Possible spy/adware problem

Question

Per Ivar 0 Newbie Poster

18 Years Ago

I have a annoying problem with IE6. Sometimes a blank page pops up and it will not close before I reboot or close it about 10-15 times. It occurs when I klick on a link in outlook express or if I run virus scan. Therefore I think it maybe can be a infection or malware or something. I have run adaware, microsofts beta security program, but it just continue to pop up. I put in my HJ log here if you maybe can pin down some problem for me please.

Logfile of HijackThis v1.99.1
Scan saved at 23:22:32, on 04.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Opera\Opera.exe
C:\DOCUME~1\PEROGA~1\LOKALE~1\Temp\Midlertidig mappe 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [awvycup] c:\windows\system32\awvycup.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Documents and Settings\Per og Ade\Mine dokumenter\iridium.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: Dialpad Webphone - https://televoip.dialpad.com/md/update/cham.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://rawflow.streamguys.net/rawflow/app/2.1.12.0/Rawflow.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106842191468
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe

windows-virus

3 Contributors
20 Replies
464 Views
1 Week Discussion Span
Latest Post 18 Years Ago Latest Post by DMR

All 20 Replies

dlh6213 27 Posting Maven

18 Years Ago

Get CWShredder from:
http://www.downloads.subratam.org/CWShredder.exe

Open CWShredder, click on Check for updates, and after it's finished updating, click on Fix.

Before fixing anything with hijackthis, you need to move it out of the Temp folder it's in to a permanent folder of it's own (like c:\HJT\hijackthis.exe).

After you've done that, close all browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven

18 Years Ago

You still have HijackThis in a Temp folder (C:\DOCUME~1\PEROGA~1\LOKALE~1\Temp\Midlertidig mappe 5 for hijackthis.zip\HijackThis.exe); it should be in it's own permanent folder so it, and the backups it will create, don't accidently deleted.

You may wish to consider disabling CTHELPER.EXE -- quote from sysinfo:

CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it.

Please post a new log after you move HJT into a new folder.

DMR 152 Wombat At Large

18 Years Ago

1. I'm not sure what did happen when you ran CWShredder, but CTHELPER probably wasn't the cause.

2. Have HijackThis fix:

O4 - HKLM\..\Run: [awvycup] c:\windows\system32\awvycup.exe

3.Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

Locate and delete the c:\windows\system32\awvycup.exe file.

4. Empty your Recycle Bin, reboot, and post a new HJT log.

DMR 152 Wombat At Large

18 Years Ago

I don't know if it will cure your specific problem, but you can try running IEFix.
It would probably be a good idea to uninstall the Window Maximizer before running IEFix, as it might cause conflicts with IEFix's repair process.

DMR 152 Wombat At Large

18 Years Ago

Iget this mmc.exe program error message where it say memory cant be read.

Can you give us specifics on that please (when do you get message, what the exact text of the message is, etc.)?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Per Ivar 0 Newbie Poster · Answer 1 · 2005-05-05T14:51:51+00:00

I did as you said. Here is the result.

Logfile of HijackThis v1.99.1
Scan saved at 10:48:59, on 05.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Outlook Express\msimn.exe
C:\DOCUME~1\PEROGA~1\LOKALE~1\Temp\Midlertidig mappe 5 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [awvycup] c:\windows\system32\awvycup.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Documents and Settings\Per og Ade\Mine dokumenter\iridium.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: Dialpad Webphone - https://televoip.dialpad.com/md/update/cham.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://rawflow.streamguys.net/rawflow/app/2.1.12.0/Rawflow.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106842191468
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe

Per Ivar 0 Newbie Poster · Answer 2 · 2005-05-05T15:13:12+00:00

It might be actual to mention that I had some problems with the IE6 before regarding hosts and runed Hoster. After that ie opens first as a small window and then maximizes.
Sometimes it did stay small and I tryed all the suggestions regarding window size on daniweb. But now I use a tool called Ie new window maximizer.

Per Ivar 0 Newbie Poster · Answer 3 · 2005-05-06T13:40:42+00:00

Now I think it`s right.

Logfile of HijackThis v1.99.1
Scan saved at 09:39:44, on 06.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Per og Ade\Mine dokumenter\Install og nytte\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [awvycup] c:\windows\system32\awvycup.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Documents and Settings\Per og Ade\Mine dokumenter\iridium.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: Dialpad Webphone - https://televoip.dialpad.com/md/update/cham.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://rawflow.streamguys.net/rawflow/app/2.1.12.0/Rawflow.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106842191468
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe

Per Ivar 0 Newbie Poster · Answer 4 · 2005-05-06T15:57:21+00:00

You still have HijackThis in a Temp folder (C:\DOCUME~1\PEROGA~1\LOKALE~1\Temp\Midlertidig mappe 5 for hijackthis.zip\HijackThis.exe); it should be in it's own permanent folder so it, and the backups it will create, don't accidently deleted.
You may wish to consider disabling CTHELPER.EXE -- quote from sysinfo:
CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it.
Please post a new log after you move HJT into a new folder.

I just ran this CWShredder and it caused in the end, after klicking the fix button, for this blank page to appear again. Can it be this you mention, CTHELPER, that cause this? It is extremly annoying!
Anyway, good at least to have a forum to attend.

Per Ivar 0 Newbie Poster · Answer 5 · 2005-05-07T00:56:00+00:00

Again I did like you said.

