HELP!!!! Can't run anything

Avast Free Antivirus / Premium Security
21

Yes, I believe I’m clean now. Thanks to everyone who pitched in to help. I’ll definately be spreading the news about avast! The theory of providing free virus protection to the home users is brilliant. I could never afford to pay for 5 copies plus the updates $$$ to protect all of my home computers. I have them all over the house for convienence to me. Thanks again to everyone.

^Hawk^

22

Please search the registry for AHKRXBO.exe and say where it was found. You may have to do that in safe mode

23

Registry says it’s in C:\windows. What is this file? Should I be worried? :o

24

yes, a bit. In which regkeys was it found? You may try to let hijack fix the entry in safe mode

25

LocalMachine_Software_microsoft_windows_currentversion_run

26

If it is only there, let Hijack this fix it in safe mode and try to find the file

27

Ok Hijack fixed this, and now it no longer shows up in the hijack log. The file is nowhere to be found on my system.

28

Nice to here. Please post n actual HJT Log to see if everything is gone!

29

OK here’s the latest

30

hello…if I post my hijack this log…do I need to delete anything first…personal information?
thanks,
cojo

31

i dont think hijackthis displays passwords or account info

32

ok…here goes…'course everyone is sleeping now ;D

Logfile of HijackThis v1.97.7
Scan saved at 8:38:31 PM, on 1/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashdisp.exe
C:\Program Files\Alwil Software\Avast4\ashmaisv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DONNA HOLT\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O1 - Hosts: 127.98.9.1 b9.127.0.0.1.b9
O1 - Hosts: 127.98.9.2 b9.127.0.0.1
O1 - Hosts: 127.98.9.3 www.bellsouth.net.b9
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL (file missing)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM..\Run: [IntelliType] “C:\Program Files\Microsoft Hardware\Keyboard\type32.exe”
O4 - HKLM..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM..\Run: [Lexmark X74-X75] “C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe”
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [Ad-watch] “C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe”
O4 - HKLM..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM..\Run: [diagent] “C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe” startup
O4 - HKLM..\Run: [ccRegVfy] “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe”
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [ConMgr.exe] “C:\Program Files\EarthLink 5.0\conmgr.exe”
O4 - HKLM..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Ad-watch.lnk = ?
O4 - Startup: BCMSMMSG.lnk = ?
O4 - Startup: diagent.lnk = ?
O4 - Startup: IntelliType.lnk = ?
O4 - Startup: nwiz.lnk = ?
O4 - Startup: UpdReg.lnk = C:\WINDOWS\Updreg.EXE
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O9 - Extra button: Look for Spybot-S&&D updates (HKLM)
O9 - Extra ‘Tools’ menuitem: Look for Spybot-S&&D updates (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O15 - Trusted Zone: http://www.avast.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://*.lighthouse.com
O15 - Trusted Zone: .passport.net
O15 - Trusted Zone: http://.securityplace.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - http://www.support.fastaccess.com/sdccommon/download/tgctlpw.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1064673232437
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2678f4b3a8619fb4c522/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {86CEEAFA-AE5C-11D4-A4C8-00A0C9E79206} (ActiveXDemo Control) - http://www.finjan.com/mcrc/demos/ActiveXDemo.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37676.7180671296
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4307/mcfscan.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://install.wildtangent.com/bgn/partners/bellsouth/slyder/install.cab

cojo

33

I see no important info in there. raman will be along soon to tell you whats bad in it

34

ok, I shall wait for him to wake up ;D
cojo

35

There is nothing really dangerouse, but you maybe want to fix this:

O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL (file missing)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - Startup: UpdReg.lnk = C:\WINDOWS\Updreg.EXE

and if you do not know why, get this fixed too:
O1 - Hosts: 127.98.9.1 b9.127.0.0.1.b9
O1 - Hosts: 127.98.9.2 b9.127.0.0.1
O1 - Hosts: 127.98.9.3 www.bellsouth.net.b9

36

Probably not… But you can send it first to a friend of you (or anybody you trust) by email to ask his/her opinion. ;D

After this, you’ll be fine if you ask raman opinion about your hijack :wink:

37

Raman,
thank you so much!!

I will fix these immediately…

My respect and affection for everyone of the experts here on the forum grows daily.
All of you have contributed to my learning in different ways…and your support has been incredible.
With all my heart, I thank you!

cojo

38

Won’t you thank me? :cry:

39

yes, Technical, I do thank you very much!

so many have helped me…I am afraid to say individual names because I know that I will forget someone–and I don’t want to forget anybody!

cojo
who thanks everyone on the forums for their wonderful help…and I really do mean everyone.