About:Blank troubles and ad/spyware questions (don't worry, it isn't a Hijack log :))

Question

daosue 0 Newbie Poster

19 Years Ago

First, I want to thank you guys for offering so much help in general about these darn viruses/adware/spyware/crap. I have used a lot of the resources that have been posted to try and get rid of my About:Blank issues, and I think I may have actually gotten rid of it on my own (after about 15 hours here and there of googling and using the tutorials, etc). I have run About:Blaster, HijackThis, Spybot S&D, and Norton in addition to trying to run Ad Aware to try to clean everything up. Ad Aware freezes up after about a minute of running (after it found 14 things and started a deep registry scan, I think). I am also just starting to get messages that www.sexandpoker.com and www.allspyware.com are trying to contact the internet – I was hoping Spybot would get those…apparently not. The only thing it is picking up now is the DSO exploit IE problem….
So, I would like to know if you guys have any idea why Ad Aware freezes up (should I delete it and try loading it again?)
How do I get rid of all the other stuff that just popped up? Keep running the same programs to delete them?
What browser do you guys recommend other then Internet Explorer?
I am getting so tired of all of these awful nasty things…but I suppose I am learning more about my computer ;)
Thanks for the help, I will be posting a Hijackthis log if that About:Blank crap comes back! :D

windows-virus

5 Contributors
24 Replies
492 Views
3 Weeks Discussion Span
Latest Post 19 Years Ago Latest Post by DMR

All 24 Replies

crunchie 990 Most Valuable Poster

19 Years Ago

Post a log anyway, making sure it is the latest version (1,99) and that it is in it's own folder :).

One of the items of malware are possibly stopping adaware from running.

I recommend Opera as an alternative to IE, but the popular one at the moment appears to be FireFox.

dlh6213 27 Posting Maven

19 Years Ago

...how do I get around the malware issue to run the Ad Aware?

Try running Ad-Aware from Safe Mode.

You need to go to Windows Update and get all the Critical Updates for your system as this will help prevent infections. Hold off on SP2, however, until your system gets cleaned up.

dlh6213 27 Posting Maven

19 Years Ago

Since you have dial-up, you may want to order the CD from Microsoft rather than download it.

deonnanicole 5 Posting Whiz in Training

19 Years Ago

Since you have dial-up, you may want to order the CD from Microsoft rather than download it.

That is very true. After I got my computer straightened out last year and I was behind on my updates, it would "freeze" each time I tried to download them. It wasn't actually freezing though I don't think...it was just that I had so many to download it was taking forever. I ordered the CD, which was free, and got my updates from there. Ever since I have had no problem downloading any critical updates. :)

DMR 152 Wombat At Large

19 Years Ago

In terms of your log:

1. Verify that the IPs listed in this entry are your correct DNS sserver IPs:

O17 - HKLM\System\CCS\Services\Tcpip\..\{BAC5B70D-A401-439E-8F49-A7754842CD27}: NameServer = 69.50.188.180 195.225.176.31

If not, have HJT fix the entry and verify/reset your DNS settings in your network connection's properties page.

2. From the little info I can find on the "protect32.dll" file, it appears to be an "unwanted guest". Have HJT fix the following:

O18 - Filter: text/html - {A135230A-777A-4C1F-A71E-2329A63483DF} - C:\WINNT\System32\protect32.dll
O18 - Filter: text/plain - {A135230A-777A-4C1F-A71E-2329A63483DF} - C:\WINNT\System32\protect32.dll

Then delete the protect32.dll file. You may need to reboot, possible even into Safe Mode, to perform the deletion.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

daosue 0 Newbie Poster · Answer 1 · 2005-01-27T20:36:31+00:00

I went ahead and loaded Firefox because of a friend's recommendation, we shall see how it goes (so far no craziness)

here is the latest log, I always see a few things on there I am not too sure about, but it looks so much better without all those extra lines for about:blank and all those toolbars and stuff