Logfile of HijackThis v1.99.1
Scan saved at 20:54:08, on 06.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\Outlook Express\msimn.exe
C:\Documents and Settings\Per og Ade\Mine dokumenter\Install og nytte\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Programfiler\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Documents and Settings\Per og Ade\Mine dokumenter\iridium.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: Dialpad Webphone - https://televoip.dialpad.com/md/update/cham.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://rawflow.streamguys.net/rawflow/app/2.1.12.0/Rawflow.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106842191468
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe

Per Ivar 0 Newbie Poster · Answer 6 · 2005-05-07T01:00:35+00:00

And when I cliked the link for the forum in your reply, two windows open. One blank and one with the forum.The difference now is that it seem to close on the first atempt, the blank one I mean.

Per Ivar 0 Newbie Poster · Answer 7 · 2005-05-07T06:32:57+00:00

And when I cliked the link for the forum in your reply, two windows open. One blank and one with the forum.The difference now is that it seem to close on the first atempt, the blank one I mean.

No it doesent close...Irritating thing this!

Per Ivar 0 Newbie Poster · Answer 8 · 2005-05-08T19:00:44+00:00

It did not help. But I suspect maybe it can be a registry problem. Iget this mmc.exe program error message where it say memory cant be read. I read some on microsoft that this also had some connection to outlook express and IE. What do you think?

Per Ivar 0 Newbie Poster · Answer 9 · 2005-05-09T12:41:50+00:00

It occurs when I open admin tools for example. The error message says: The instruction in "0x7c9105f8"reffers to adress "0x00940010". Memory could not be read. Klick ok to finish the program.

This is in Norwegian, so i have translated the best I could. Every time I use something that use mmc this message appears.

Per Ivar 0 Newbie Poster · Answer 10 · 2005-05-09T19:15:04+00:00

It occurs when I open admin tools for example. The error message says: The instruction in "0x7c9105f8"reffers to adress "0x00940010". Memory could not be read. Klick ok to finish the program.
This is in Norwegian, so i have translated the best I could. Every time I use something that use mmc this message appears.

It occurs also when I run diskeeper light naturally because it also use mmc.exe, right?

Per Ivar 0 Newbie Poster · Answer 11 · 2005-05-10T20:56:34+00:00

I just found out that it possible is something wrong with sysedit.exe too. It will not open I get a error message like this: C:\windows\system32\autoexec.NT. System file does fit for MS-DOS- and windows programs.

Pretty messed up I understand now. Maybe a reinstall is in order?

Per Ivar 0 Newbie Poster · Answer 12 · 2005-05-11T03:24:29+00:00

I just found out that it possible is something wrong with sysedit.exe too. It will not open I get a error message like this: C:\windows\system32\autoexec.NT. System file does fit for MS-DOS- and windows programs.
Pretty fucked up I understand now. Maybe a reinstall is in order?

I realizenI have some spelling error here. It should be: does not fit...

And maybe this has developed to a different place in the tech talk?

DMR 152 Wombat At Large Team Colleague · Answer 13 · 2005-05-12T00:05:09+00:00

The autoexec.nt error translates as follows:

"C:\windows\system32\autoexec.NT. The System file is not suitable for running MS-DOS and MS-Windows applications. Choose "Close" to terminate the application".

That error can be the result corruption or modification to that file, perhaps done by the infection(s) you had. Reinstalling a fresh copy of the file is usually the recommended first approach; there are a few ways to do this:

1. A backup copy of the file might exist in your C:\Windows\repair folder. If so, replace the autoexec.NT file in \system32 with a copy of the one in the repair folder.

2. Run the System File Checker. It will scan for missing or corrupt system files (you may have more than one) and if any are found, it will prompt you to insert your XP CD and will extract fresh copies of the file(s) from there.
If you don't have the XP CD, but you do have a C:\Windows\i386 folder on your machine, point the File Checker to that folder; fresh copies of the file(s) it needs may exist in that location.

To run the System File Checker, click on the "Run..." option in your Start menu and type the following command in the "Open:" box:

sfc /scannow

3. You can try to repair the damage manually by extrracting fresh copies of autoexec.NT and gtwo other core files:

Insert your XP installation CD, open an MS-DOS window, and type the following three commands (hit Enter after each):

expand e:\i386\config.nt_ c:\windows\system32\config.nt
expand e:\i386\autoexec.nt_ c:\windows\system32\autoexec.nt
expand e:\i386\command.co_ c:\windows\system32\command.com

Obviously, substitute your CD's drive letter if it is not "E:"

Per Ivar 0 Newbie Poster · Answer 14 · 2005-05-13T02:29:15+00:00

It fixed the sysedit problem, exept that I got a message that said: c:\autoexec.bat. can not open this file. The problem wit mcc program error is still there. This blank page thing seem to be gone. So far so good. Any suggestions on that?(mmc.exe) I will try to translate as good as possible. It pops up a message who says:

mmc.exe - program error.
Isntruction in "0x7c9105f8" reffered to adress "0x00940010". Memory could not be read.
Klick ok to finish the program.

What do you think?

And thank you very much for all help so far.

DMR 152 Wombat At Large Team Colleague · Answer 15 · 2005-05-13T02:55:55+00:00

1. Microsoft has a KnowledgeBase article on that mmc error here.

2. Also, you can try reinstalling/upgrading the mmc component. The download from MS is here.

Possible spy/adware problem

Recommended Answers Collapse Answers

All 20 Replies

Recommended Answers