Hi all, I read your advice on these pages and you guys are doing a great service; glad to see there's still decent peeps out there. Enough with the creeping. LOL
Anyway, I came across this site as I'm having probs with IE6 being hijacked. I'm using the usual precautions: Spybot, ZoneAlarm Pro, Norton AntiVirus 2004. But I have been recently plagued with BackWeb; I think it crept in on a keygen and NAV didn't spot it or something. My immune on Spybot S&D is up to date. But I have this naffing searchsprint.com toolbar. I disabled the toolbar, but now when I browse the web I get a bar down the left hand page, similar to that of the history bar or favorites bar, appear in my browser, then popups started appearing. Now I have this p4mx4?? Every time I boot up I get an error msg saying "unable to load p4mx4 please specify the program exists" or words to that effect. I used hijackthis.exe, but I'm not as wise as you boys so I don't know if I've sorted it or not. I still have p4mx4; as I don't know what it is, I haven't removed it. Please advise.
I can see you guys are busy, so please help when you can.
Here's the results of hijackthis.exe:

Logfile of HijackThis v1.97.7
Scan saved at 2:47:27 PM, on 1/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\rgvzyahl.exe
C:\WINDOWS\fkcwyumi.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=c:\windows\system32\p4mx4.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23508026-B233-481F-8CA0-C92E58BCCF52} - C:\WINDOWS\jwtdplma.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: searchsprint - {AEE46806-2C5A-4A4E-A5DD-B4531F64A187} - C:\WINDOWS\rxshnczk.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [P4mx4] c:\windows\system32\p4mx4.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [eqmdrprp] C:\WINDOWS\rgvzyahl.exe
O4 - HKLM\..\Run: [dyellzii] C:\WINDOWS\fkcwyumi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/284f377e3972da950916/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37810.4491666667
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312

<----twat here's the results
CWShredder v1.46.6 scan only report

Windows xp (5.01.2600 sp1)
windows dir:c:\windows
windows system dir:c:\windows\system32
appdata folder: c:\documents and settings\nigel\application data
username: nigel

found hosts file:c:\WINDOWS\system32\drivers\etc\hosts (734 bytes,A)
shell registry value: HKLM\..\Winlogon(shell)explorer.exe
userlnet registry value: HKLM\..\Winlogon (userlnet) c:\windows\system32userinit.exe,
foundwin.ini file: c:\windows\win.ini(1451 bytes,A)
found system.ini file: c:\windows\system.ini (375 bytes,A)

-END OF REPORT-

Thanks Nigel

I know I'm probably becoming a pain in the ass, but I'm trying to give you all relevant info to save time like.
The actual p4mx4 error goes like this:
windows cannot find 'c:\windows\system32\p4mx4.exe'. make sure you typed the name correctly, and then try again. to search for a file, click the start button and then click search.

I clicked OK on the error box to be presented with this unsightly error box:

could not load or run 'c:\windows\system32\p4mx4.exe' specified in the registry. make sure the file exists on your computer or remove the registry

I look forward to a reply
Nigel

In CWShredder hit fix first, not scan.
Also install and run Spybot and Ad-aware. Someone who reads hijack log files will be around soon.

First, I didn't read your log; I posted it on another help site and here is the fix.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=c:\windows\system32\p4mx4.exe
O2 - BHO: (no name) - {23508026-B233-481F-8CA0-C92E58BCCF52} - C:\WINDOWS\jwtdplma.dll
O3 - Toolbar: searchsprint - {AEE46806-2C5A-4A4E-A5DD-B4531F64A187} - C:\WINDOWS\rxshnczk.dll
O4 - HKLM\..\Run: [P4mx4] c:\windows\system32\p4mx4.exe
O4 - HKLM\..\Run: [eqmdrprp] C:\WINDOWS\rgvzyahl.exe
O4 - HKLM\..\Run: [dyellzii] C:\WINDOWS\fkcwyumi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/284f377e3972da...ip/RdxIE601.cab

Reboot to safe mode (tap F8 key at boot) and delete:

c:\windows\system32\p4mx4.exe <-- file ...See here: http://www.f-secure.com/v-descs/syscenter.shtml
C:\WINDOWS\rgvzyahl.exe <-- file
C:\WINDOWS\fkcwyumi.exe <-- file

NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
How to Show Hidden/System Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Then:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Post a fresh HijackThis log now please.

Cheers caperboy, I've done what you said; felt quite urgent. Ran CWShredder properly and it said I was clean.
So here's the new HijackThis log.

Cheers, Nigel

Logfile of HijackThis v1.97.7
Scan saved at 8:29:54 PM, on 1/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Qurb\QSP-2.0.190.0\QOELoader.exe
C:\WINDOWS\System32\ctfmon.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sidesearching.com/xml3.php?w=kodak%2Bdx%2B3800%2Bdriver%2Bupdate
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.0.190.0\QOELoader.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37810.4491666667
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
this log

I'm not getting the p4mx4 error anymore, and also it was gone straight after the HijackThis fix. When I searched for it in safe mode, neither I nor Windows search could find it.

nigel

Thanks caperboy,
you have been a saint; rest assured I will donate to your and your colleagues' cause. And thanks steam for your input; I'm constantly shutting down QuickTime after bootup.

thank you
Nigel
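
Added example, not part of the original thread: a small Python check that compares the "before" and "after" HijackThis logs against the fix list, so leftover or newly appeared entries stand out. The function names and the three-way result are assumptions of this sketch; the sample strings are excerpts of the logs posted above.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [name] path"; header and process lines do not match.
ENTRY = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return a set of (section, text) pairs, whitespace-collapsed and lowercased
    because Windows paths and registry names are case-insensitive."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), " ".join(m.group(2).split()).lower()))
    return entries

def compare(before, after, fixed):
    """Diff two logs against the list of entries the helper asked to have fixed."""
    b, a, f = parse_entries(before), parse_entries(after), parse_entries(fixed)
    return {
        "still_present": sorted(f & a),         # fix did not take, or the entry came back
        "new": sorted(a - b),                   # appeared between the two scans
        "gone_unrequested": sorted(b - a - f),  # disappeared without being on the fix list
    }

# Excerpts of the fix list and the two logs posted in this thread.
FIXED = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
F1 - win.ini: run=c:\windows\system32\p4mx4.exe
O4 - HKLM\..\Run: [P4mx4] c:\windows\system32\p4mx4.exe
O4 - HKLM\..\Run: [eqmdrprp] C:\WINDOWS\rgvzyahl.exe
"""
BEFORE = FIXED + r"""O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
C:\WINDOWS\rgvzyahl.exe
"""
AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sidesearching.com/xml3.php?w=kodak%2Bdx%2B3800%2Bdriver%2Bupdate
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.0.190.0\QOELoader.exe"
"""

if __name__ == "__main__":
    for label, items in compare(BEFORE, AFTER, FIXED).items():
        print(label, len(items))
        for section, text in items:
            print("  ", section, "-", text)
```

On these excerpts nothing from the fix list remains, and two entries show up as new in the second scan (the `Search Bar` value and the `QOELOADER` Run key), which is what a reviewer would look at next.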