Logfile of HijackThis v1.99.0
Scan saved at 8:33:36 AM, on 1/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\TPPALDR.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = oumail.ou.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster - {9E1128F1-53FA-11d5-8490-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Merriam-Webster - {9E1128F1-53FA-11D5-8490-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [dispex] C:\WINNT\System32\dispex.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Registration Myst Uru
O4 - Startup: Semagic.lnk = C:\Program Files\Semagic\LiveJournalU.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Collegiate &Dictionary - C:\Program files\Merriam-Webster Toolbar\dictionary.htm
O8 - Extra context menu item: Collegiate &Thesaurus - C:\Program files\Merriam-Webster Toolbar\thesaurus.htm
O9 - Extra button: Merriam-Webster - {BAC53F31-6090-11d5-8497-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {F798683C-FE05-436C-B0FF-35B9122E9787} - http://www.webster.com/tools/toolbar/cabs/m-w.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAC5B70D-A401-439E-8F49-A7754842CD27}: NameServer = 69.50.188.180 195.225.176.31
O18 - Filter: text/html - {A135230A-777A-4C1F-A71E-2329A63483DF} - C:\WINNT\System32\protect32.dll
O18 - Filter: text/plain - {A135230A-777A-4C1F-A71E-2329A63483DF} - C:\WINNT\System32\protect32.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

thanks for your help :)

oh, and how do I get around the malware issue to run the Ad Aware? Is that a common problem?

daosue 0 Newbie Poster · Answer 2 · 2005-01-27T22:15:29+00:00

I will try that, thanks.
I went to windows and began to download all the updates (for some reason my automatic update hasn't been going...must have turned it off somehow), and it kept freezing up and disconnecting and generally not working - but perhaps it will work now that things are cleaned up a bit and my computer isn't super slow anymore (just dial-up slow).

daosue 0 Newbie Poster · Answer 3 · 2005-02-06T01:47:09+00:00

Thanks for all the help, I think I am pretty cleared up (although every time I get off the internet I run a spyware/adware search and come up with stuff quite frequently though not in the quantities I used to have). Is there anything that blocks all of that stuff or do I just have to live with constantly cleaning them off my computer?
Also, I ran a HJT log recently and came up with something on there that Norton says is a threat but cannot delete:
C:\WINNT\System32\sprestrst.exe
The weird thing is that when I go to see if I can manually delete it, the file is not there, and the closest thing is sprestrt.exe, although I cannot find info on either one of them on the internet. (I tried to delete the one showing up in the folder but it came back two seconds later). If anyone knows anything about this I really appreciate the help :)
Thanks again

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 4 · 2005-02-06T06:56:17+00:00

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

Post another hijackthis log too.

Have you done your microsoft updates yet?

daosue 0 Newbie Poster · Answer 5 · 2005-02-07T00:26:02+00:00

I have ordered an update CD but it will probably be a while before it gets here. I don't know why I haven't been getting automatic updates, but I made sure that it is turned on as well.

The first log is the Silent Runner log - I still see that sprestrst.exe and don't think the rdspclips.exe looks any better (but I am still trying to learn what is bad and what is not).

I posted the current HJT log below the other.

I don't know what the nameserver (line 017) refers to, but trying to find those IP addresses leads me to a refused connection and an Apacheweb server page (or something). I try to have HJT fix that one every time I run it but it comes back. Is it bad? I don't think it matches to the server I am using. I think almost everything else looks OK (except, of course, for the sprestrst.exe which Norton said was bad but could not delete). I am at the point where I recognize most things on there, and if I don't recognize it, I start to worry. I really appreciate your time and your help on this.

