0

I think after installing the patch for football manager i made a mess o my computer. I´m receiving an error messegge when i start windows and the system is slowing down. As i don´t know what to delete please I need somebodys help to know what to delete, my hijackthis logfile is the following.

Logfile of HijackThis v1.99.0
Scan saved at 04:10:06 p.m., on 15/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.exe
C:\TotalRecorder\TotRecSched.exe
C:\PestPatrol\PPControl.exe
C:\PestPatrol\PPMemCheck.exe
C:\PestPatrol\CookiePatrol.exe
C:\Archivos de programa\Pop-Up Stopper\PopUpStopperProfessional.exe
C:\windows\system32\srvany.exe
C:\windows\System32\tcpsvcs.exe
C:\windows\system32\resetservice.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KAVPersonal50] C:\Kaspersky Anti-Virus\kav.exe /minimize
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PestPatrol\CookiePatrol.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Archivos de programa\Pop-Up Stopper\PopUpStopperProfessional.exe"
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=bfef0b2a528b91928edcd29464b84891acceeb23d2ed0abe04b4c68c60f5f05401eb42c32da863452d9dcd3f6524f022e9cd782b033d9556373797521e465c0731:4bf9e5f754d65d14399f92c372c739a3
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105813478539
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\windows\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\windows\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Kaspersky Anti-Virus\kavsvc.exe
O23 - Service: DDE de red - Unknown - C:\windows\system32\netdde.exe
O23 - Service: Plug and Play - Unknown - C:\windows\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Reset 5 - Unknown - C:\windows\system32\srvany.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\windows\System32\vssvc.exe

Thanks for your help
Marcos from Buenos Aires (Argentina)

2
Contributors
3
Replies
4
Views
12 Years
Discussion Span
Last Post by callejeros
0

Sorry mi logfile is the following:

Logfile of HijackThis v1.99.0
Scan saved at 07:25:57 p.m., on 15/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.exe
C:\TotalRecorder\TotRecSched.exe
C:\Archivos de programa\Pop-Up Stopper\PopUpStopperProfessional.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\windows\system32\srvany.exe
C:\windows\system32\resetservice.exe
C:\windows\system32\tcpsvcs.exe
C:\windows\system32\wuauclt.exe
C:\eMule\emule.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Kaspersky Anti-Virus\kav.exe /minimize
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [PPMemCheck] C:\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PestPatrol\CookiePatrol.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Archivos de programa\Pop-Up Stopper\PopUpStopperProfessional.exe"
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=bfef0b2a528b91928edcd29464b84891acceeb23d2ed0abe04b4c68c60f5f05401eb42c32da863452d9dcd3f6524f022e9cd782b033d9556373797521e465c0731:4bf9e5f754d65d14399f92c372c739a3
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105813478539
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\windows\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\windows\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Kaspersky Anti-Virus\kavsvc.exe
O23 - Service: Plug and Play - Unknown - C:\windows\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Reset 5 - Unknown - C:\windows\system32\srvany.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\windows\System32\vssvc.exe

0

Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

C:\WINDOWS\System32\svcnet.exe
C:\WINDOWS\dxsetu.exe
c:\windows\winsock.scr
c:\windows\dxsetu.exe
c:\windows\system32\winlog.com
c:\windows\system32\dxwinex.exe

Reboot afterwards if the files are successfully deleted.

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

F2 - REG:system.ini: Shell=Explorer.exe winsock.scr

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...99f92c372c739a3
Blazefind Windupdates Adware

Reboot again and post another log.

0

To begin with, thank you for your help and sorry for my English.
When i tried to delete the files with kill box, the prg told me that those files didnt existed in my system. Could that be because i run the antivirus and deletes some files?
After that i did waht you told me with hijackthis and it was ok. My new logfile is:

Logfile of HijackThis v1.99.0
Scan saved at 11:20:04 p.m., on 16/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\TotalRecorder\TotRecSched.exe
C:\Archivos de programa\Pop-Up Stopper\PopUpStopperProfessional.exe
C:\windows\system32\srvany.exe
C:\windows\system32\resetservice.exe
C:\windows\system32\tcpsvcs.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Kaspersky Anti-Virus\kav.exe /minimize
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\TotalRecorder\TotRecSched.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Archivos de programa\Pop-Up Stopper\PopUpStopperProfessional.exe"
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105813478539
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\windows\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\windows\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Kaspersky Anti-Virus\kavsvc.exe
O23 - Service: Plug and Play - Unknown - C:\windows\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Reset 5 - Unknown - C:\windows\system32\srvany.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\windows\System32\vssvc.exe


And if is not a problem i would like to know if you know how to solve the following problem: when my machine starts i recieve a messege under DOS? saying: "invalid boot.ini file sarting system from c:windows". After that windows starts normally but i dont know if that may slow down the system. Thank you again

MArcos

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.