/Remove Programs, then scroll down the list and highlight Internet Explorer 6.0 and Internet Tools by clicking once. A button will illuminate under the list saying Add/Remove program. Click on that and then click on the option to Repair, and click OK.

Sometimes that option doesn't work. If so, try this way...

Go to Start | Programs | Accessories | System Tools | System Information | Tools (On menu bar) | Internet Explorer Repair Tool and do it from there.

See how you get on with that.

Cheers

Liam

piton
3rd Jul 2004, 11:36
When I go to Add/Remove programs the listing is

Internet Explorer Q831167

and there is no option to repair - just remove!

For your second option the Tools menu also does not contain an IE repair tool option! Could I have an old version of XP or something?

I tried a system restore and that seems to have done the trick for now - I guess I'll just have to wait and see what goes wrong next!

E-Liam
3rd Jul 2004, 12:05
Hi Piton,

That Q831167 is a patch, so it wouldn't have worked. :) I'm surprised that option 2 didn't work, but without an XP machine to check, I don't know why?

Still, if it's working now then all's well. :ok:

Cheers

Liam

piton
3rd Jul 2004, 12:26
Well thanks for trying Liam! :D

cheers

piton

deltafoxtrot
8th Jul 2004, 23:47
Hi, I am having a problem with the open windows dropping out too. It has been happening for a while and is getting worse all the time. I also have no repair option in either of the places you suggested, Liam (and the same patch as piton).

I looked at system repair, but I can't get that to open beyond the last restore point, and it would need to be restored way before that to work better.

As far as I can tell IE is all up to date (latest version etc.).

This problem is starting to drive me crazy.
:(

Thanks, Delta

E-Liam
9th Jul 2004, 11:47
Hi Delta, and Piton,

Let's see what's happening on your machines.. :)

Please download 'Hijack This!' from here (http://www.thespykiller.co.uk/), unzip, and place it in its own folder (not in the temp folder, or on the desktop). Double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

Please disable smileys before posting.

Cheers

Liam

BOAC
9th Jul 2004, 14:29
Yep! It's started happening here too! W2000, IE6. Spooky, or what?

deltafoxtrot
11th Jul 2004, 01:30
Hi Liam, here is the log file. There are a couple of things in there that I thought had been removed from the system... interesting, not that I really understand it, hee hee.

Also, when I was trying to open HijackThis, Norton kept detecting a malicious script (as I opened My Computer), and when I OK'd it to close it, it shut down Active Desktop as well. Eventually it all worked OK.

Thanks heaps for your help

delta



Logfile of HijackThis v1.98.0
Scan saved at 11:07:14 AM, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-au\msnappau.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\WINDOWS\System32\LVComS.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll
O2 - BHO: prjBHO_New.CBrowserHelpObj - {A2E1AE65-BB68-11D6-B1B2-96787719A248} - C:\Program Files\Simcast Media\Simcast\Simcast.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-au\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-au\msntb.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Simcast] C:\Program Files\Simcast Media\Simcast\SimcastAlerts.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-au\msnappau.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: StarUpdater.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.digichat.com
O15 - Trusted Zone: *.Staffcv.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.simcast.com.au/install/Install.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9F66891-694B-4F48-944B-BB81AF4C74C6}: NameServer = 203.194.56.150 203.194.27.57

E-Liam
11th Jul 2004, 07:52
Hi Delta,

The first thing you need to do is stop one of the AV programs from running. No need to get rid of either, as you always have a backup should it be needed, but two running together will quite possibly cause conflicts.

I would also highly recommend getting rid of Messenger+3. See here (http://www.spywareinfo.com/newsletter/archives/june-2003/3.php) for info.

Now, please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - Startup: StarUpdater.exe.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O15 - Trusted Zone: http://www.digichat.com

O15 - Trusted Zone: *.Staffcv.com

O15 - Trusted Zone: http://*.windowsupdate.com

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\Windows\Temp (or C:\WINNT\Temp) folder, but not the folder itself. Next please find and delete the following bolded folder...

C:\Program Files\Save

Then please boot back into normal mode and download AdAware 6 181 from here (http://www.lavasoftusa.com/support/download/).

Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.

Now to set it up for optimum performance...

Make sure the following settings are configured. Remember that ON=GREEN.

From main window click Start | Activate in-depth scan.

Then click Use custom scanning options | Customize and have these options switched ON...

Scan within archives
Scan active processes
Scan registry
Deep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files

Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..

Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.

and uncheck..

Automatically try to unregister objects prior to deletion.

Then click Proceed, to save your settings.

Now click the Scan button.

When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them.


Next, reboot again and download Spybot - Search & Destroy 1.3 from here (http://security.kolla.de).
Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next reboot and go here (http://housecall.trendmicro.com/housecall/start_corp.asp), and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log for a final once over.

Cheers

Liam

piton
11th Jul 2004, 11:35
Hello again Liam - here is my log file - Help!

Liz (piton)

Logfile of HijackThis v1.98.0
Scan saved at 12:32:33, on 11-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\ADSLUS~1\BIN\WIN2K\tidslmon.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\sllights.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\explorer.exe
C:\unzipped\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Visual Marks - {3F753E5A-DF80-4850-801C-35880F80756C} - C:\PROGRA~1\VISUAL~1\VMarks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\ADSLUS~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{329C6D93-3423-483C-B3A6-B47CFB5D0D4A}: NameServer = 195.92.195.95 195.92.195.94

E-Liam
12th Jul 2004, 12:09
Hi Liz,

Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\Windows\Temp (or C:\WINNT\Temp) folder, but not the folder itself. Next please find and delete the following bolded files...

C:\Program Files\TV Media

Then please boot back into normal mode and download AdAware 6 181 from here (http://www.lavasoftusa.com/support/download/).

Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.

Now to set it up for optimum performance...

Make sure the following settings are configured. Remember that ON=GREEN.

From main window click Start | Activate in-depth scan.

Then click Use custom scanning options | Customize and have these options switched ON...

Scan within archives
Scan active processes
Scan registry
Deep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files

Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..

Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.

and uncheck..

Automatically try to unregister objects prior to deletion.

Then click Proceed, to save your settings.

Now click the Scan button.

When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them.


Next, reboot again and download Spybot - Search & Destroy 1.3 from here (http://security.kolla.de), if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next, please reboot and post a new log for a final once over.

Cheers

Liam
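
As an added example (not from the thread and not part of HijackThis), here is a small Python triage script for HJT v1.98-style logs like the ones posted above. It flags the same kinds of entries Liam picked out in his two replies: URLSearchHooks with no file behind them, Trusted Zone additions, O16 ActiveX downloads fetched from a bare IP address, the adware startup entries named in the thread, and two resident antivirus engines running at once. The adware path hints and AV process names are assumed from this thread only, and the sample log is a constructed excerpt of the logs posted above.

```python
"""Triage helper for HijackThis v1.98-style logs (added example, not HJT's own code)."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Section code, " - ", then the entry body, e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")

# Startup entries the thread identified as adware/unwanted (assumption: partial list).
ADWARE_HINTS = ("\\Save\\Save.exe", "\\TV Media\\Tvm.exe", "BackWeb-")

# Resident AV engines seen in the thread's logs (assumption: partial list).
AV_PROCESSES = {"navapsvc.exe": "Norton AntiVirus", "avgserv.exe": "AVG 6",
                "nvcoas.exe": "Norman"}

# Constructed excerpt of the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Save\Save.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: StarUpdater.exe.lnk = ?
O15 - Trusted Zone: *.Staffcv.com
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
"""


def parse_log(text):
    """Split an HJT log into its running-process list and (code, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first Rx/Oxx line ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def host_is_bare_ip(url):
    """True when the URL's host is a literal IP address rather than a hostname."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(text):
    """Return (code, reason, body) tuples for entries that deserve a second look."""
    parsed = parse_log(text)
    findings = []
    for code, body in parsed["entries"]:
        if code == "R3" and "(no file)" in body:
            findings.append((code, "orphaned URLSearchHook", body))
        elif code == "O15":
            findings.append((code, "site added to Trusted Zone", body))
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1]   # the download URL is the last field
            if host_is_bare_ip(url):
                findings.append((code, "ActiveX download from bare IP", body))
        elif code == "O4":
            if any(hint in body for hint in ADWARE_HINTS):
                findings.append((code, "known adware startup entry", body))
            elif body.endswith("= ?"):
                findings.append((code, "startup shortcut with unknown target", body))
    # Two resident AV engines at once was the first thing Liam told Delta to fix.
    running = {n: v for n, v in AV_PROCESSES.items()
               if any(p.lower().endswith("\\" + n) for p in parsed["processes"])}
    if len(running) > 1:
        findings.append(("PROC", "multiple resident AV engines: "
                         + ", ".join(sorted(running.values())), ""))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:5} {reason}: {body}")
```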

deltafoxtrot
13th Jul 2004, 00:55
Hi Liam, here is the logfile after following your instructions. I am still having problems with the malicious script when I open My Computer; I am not sure what to do about that. Also, I am not sure if AVG has stopped running, though I disabled everything I could see.

Thanks for your help

Delta


Logfile of HijackThis v1.98.0
Scan saved at 10:50:13 AM, on 13/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-au\msnappau.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\LVComS.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll
O2 - BHO: prjBHO_New.CBrowserHelpObj - {A2E1AE65-BB68-11D6-B1B2-96787719A248} - C:\Program Files\Simcast Media\Simcast\Simcast.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-au\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-au\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Simcast] C:\Program Files\Simcast Media\Simcast\SimcastAlerts.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-au\msnappau.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.simcast.com.au/install/Install.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9F66891-694B-4F48-944B-BB81AF4C74C6}: NameServer = 203.194.56.150 203.194.27.57

E-Liam
13th Jul 2004, 17:01
Hi Delta,

You've still got AVG running there. Go to Start | Run and type in msconfig. Click OK, and then scroll down the list and uncheck..

Avgcc32 (may be AVG_CC)

Avgserv.exe (may be Avgserv9.exe)

Reboot, and that will stop AVG from running. Then let me know if you still get the script.

I also just reread my post concerning a repair of IE.. a typo has reared its ugly head.. :(

Please have another look at the program list in Add/Remove Programs for..

Microsoft Internet Explorer 6.0 and Internet Tools

Still, at least we know that all the malware has been cleared from the machine now, so if the above hasn't done it, then we are probably looking at a reinstall of IE6.

Cheers

Liam

deltafoxtrot
14th Jul 2004, 07:30
Hi Liam, thanks so much for your help with this. The malicious script seems to be OK (hopefully). It is fantastic to get rid of that Save thing...

Windows are still closing, so I assume it must be an IE issue. I went to Add/Remove Programs and there is nothing under Microsoft Internet Explorer, so I may have to reinstall it. Help!! :D

Also, the system config is opening on Selective. Do I need to change it back to Normal? And should I change the hidden folders and OS files back to hidden?


Ta

Delta

Naples Air Center, Inc.
14th Jul 2004, 14:01
deltafoxtrot,

Since you are still having Windows close on you, I was wondering if you ever had a destructive Virus on your computer? It is possible that a Virus damaged your OS System Files.

Take Care,

Richard

deltafoxtrot
15th Jul 2004, 06:57
Hi Richard, yes it is possible. In Feb AVG detected the JS/Psyme virus (2 variations) and a dialler. Norton didn't detect these, and it was at the suggestion of a friend, when I mentioned my computer going nuts, that I ran AVG. This is why I had the 2 AVs. I have no idea if this caused any damage. It is in AVG's virus vault; I don't know if that means it has fixed any problem caused or what. I tried to find info about it but there doesn't seem to be much.

I thought the windows closing had started about the time I installed Sun Java, but this was about the same time as the virus (maybe a little bit later). The windows are closing when you click a link (sometimes, and also blank windows open often rather than the one you want), and mostly when you close one window, it closes the lot. It is definitely getting worse. I didn't know if this was just something that happens sometimes or if it is something that's fixable.

I am still having the malicious script notice when I try to access My Computer (or My Docs or My Pics) from the Start menu. It says it's a file system object -- activity: open text file, file: explorer.exe. This has only recently started happening, though I have had the warning before, but very occasionally on open internet windows. Now it is also occurring when I open web pages, grrrrrrrr.

Thanks heaps for your interest. It is so frustrating when you have no idea if something is a problem or just a part of the whole deal.

Delta

Naples Air Center, Inc.
15th Jul 2004, 15:40
deltafoxtrot,

You could spend many hours and days messing around, trying to get your OS back and there is a chance you will not get it back to 100% again. I think it would be worth doing a fresh install. Just have all your drivers downloaded before you start the install and it will save you a lot of time.

Get the latest drivers from the net and have them on a CD so you can load them as soon as you finish the install.

Take Care,

Richard