Thanks again :)

"Silent Runners.vbs", revision 30
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" [file not found]
"CursorXP" = "C:\Program Files\CursorXP\CursorXP.exe" [" "]
"dispex" = "C:\WINNT\System32\dispex.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"GWMDMMSG" = "GWMDMMSG.exe" ["GTW"]
"IgfxTray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"]
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"GWMDMpi" = "C:\WINNT\GWMDMpi.exe" [null data]
"Multi-function Keyboard" = "GWHotKey.exe" ["BillP Studios"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"TPP Auto Loader" = "C:\WINNT\TPPALDR.EXE" ["In-System Design, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Lexmark X1100 Series" = ""C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"AcctMgr" = "C:\Program Files\Norton Password Manager\AcctMgr.exe /startup" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"rdspclips.exe" = "rdspclips.exe" [null data]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"sprestrst.exe" = "sprestrst.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{45CE2443-49CF-4313-9A61-25CE322BFF26}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\mscbz.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9E1128F1-53FA-11d5-8490-0048548030CA}\(Default) = "Merriam-Webster" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\m-wtoolbar.dll" ["www.typeless.com"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9E1128F1-53FA-11D5-8490-0048548030CA}" = "Merriam-Webster"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\m-wtoolbar.dll" ["www.typeless.com"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\Office\OLKFSTUB.DLL" [MS]
"{32A9D769-5B55-4a25-9A62-86B5683FE50A}" = "NikonView Drop Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nikon\NkView6\NkvDropExt.dll" ["Nikon Corporation"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "igfxcui\DLLName" = "igfxsrvc.dll" ["Intel Corporation"]

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"PowerReg Scheduler.exe" [empty string]
"Registration Myst Uru" [null data]
"Semagic" -> shortcut to: "C:\Program Files\Semagic\LiveJournalU.exe" ["Alexey Semenov"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"NkvMon.exe" -> shortcut to: "C:\Program Files\Nikon\NkView6\NkvMon.exe" ["Nikon Corporation"]

Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Windows Update" -> launches: "C:\WINNT\system32\wupdmgr.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
LexBce Server, LexBceS, "C:\WINNT\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Logfile of HijackThis v1.99.0
Scan saved at 11:34:43 AM, on 2/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\TPPALDR.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\sprestrst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oumail.ou.edu/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster - {9E1128F1-53FA-11d5-8490-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Merriam-Webster - {9E1128F1-53FA-11D5-8490-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [dispex] C:\WINNT\System32\dispex.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Registration Myst Uru
O4 - Startup: Semagic.lnk = C:\Program Files\Semagic\LiveJournalU.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Collegiate &Dictionary - C:\Program files\Merriam-Webster Toolbar\dictionary.htm
O8 - Extra context menu item: Collegiate &Thesaurus - C:\Program files\Merriam-Webster Toolbar\thesaurus.htm
O9 - Extra button: Merriam-Webster - {BAC53F31-6090-11d5-8497-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {F798683C-FE05-436C-B0FF-35B9122E9787} - http://www.webster.com/tools/toolbar/cabs/m-w.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAC5B70D-A401-439E-8F49-A7754842CD27}: NameServer = 69.50.188.180 195.225.176.31
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 6 · 2005-02-07T03:12:00+00:00

Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
sprestrst.exe

Go to C:\WINNT\System32 and delete the file manually.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [dispex] C:\WINNT\System32\dispex.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

Reboot into safe mode following the instructions here and navigate to and delete the following if found:

C:\WINNT\System32\dispex.exe<----file

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.

daosue 0 Newbie Poster · Answer 7 · 2005-02-08T12:36:01+00:00

They seem to be gone....hopefully...
(and on a possibly unrelated topic - I know wuauclt.exe is windows auto update in my task manager and in my system32 folder, but I don't know what the other file I found is - what is a prefetch? Also, I found a lot of conflicting iinfo about whether or not it is supposed to be in Windows XP at all...sorry to be such a bother, but I don't know what to trust on the internet about what is and isn't a virus/malware anymore. You guys are awesome. :)

