Archived from groups: microsoft.public.windowsxp.help_and_support
You guys are awesome! It seems to be fixed, thanks to all of your advice. I
truly appreciate your help. Just for the sake of being careful, here is the
new Hijack log and I would appreciate it if you would give it the once over
and see how it looks to you.
Logfile of HijackThis v1.99.1
Scan saved at 12:22:13 AM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguiexe.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\HijackThis.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Michelle\Application Data\Mozilla\Profiles\default\xt341en2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Michelle\Application Data\Mozilla\Profiles\default\xt341en2.slt\prefs.js)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F556A6EE-5601-493D-9829-965DFF511307} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F556A6EE-5601-493D-9829-965DFF511307} - (no file) (HKCU)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114712068768
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: F-Secure product (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
Thanks again!
KP
"Ken Pryor" wrote:
> Sorry I haven't checked back in till now. My ISP has been down. I'm at work
> right now, but will check on all mentioned above tonight hopefully and will
> advise. Thanks very much for the help.
> KP
>
> "pcbutts1" wrote:
>
> > Another thing I noticed is that the version of HijackThis you used is not
> > current and it looks as if you may have run it in safe mode. Download the
> > current version from here and run it while booted in normal mode. Post the
> > results.
> > HijackThis
> > http://www.pcbutts1.com/downloads/HijackThis.zip
> >
> > --
> > The best live web video on the internet http://www.seedsv.com/webdemo.htm
> > NEW Embedded system W/Linux. We now sell DVR cards.
> > See it all at http://www.seedsv.com/products.htm
> > Sharpvision simply the best http://www.seedsv.com
> >
> > "Ken Pryor" <KenPryor@discussions.microsoft.com> wrote in message
> > news:5666F40F-BB66-493E-88E4-6EC9B8A1B6A8@microsoft.com...
> > > To: PCButts
> > > I missed your post above at first. I followed your instructions, but the
> > > problem is as soon as I delete or rename iexplore, a new copy of it is
> > > automatically placed in the folder to replace it.
> > > Thanks!
> > > KP
> > >
> > > "Ken Pryor" wrote:
> > >
> > >> Thanks everyone. Well, after running yet another virus scanner, I have
> > >> discovered another trojan and another virus that the other virus scanners
> > >> did not find. I suspect this is the problem. I'm leaning towards
> > >> recommending a format to the owner of this machine.
> > >> KP
> > >>
> > >> "RJ" wrote:
> > >>
> > >> >
> > >> >
> > >> > cs_satan@cnns.net wrote:
> > >> > > I think the reason is that the virus is related to your iexplore.exe.
> > >> > > When you run your IE, the virus is running again. You need to repair
> > >> > > your IE; Security Expert can help you. Go to
> > >> > > http://securityexpert.cnns.net/IErepair.htm to know more.
> > >> >
> > >> > Can you run explorer.exe via the task manager?
> > >> >
> > >> >
> >
> >
> >