Hi all, I read your advice on these pages and you guys are doing a great service; glad to see there's still decent peeps out there. Enough with the creeping. LOL
Anyway, I came across this site as I'm having probs with IE6 being hijacked. I'm using the usual precautions: Spybot, ZoneAlarm Pro, Norton AntiVirus 2004. But I have been recently plagued with BackWeb; I think it crept in on a keygen and NAV didn't spot it or something. My immune on Spybot S&D is up to date. But I have this naffing searchsprint.com toolbar. I disabled the toolbar, but now when I browse the web I get a bar down the left-hand page, similar to that of the history bar or favorites bar, appear in my browser. Then popups started appearing. Now I have this p4mx4?? Every time I boot up I get an error msg saying "unable to load p4mx4 please specify the program exists" or words to that effect. I used hijackthis.exe, but I'm not as wise as you boys so I don't know if I've sorted it or not. I still have p4mx4; as I don't know what it is, I haven't removed it. Please advise.
I can see you guys are busy, so please help when you can.
Here's the results of hijackthis.exe:

Logfile of HijackThis v1.97.7
Scan saved at 2:47:27 PM, on 1/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\rgvzyahl.exe
C:\WINDOWS\fkcwyumi.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=c:\windows\system32\p4mx4.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23508026-B233-481F-8CA0-C92E58BCCF52} - C:\WINDOWS\jwtdplma.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: searchsprint - {AEE46806-2C5A-4A4E-A5DD-B4531F64A187} - C:\WINDOWS\rxshnczk.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [P4mx4] c:\windows\system32\p4mx4.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [eqmdrprp] C:\WINDOWS\rgvzyahl.exe
O4 - HKLM\..\Run: [dyellzii] C:\WINDOWS\fkcwyumi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/284f377e3972da950916/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37810.4491666667
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312

<----twat here's the results
CWShredder v1.46.6 scan only report

Windows xp (5.01.2600 sp1)
windows dir:c:\windows
windows system dir:c:\windows\system32
appdata folder: c:\documents and settings\nigel\application data
username: nigel

found hosts file:c:\WINDOWS\system32\drivers\etc\hosts (734 bytes,A)
shell registry value: HKLM\..\Winlogon(shell)explorer.exe
userlnet registry value: HKLM\..\Winlogon (userlnet) c:\windows\system32userinit.exe,
foundwin.ini file: c:\windows\win.ini(1451 bytes,A)
found system.ini file: c:\windows\system.ini (375 bytes,A)

-END OF REPORT-

Thanks Nigel

I know I'm probably becoming a pain in the ass, but I'm trying to give you all relevant info to save time, like.
The actual p4mx4 error goes like this:
windows cannot find 'c:\windows\system32\p4mx4.exe'. make sure you typed the name correctly, and then try again. to search for a file, click the start button and then click search.

I clicked OK on the error box to be presented with this unsightly error box:

could not load or run 'c:\windows\system32\p4mx4.exe' specified in the registry. make sure the file exists on your computer or remove the registry

I look forward to a reply
Nigel

In CWShredder, hit Fix first, not Scan.
Also install and run Spybot and Ad-aware. Someone who reads HijackThis log files will be around soon.

First, I didn't read your log; I posted it on another help site, and here is the fix.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=c:\windows\system32\p4mx4.exe
O2 - BHO: (no name) - {23508026-B233-481F-8CA0-C92E58BCCF52} - C:\WINDOWS\jwtdplma.dll
O3 - Toolbar: searchsprint - {AEE46806-2C5A-4A4E-A5DD-B4531F64A187} - C:\WINDOWS\rxshnczk.dll
O4 - HKLM\..\Run: [P4mx4] c:\windows\system32\p4mx4.exe
O4 - HKLM\..\Run: [eqmdrprp] C:\WINDOWS\rgvzyahl.exe
O4 - HKLM\..\Run: [dyellzii] C:\WINDOWS\fkcwyumi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/284f377e3972da...ip/RdxIE601.cab

Reboot to safe mode (tap F8 key at boot) and delete:

c:\windows\system32\p4mx4.exe <-- file ...See here: http://www.f-secure.com/v-descs/syscenter.shtml
C:\WINDOWS\rgvzyahl.exe <-- file
C:\WINDOWS\fkcwyumi.exe <-- file

NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
How to Show Hidden/System Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Then:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Post a fresh HijackThis log now please.

Cheers caperboy, I've done what you said; felt quite urgent. Ran CWShredder properly and it said I was clean.
So here's the new HijackThis log.

Cheers, Nigel

Logfile of HijackThis v1.97.7
Scan saved at 8:29:54 PM, on 1/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Qurb\QSP-2.0.190.0\QOELoader.exe
C:\WINDOWS\System32\ctfmon.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sidesearching.com/xml3.php?w=kodak%2Bdx%2B3800%2Bdriver%2Bupdate
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.0.190.0\QOELoader.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37810.4491666667
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
this log

I'm not getting the p4mx4 error anymore, and also it was gone straight after the fix of the HijackThis log; when I searched for it in safe mode, neither I nor Windows search could find it.

Nigel
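
The before-and-after check that the two logs in this thread invite, as an added example that is not part of any post above: it parses HijackThis entry lines, confirms the fix-list entries are gone from the follow-up log, and lists entries that appear only in the follow-up log so they can be reviewed. The sample strings are short excerpts of the logs and fix list posted in this thread; the function names are hypothetical.

```python
import re

# A HijackThis entry line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Map (code, lower-cased detail) -> original line; headers and process paths are skipped."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2).lower())] = line.strip()
    return entries

def compare(before, after, fix_list):
    """Report which fix-list entries are gone, which remain, and what is new in the second log."""
    b, a, f = (parse_entries(t) for t in (before, after, fix_list))
    return {
        "fixed": [f[k] for k in sorted(f) if k in b and k not in a],
        "still_present": [f[k] for k in sorted(f) if k in a],
        "new": [a[k] for k in sorted(a) if k not in b],
    }

# Excerpts of the two logs and the fix list posted in this thread.
BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\rgvzyahl.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
F1 - win.ini: run=c:\windows\system32\p4mx4.exe
O4 - HKLM\..\Run: [P4mx4] c:\windows\system32\p4mx4.exe
O4 - HKLM\..\Run: [eqmdrprp] C:\WINDOWS\rgvzyahl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe"""
AFTER = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sidesearching.com/xml3.php?w=kodak%2Bdx%2B3800%2Bdriver%2Bupdate
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.0.190.0\QOELoader.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe"""
FIX_LIST = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
F1 - win.ini: run=c:\windows\system32\p4mx4.exe
O4 - HKLM\..\Run: [P4mx4] c:\windows\system32\p4mx4.exe
O4 - HKLM\..\Run: [eqmdrprp] C:\WINDOWS\rgvzyahl.exe"""

if __name__ == "__main__":
    for label, lines in compare(BEFORE, AFTER, FIX_LIST).items():
        print(label)
        for line in lines:
            print("   ", line)
```

An entry under "new" is not a verdict; it only marks a line that was absent from the first log and has not been looked at yet.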

Thanks caperboy,
you have been a saint. Rest assured I will donate to yours and your colleagues' cause. And thanks steam for your input; I'm constantly shutting down QuickTime after bootup.

Thank you
Nigel