Logfile of HijackThis v1.99.0
Scan saved at 12:13:57 AM, on 2/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\TPPALDR.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\alg.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oumail.ou.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster - {9E1128F1-53FA-11d5-8490-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Merriam-Webster - {9E1128F1-53FA-11D5-8490-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Registration Myst Uru
O4 - Startup: Semagic.lnk = C:\Program Files\Semagic\LiveJournalU.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Collegiate &Dictionary - C:\Program files\Merriam-Webster Toolbar\dictionary.htm
O8 - Extra context menu item: Collegiate &Thesaurus - C:\Program files\Merriam-Webster Toolbar\thesaurus.htm
O9 - Extra button: Merriam-Webster - {BAC53F31-6090-11d5-8497-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F798683C-FE05-436C-B0FF-35B9122E9787} - http://www.webster.com/tools/toolbar/cabs/m-w.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAC5B70D-A401-439E-8F49-A7754842CD27}: NameServer = 69.50.188.180 195.225.176.31
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

dlh6213 27 Posting Maven Team Colleague · Answer 8 · 2005-02-08T15:49:07+00:00

Virus creators often make files that resemble legit ones in order to make them harder to detect. Sprestrt.exe is legit; quote from Microsoft: Sprestrt.exe, which runs at the start of GUI mode, determines if GUI mode ran previously and failed. If so, Undo_Guimode.txt is used to bring files back to the state appropriate for the beginning of GUI mode.

sprestrst.exe and rdspclips.exe are pests.

Here's some info about prefetch:
http://techrepublic.com.com/5100-6270_11-5165773.html?tag=e064

daosue 0 Newbie Poster · Answer 9 · 2005-02-11T04:07:28+00:00

I though I had posted a reply just now, but it isn't showing up so I am going to re-reply. If it pops up later, I apologize for any repetition.

I am curious if it is possible to restore the sprestrt.exe file, because although I was being careful to get the right one (sprestrst.exe), I am human and made a mistake and deleted the legit one. Doh!

Also, I still have a question about whether I should delete wuauclt.exe since I do not have windows ME and I saw a thread that says that I should not have that program on XP.

Also, while in safemode to run Ad-Aware, I was browsing around my Windows/System 32 folder and saw sprestrst.exe with an icon like the auto update shield symbol I see when I go to turn on/off my windows auto updater, and I didn't delete it because I wanted to doublecheck the spelling (after last time I am realllly trying to be careful) - but when I went to find it in normal mode it was not there. Any reason that would happen?

I know I am a bother but I really do appreciate everyone's help - this is so frustrating, having to spend hours a day just to try to use my computer (it takes foreeeever right now to open firefox - I don't know if it is because of wuaulct.exe, but the slowness started when I noticed that in my task manager). I have tried looking online for answers to these issues, but haven't found anything definitive.
Thanks again.

DMR 152 Wombat At Large Team Colleague · Answer 10 · 2005-02-11T05:49:40+00:00

I am curious if it is possible to restore the sprestrt.exe file

You may not need to worry about that; I'm pretty sure the file is only used at installation time. I'll try to verify this and post an update.

Also, I still have a question about whether I should delete wuauclt.exe since I do not have windows ME and I saw a thread that says that I should not have that program on XP.

Information concerning wuauclt.exe being only for ME is out of date; a file of that name is now also a component of AutoUpdate features in XP.

I was browsing around my Windows/System 32 folder and saw sprestrst.exe with an icon like the auto update shield symbol...

Reboot into safe mode, locate sprestrst.exe, right-click on it, and choose "Properties" from the pop-up menu. Look through the General, Version, Summary, etc. tabs in the Properties window for any information which might identify the file (company name, size, creation date, etc.). Post whatever info you find.

daosue 0 Newbie Poster · Answer 11 · 2005-02-11T21:11:43+00:00

I found the info but the only thing it really said was that it was created yesterday while I was on the computer. That makes me think it is not a happy little file. It might have happened when I opened IE to see if it was running as slow as Firefox (probably a bad idea, because as soon as I did I started getting popups).
Then, Microsoft word started terminating abnormally....will this ever end? I am trying to do everything right and I don't even get on the internet that often....sigh.
Thanks for the help

DMR 152 Wombat At Large Team Colleague · Answer 12 · 2005-02-12T05:58:21+00:00

I found the info but the only thing it really said was that it was created yesterday while I was on the computer. That makes me think it is not a happy little file.

