dlh6213
Posting Maven
Team Colleague
3,117 posts since Jul 2004
Reputation Points: 63
Solved Threads: 214
Hardware and Software
>
Microsoft Windows
>
Viruses, Spyware and other Nasties
>
Possible spy/adware problem
Have something to say? Contribute New Article Reply to this Article Possible spy/adware problem
I have a annoying problem with IE6. Sometimes a blank page pops up and it will not close before I reboot or close it about 10-15 times. It occurs when I klick on a link in outlook express or if I run virus scan. Therefore I think it maybe can be a infection or malware or something. I have run adaware, microsofts beta security program, but it just continue to pop up. I put in my HJ log here if you maybe can pin down some problem for me please.
Logfile of HijackThis v1.99.1
Scan saved at 23:22:32, on 04.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Opera\Opera.exe
C:\DOCUME~1\PEROGA~1\LOKALE~1\Temp\Midlertidig mappe 3 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [awvycup] c:\windows\system32\awvycup.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Documents and Settings\Per og Ade\Mine dokumenter\iridium.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: Dialpad Webphone - https://televoip.dialpad.com/md/update/cham.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://rawflow.streamguys.net/rawflow/app/2.1.12.0/Rawflow.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106842191468
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
I did as you said. Here is the result.
Logfile of HijackThis v1.99.1
Scan saved at 10:48:59, on 05.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Outlook Express\msimn.exe
C:\DOCUME~1\PEROGA~1\LOKALE~1\Temp\Midlertidig mappe 5 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [awvycup] c:\windows\system32\awvycup.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Documents and Settings\Per og Ade\Mine dokumenter\iridium.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: Dialpad Webphone - https://televoip.dialpad.com/md/update/cham.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://rawflow.streamguys.net/rawflow/app/2.1.12.0/Rawflow.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106842191468
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
It might be actual to mention that I had some problems with the IE6 before regarding hosts and runed Hoster. After that ie opens first as a small window and then maximizes.
Sometimes it did stay small and I tryed all the suggestions regarding window size on daniweb. But now I use a tool called Ie new window maximizer.
You still have HijackThis in a Temp folder (C:\DOCUME~1\PEROGA~1\LOKALE~1\Temp\Midlertidig mappe 5 for hijackthis.zip\HijackThis.exe); it should be in it's own permanent folder so it, and the backups it will create, don't accidently deleted.
You may wish to consider disabling CTHELPER.EXE -- quote from sysinfo:
CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it.
Please post a new log after you move HJT into a new folder.
dlh6213
Posting Maven
Team Colleague
3,117 posts since Jul 2004
Reputation Points: 63
Solved Threads: 214
Now I think it`s right.
Logfile of HijackThis v1.99.1
Scan saved at 09:39:44, on 06.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Per og Ade\Mine dokumenter\Install og nytte\Hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [awvycup] c:\windows\system32\awvycup.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Documents and Settings\Per og Ade\Mine dokumenter\iridium.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: Dialpad Webphone - https://televoip.dialpad.com/md/update/cham.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://rawflow.streamguys.net/rawflow/app/2.1.12.0/Rawflow.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106842191468
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
You still have HijackThis in a Temp folder (C:\DOCUME~1\PEROGA~1\LOKALE~1\Temp\Midlertidig mappe 5 for hijackthis.zip\HijackThis.exe); it should be in it's own permanent folder so it, and the backups it will create, don't accidently deleted.
You may wish to consider disabling CTHELPER.EXE -- quote from sysinfo:
CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it.
Please post a new log after you move HJT into a new folder.
I just ran this CWShredder and it caused in the end, after klicking the fix button, for this blank page to appear again. Can it be this you mention, CTHELPER, that cause this? It is extremly annoying!
Anyway, good at least to have a forum to attend.
1. I'm not sure what did happen when you ran CWShredder, but CTHELPER probably wasn't the cause.
2. Have HijackThis fix:
O4 - HKLM\..\Run: [awvycup] c:\windows\system32\awvycup.exe
3.Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".
Locate and delete the c:\windows\system32\awvycup.exe file.
4. Empty your Recycle Bin, reboot, and post a new HJT log.
DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
Again I did like you said.
Logfile of HijackThis v1.99.1
Scan saved at 20:54:08, on 06.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\Outlook Express\msimn.exe
C:\Documents and Settings\Per og Ade\Mine dokumenter\Install og nytte\Hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Documents and Settings\Per og Ade\Mine dokumenter\iridium.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: Dialpad Webphone - https://televoip.dialpad.com/md/update/cham.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://rawflow.streamguys.net/rawflow/app/2.1.12.0/Rawflow.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106842191468
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
And when I cliked the link for the forum in your reply, two windows open. One blank and one with the forum.The difference now is that it seem to close on the first atempt, the blank one I mean.
And when I cliked the link for the forum in your reply, two windows open. One blank and one with the forum.The difference now is that it seem to close on the first atempt, the blank one I mean.
No it doesent close...Irritating thing this!
I don't know if it will cure your specific problem, but you can try running IEFix .
It would probably be a good idea to uninstall the Window Maximizer before running IEFix, as it might cause conflicts with IEFix's repair process.
DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
It did not help. But I suspect maybe it can be a registry problem. Iget this mmc.exe program error message where it say memory cant be read. I read some on microsoft that this also had some connection to outlook express and IE. What do you think?
Iget this mmc.exe program error message where it say memory cant be read.
Can you give us specifics on that please (when do you get message, what theexact text of the message is, etc.)?
DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
It occurs when I open admin tools for example. The error message says: The instruction in "0x7c9105f8"reffers to adress "0x00940010". Memory could not be read. Klick ok to finish the program.
This is in Norwegian, so i have translated the best I could. Every time I use something that use mmc this message appears.
It occurs when I open admin tools for example. The error message says: The instruction in "0x7c9105f8"reffers to adress "0x00940010". Memory could not be read. Klick ok to finish the program.
This is in Norwegian, so i have translated the best I could. Every time I use something that use mmc this message appears.
It occurs also when I run diskeeper light naturally because it also use mmc.exe, right?
I just found out that it possible is something wrong with sysedit.exe too. It will not open I get a error message like this: C:\windows\system32\autoexec.NT. System file does fit for MS-DOS- and windows programs.
Pretty messed up I understand now. Maybe a reinstall is in order?
I just found out that it possible is something wrong with sysedit.exe too. It will not open I get a error message like this: C:\windows\system32\autoexec.NT. System file does fit for MS-DOS- and windows programs.
Pretty fucked up I understand now. Maybe a reinstall is in order?
I realizenI have some spelling error here. It should be: does not fit...
And maybe this has developed to a different place in the tech talk?
The autoexec.nt error translates as follows:
"C:\windows\system32\autoexec.NT. The System file is not suitable for running MS-DOS and MS-Windows applications. Choose "Close" to terminate the application".
That error can be the result corruption or modification to that file, perhaps done by the infection(s) you had. Reinstalling a fresh copy of the file is usually the recommended first approach; there are a few ways to do this:
1. A backup copy of the file might exist in your C:\Windows\repair folder. If so, replace the autoexec.NT file in \system32 with a copy of the one in the repair folder.
2. Run the System File Checker. It will scan for missing or corrupt system files (you may have more than one) and if any are found, it will prompt you to insert your XP CD and will extract fresh copies of the file(s) from there.
If you don't have the XP CD, but you do have a C:\Windows\i386 folder on your machine, point the File Checker to that folder; fresh copies of the file(s) it needs may exist in that location.
To run the System File Checker, click on the "Run..." option in your Start menu and type the following command in the "Open:" box:
sfc /scannow
3. You can try to repair the damage manually by extrracting fresh copies of autoexec.NT and gtwo other core files:
Insert your XP installation CD, open an MS-DOS window, and type the following three commands (hit Enter after each):
expand e:\i386\config.nt_ c:\windows\system32\config.nt
expand e:\i386\autoexec.nt_ c:\windows\system32\autoexec.nt
expand e:\i386\command.co_ c:\windows\system32\command.com
Obviously, substitute your CD's drive letter if it is not "E:"
DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
It fixed the sysedit problem, exept that I got a message that said: c:\autoexec.bat. can not open this file. The problem wit mcc program error is still there. This blank page thing seem to be gone. So far so good. Any suggestions on that?(mmc.exe) I will try to translate as good as possible. It pops up a message who says:
mmc.exe - program error.
Isntruction in "0x7c9105f8" reffered to adress "0x00940010". Memory could not be read.
Klick ok to finish the program.
What do you think?
And thank you very much for all help so far.
This article has been dead for over three months
You
© 2012 DaniWeb® LLC