Agreed- that does not sound like a happy little file at all.

Did you follow the instructions crunchie posted earlier to delete that file, only to have it "automagically" return? That sounds like the case, but I just want to verify..

daosue 0 Newbie Poster · Answer 13 · 2005-02-12T07:19:43+00:00

Agreed- that does not sound like a happy little file at all.
Did you follow the instructions crunchie posted earlier to delete that file, only to have it "automagically" return? That sounds like the case, but I just want to verify..

I did follow the instructions, and it did delete from the folder (in safe and normal mode), but maybe after I reopened IE (after using firefox for the last few weeks) it got reloaded into the system from another place (though I thought I emptied and remptied everything I could since then), because when it came back it was hidden in normal mode even though I had all my hidden files showing (i think) - can files do that? It only appeared in the folder in safe mode. I have deleted it and ran spybot and ad-aware and checked what was appearing in my task manager and even ran hijack this again to see if I saw any bad files, but so far I have not had anything appear since I deleted it. I just hope deleting the other legit one won't affect my computer at some critical point.

dlh6213 27 Posting Maven Team Colleague · Answer 14 · 2005-02-12T16:18:10+00:00

Can you please post new HJT and Silent Runners logs?

I don't know if you need the file you accidently deleted, but you can probably copy from your XP CD... or your update CD, when you get it, may have it.

daosue 0 Newbie Poster · Answer 15 · 2005-02-12T23:10:54+00:00

Here are some new logs. I haven't seen this in my HJT before:
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

THanks again

Logfile of HijackThis v1.99.0
Scan saved at 10:54:48 AM, on 2/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\TPPALDR.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\alg.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oumail.ou.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster - {9E1128F1-53FA-11d5-8490-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Merriam-Webster - {9E1128F1-53FA-11D5-8490-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Registration Myst Uru
O4 - Startup: Semagic.lnk = C:\Program Files\Semagic\LiveJournalU.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Collegiate &Dictionary - C:\Program files\Merriam-Webster Toolbar\dictionary.htm
O8 - Extra context menu item: Collegiate &Thesaurus - C:\Program files\Merriam-Webster Toolbar\thesaurus.htm
O9 - Extra button: Merriam-Webster - {BAC53F31-6090-11d5-8497-0048548030CA} - C:\WINNT\Downloaded Program Files\m-wtoolbar.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F798683C-FE05-436C-B0FF-35B9122E9787} - http://www.webster.com/tools/toolbar/cabs/m-w.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAC5B70D-A401-439E-8F49-A7754842CD27}: NameServer = 69.50.188.180 195.225.176.31
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

"Silent Runners.vbs", revision 30
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" [file not found]
"CursorXP" = "C:\Program Files\CursorXP\CursorXP.exe" [" "]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"GWMDMMSG" = "GWMDMMSG.exe" ["GTW"]
"IgfxTray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"]
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"GWMDMpi" = "C:\WINNT\GWMDMpi.exe" [null data]
"Multi-function Keyboard" = "GWHotKey.exe" ["BillP Studios"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"TPP Auto Loader" = "C:\WINNT\TPPALDR.EXE" ["In-System Design, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Lexmark X1100 Series" = ""C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"AcctMgr" = "C:\Program Files\Norton Password Manager\AcctMgr.exe /startup" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"rdspclips.exe" = "rdspclips.exe" [null data]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"sprestrst.exe" = "sprestrst.exe" [file not found]
"UserFaultCheck" = "C:\WINNT\system32\dumprep 0 -u" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{45CE2443-49CF-4313-9A61-25CE322BFF26}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\mscbz.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9E1128F1-53FA-11d5-8490-0048548030CA}\(Default) = "Merriam-Webster" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\m-wtoolbar.dll" ["www.typeless.com"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9E1128F1-53FA-11D5-8490-0048548030CA}" = "Merriam-Webster"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\m-wtoolbar.dll" ["www.typeless.com"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\Office\OLKFSTUB.DLL" [MS]
"{32A9D769-5B55-4a25-9A62-86B5683FE50A}" = "NikonView Drop Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nikon\NkView6\NkvDropExt.dll" ["Nikon Corporation"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "igfxcui\DLLName" = "igfxsrvc.dll" ["Intel Corporation"]

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"PowerReg Scheduler.exe" [empty string]
"Registration Myst Uru" [null data]
"Semagic" -> shortcut to: "C:\Program Files\Semagic\LiveJournalU.exe" ["Alexey Semenov"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"NkvMon.exe" -> shortcut to: "C:\Program Files\Nikon\NkView6\NkvMon.exe" ["Nikon Corporation"]

Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Windows Update" -> launches: "C:\WINNT\system32\wupdmgr.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
LexBce Server, LexBceS, "C:\WINNT\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

dlh6213 27 Posting Maven Team Colleague · Answer 16 · 2005-02-13T13:11:37+00:00

[UserFaultCheck] %systemroot%\system32\dumprep 0 -u should be gone after your next reboot, or it can safely be fixed with Hijackthis. More info on this here: http://forums.techguy.org/showthread.php?t=151574

I don't see any problems in your HJT or Norton logs, but you need to wait for someone else to review your Silent Runners log as I'm not familiar with it.

I would suggest you avoid using Internet Explorer until you get your updates installed.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 17 · 2005-02-13T15:31:20+00:00

Hi. Cannot see anything other than a couple of registry entries that need fixing. Do a system restore before going ahead.

Download the zip file and unzip fixme.reg. Double click to run it and when asked if you want to merge with your registry, answer yes.

daosue 0 Newbie Poster · Answer 18 · 2005-02-24T03:51:34+00:00

Hi. Cannot see anything other than a couple of registry entries that need fixing. Do a system restore before going ahead.
Download the zip file and unzip fixme.reg. Double click to run it and when asked if you want to merge with your registry, answer yes.

I ran the fixme.reg without doing a system restore first - I don't know why, though it probably has to do with me trying to do too many things at once - is that a problem, did I just mess anything up? I had planned on doing it yesterday, but I just opened the window and saw the post and remembered I had to download that before rereading about restoring....though I am not sure what date or whatever to restore to....sorry to be so dense about this stuff.

I also got the Windows update CD (finally). I am about to load it so I can get caught up with that.

I know this has gone on for a while, I apologize, but I think things are clearing up. Thanks again.

DMR 152 Wombat At Large Team Colleague · Answer 19 · 2005-02-24T06:48:33+00:00

... though I am not sure what date or whatever to restore to....sorry to be so dense about this stuff.

Definitely no need for apologies- until this tidal wave of "spyware" crud washed ashore few years ago, regular computer users never had to worry about or know about the stuff that they need to delve in to these days. It's a Thing That Should Not Be.

In terms of the system restore, crunchie meant that you should make a new Restore Point, not go back to a previous Restore Point. The way that you get to the option where you can set a new restore point varies depending on whether you are using Win XP's "default" Start menu configuration or the "classic" (win 2000-type) configuration. The following link gives instructions for both:

http://support.gateway.com/s/SOFTWARE/MICROSOF/7509595/System_Restore/SystemRestore.shtml

About:Blank troubles and ad/spyware questions (don't worry, it isn't a Hijack log :))

Recommended Answers Collapse Answers

All 24 Replies

Recommended Answers