

Valoche

@36-200-80.adsl.skyne

explorer problem

Hi there

I have a "little" problem with explorer.exe. Every time I start my computer I have to end explorer and launch it again to be able to see my desktop. But there's more... all kinds of weird things are happening on my computer. So after reading a few threads I tried the Hijack thing...

Can someone please help me out with the log because I honestly don't see anything in there...

I have to admit I don't know anything about computers so, if you are willing to help me, do it as if you were talking to a five year old!

Thx a lot!

Val


Valoche

@36-200-80.adsl.skyne

Here's the log :

Logfile of HijackThis v1.97.7
Scan saved at 12:04:40, on 13/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\progra~1\ddm\sysu.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »fetew.rug.ac.be/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [59481447.exe] C:\WINDOWS\System32\59481447.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [sysu] "C:\progra~1\ddm\sysu.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - »www.flocom.be/iNotes.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - »www.installengine.com/engine/isetup.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - »sc.groups.msn.com/controls/Photo···Upld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - »download.rfwnad.com/cab/crack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6675A22-81F4-4D81-AC8B-578BAA33C849}: NameServer = 192.168.123.254


kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

This entry looks suspicious:

quote:
O4 - HKLM\..\Run: [59481447.exe] C:\WINDOWS\System32\59481447.exe
Follow the steps in this FAQ: »Security »I think my computer is infected or hijacked. What should I do?

After following the steps above, if you still have the problem, generate another Hijack This log and post it.


dp
Premium,MVM
join:2000-12-08
Greensburg, PA
kudos:7

reply to Valoche
You appear to have Adware.DynamicUpdater. Information on it can be found at »www.symantec.com/avcenter/venc/d···ter.html

C:\progra~1\ddm\sysu.exe
O4 - HKLM\..\RunOnce: [sysu] "C:\progra~1\ddm\sysu.exe"

Run an up-to-date antivirus program and if any files are detected as infected with Adware.DynamicUpdater, click Delete.

Also, you can let HijackThis fix:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

The suspicious file that kpatz pointed out:
O4 - HKLM\..\Run: [59481447.exe] C:\WINDOWS\System32\59481447.exe

Someone will probably be along and request that you send them that file for analysis.
--
Write your questions down on the back of a $20 dollar bill and send them to me
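An added example, not code from this thread or from HijackThis: a Python triage pass that encodes the checks the replies above applied to the first log, namely an O4 program name that is a bare number (kpatz's entry), a RunOnce entry whose target is already running (dp's sysu.exe), a URLSearchHook with no backing file, and an O16 ActiveX download from a host outside a small allow-list. The sample log lines are copied from the first log in the thread; the allow-list of trusted download hosts is an assumption.

```python
"""Triage pass over a HijackThis log, encoding the checks the replies above made.

Added example, not part of this thread or of HijackThis. It only reports lines
for a human to review, which is how the thread itself works.
"""
import re

# Constructed sample: a subset of the first log posted in this thread, copied as
# the forum shows it (URLs carry a leading » marker and long paths are shortened
# with ···; a real log has http:// and full paths, and the parser accepts both).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\progra~1\ddm\sysu.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [59481447.exe] C:\WINDOWS\System32\59481447.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [sysu] "C:\progra~1\ddm\sysu.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - »download.rfwnad.com/cab/crack.CAB
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: .* - (?P<target>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?:»|https?://)?(?P<host>[^/\s]+)")

# Constructed allow-list: download hosts the thread left alone. Anything else is reported.
TRUSTED_DPF_HOSTS = {"download.macromedia.com", "www.installengine.com", "sc.groups.msn.com"}


def image_name(cmd):
    """Lower-cased file name of the program an O4 command launches: handles quoted
    paths, unquoted paths with spaces plus arguments, and RunDll32 commands
    (where the DLL, not RunDll32 itself, is the file of interest)."""
    m = re.match(r'"?(?P<path>.*?\.(?:exe|dll|com|bat|scr))\b', cmd, re.IGNORECASE)
    path = m.group("path") if m else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def running_processes(log_text):
    """Set of lower-cased file names listed under 'Running processes:'."""
    if "Running processes:" not in log_text:
        return set()
    block = log_text.split("Running processes:", 1)[1].split("\n\n", 1)[0]
    return {p.strip().rsplit("\\", 1)[-1].lower() for p in block.splitlines() if p.strip()}


def triage(log_text):
    """Return (log line, reason) pairs a reviewer should look at, in log order."""
    running = running_processes(log_text)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            image = image_name(m["cmd"])
            if re.fullmatch(r"\d+\.exe", image):
                findings.append((line, "O4: program name is a bare number"))
            if m["key"] == "RunOnce":
                why = "O4: RunOnce entry still present"
                if image in running:
                    # Windows deletes a RunOnce value before launching it, so a value that
                    # is still there while its target runs was written back during this boot.
                    why += " although its target is already running"
                findings.append((line, why))
        elif m := R3_RE.match(line):
            if m["target"].lower() == "(no file)":
                findings.append((line, "R3: URLSearchHook with no backing file"))
        elif m := O16_RE.match(line):
            if m["host"].lower() not in TRUSTED_DPF_HOSTS:
                findings.append((line, "O16: ActiveX control fetched from " + m["host"]))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the full first log, the pass reports exactly the four entries kpatz and dp singled out plus the rfwnad.com control, and leaves the Norton, ThinkPad and Kazaa entries for the human judgement the later replies apply.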



valoche

@240.xx.adsl.skynet.b

reply to Valoche
I ran Ad-Aware and Spybot S&D a few more times and fixed some of the suspicious things in HijackThis... now my logfile looks like this:

Logfile of HijackThis v1.97.7
Scan saved at 18:23:35, on 13/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »fetew.rug.ac.be/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - »www.flocom.be/iNotes.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - »sc.groups.msn.com/controls/Photo···Upld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6675A22-81F4-4D81-AC8B-578BAA33C849}: NameServer = 192.168.123.254

Does that look ok?


Tablet
Premium
join:2003-01-15
Czech

2 edits

reply to Valoche
Do you know what this is? It looks very suspicious:

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART.

Could you please send me the C:\WINDOWS\System32\P2P Networking\P2P Networking.exe file to tablet@seznam.cz? I'll tell you if it is anything malicious. Regards



Zupe
Premium,MVM
join:2001-11-29
New York, NY

said by Tablet:
Do you know what this is? It looks very suspicious:

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART.

It comes bundled with Kazaa, but isn't necessary for it to run - »www.kephyr.com/spywarescanner/li···ex.phtml
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?


Zupe
Premium,MVM
join:2001-11-29
New York, NY

1 edit

reply to valoche

said by valoche:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE

O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - »www.flocom.be/iNotes.cab

Most of what you had is gone, but you can still get rid of these.

First, go to add/remove programs and remove "P2P Networking" if it's listed there.

Then, close all browser windows, put a check next to any of the items that I listed above that remain in Hijack This and click "Fix Checked". Reboot and rescan to make sure they're gone.

Also, unless you need Kazaa to load at startup for some reason, you can get rid of this in Hijack This as well:

O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?


whizkid3
Premium,MVM
join:2002-02-21
Queens, NY
kudos:6

reply to Valoche
Your PC is bloated with programs that run at startup. This may make your PC slow, slow to boot, and unstable. These startup programs use valuable resources and can cause potential conflicts. Most of them need only be run when and if you absolutely need them. (Realsched is known to use over 75% of your CPU resources.) Here are items from the startup log of hjt, with my recommendations and information courtesy of:

»www.answersthatwork.com/
»www.sysinfo.org/startuplist.php

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

- For ATI video cards. System Tray access to display mode changing. Do you need this running every time you use the PC?

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

IBM Thinkpad related utility - not sure what it does nor if you need it. I suggest removing it, and then using your computer for a while. If you don't notice anything different, you didn't need it. You may notice something different right away, perhaps something you don't use and don't need.

O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

- System Tray icon providing access to the "IBM Access Connections" wizard on ThinkPad laptops, which also allows you to change the network environment. Not the same as QCWLIcon, which is pertinent only to the Wireless LAN - you may or may not need this. (If you don't use it, you don't need it running full-time.)

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

Used by IBM ThinkPad laptops with a built-in wireless card (802.11). System Tray icon that provides a shortcut to "Wireless Connection Status" and allows you to turn WL on and off - if you're not using this, you don't need it.

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

- Adds accessibility options for an IBM TrackPoint - if you don't use these options (primarily for handicapped people) then you don't need this.

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

- Activates "ThinkPad Help" when the "Thinkpad key" is pressed on an IBM ThinkPad laptop. Also activates the audio buttons (volume up/down, mute) on models such as the Thinkpad T30 - ???

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

- Possible OBSORB VIRUS! or part of valid Norton AntiVirus. Check this for more details:

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

Checks when you install a new version of a Norton product that you have uninstalled all previous versions. Serves as a reminder if you forget - Did you just previously install a new version of Norton Antivirus? This shouldn't be running all the time.

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

This is a resource killer, get rid of it at all costs - Real Networks Scheduler which gets installed with RealOne Player. Under Win9x/ME this task shows as TKBELLEXE, and as EVNTSVC under Windows 2000/XP or REALSCHED depending on which version of RealOne Player you have installed. From our experience, everything that applies to EVNTSVC below, also applies to REALSCHED. RNDAL elsewhere in these Task List pages is a good starting point to read about RealOne Player. Next, a 15-Jun-2002 extract from the RealOne Player License Agreement that is specific to EVNTSVC (the said License Agreement was updated on 25-Nov-2002 by Real Networks and EVNTSVC was replaced by REALSCHED in that version of the License Agreement) : An application Scheduler, known as "evntsvc.exe," is installed along with RealOne Player. Once installed, it runs independently of RealOne Player. The Scheduler does not collect personal information or communicate with RealNetworks’ servers. It is used to remind AutoUpdate and Message Center to perform their tasks at pre-scheduled intervals. The Scheduler is also used to automatically launch RealNetworks’ Media Type Helper. The Media Type Helper ensures the system is configured for correct operation of the RealOne Player with Multi-Purpose Internet Mail Extensions ("MIME") types, file extensions, Internet protocols and other media types. If a media type has been assigned a different action by a different application, Media Type Helper may override the association and substitute its own association. Recommendation : If reading about RNDAL did not put you off, then read on. RealPlayer Classic used to be one of the most needed pieces of software on a PC. Its successor, RealOne Player, is vying for the title of the most hated piece of software. For a start, on many PCs EVNTSVC slows down boot-ups unacceptably, using up to 90% of CPU time at times. There have also been reports of EVNTSVC dropping advertising shortcuts onto the desktop during idle times. 
Next, if you try to disable EVNTSVC via Startup Manager or MSCONFIG, RealOne Player checks to see if it has been deleted from the Registry and re-instates it as a startup item ! To be fair, there is a facility within RealOne Player to "only perform automatic services while RealOne Player is in use". As stated in our write-up for RNDAL, our recommendation is to de-install RealOne Player and either use the classic RealPlayer, or something else such as WinAmp. If you absolutely want to keep RealOne Player, we suggest you rename EVNTSVC.EXE to EVNTSVC.EXE.OLD (or REALSCHED.EXE to REALSCHED.OLD) as that is the only way to make absolutely certain that it never runs, and RealOne Player works fine without it.

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

Networking software which enables a program to access the PeerEnabler P2P Networking network, the file sharing network started by the developers of Kazaa. This program will have typically been installed by the KaZaA file sharing program, but there are other file sharing programs which also access the same network and which might have installed this component. Recommendation : You need it if you are using KaZaA, or a program which accesses the same PeerEnabler network. It can be de-installed via the "Add/Remove Programs" in the Control Panel. Note: the de-installation of Kazaa or similar programs does not automatically de-install P2P NETWORKING. If you use a file sharing program, and most specifically KaZaA, ensure you have up-to-date antivirus software that updates itself automatically daily ! Additionally, run a full manual virus scan of your PC on a weekly basis – you have been warned !

O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY

- Kazaalite is a file sharing client - not to be confused with the original Kazaa program. Unlike the original, this one does not contain any advertising or tracking mechanisms

O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE

- For Creative Soundblaster Live! series soundcards. Reminds you to register your card with Creative - you definitely don't need this.

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

- MSN Messenger utility. If you don't use MSN Messenger, this can be annoying. Available via Start -> Programs. Go to MS Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts"


Tablet
Premium
join:2003-01-15
Czech

reply to Zupe

said by Zupe:
said by Tablet:
Do you know what this is? It looks very suspicious:

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART.

It comes bundled with Kazaa, but isn't necessary for it to run - »www.kephyr.com/spywarescanner/li···ex.phtml

You are right, I didn't know this. The location in C:\WINDOWS\SYSTEM32 seemed suspicious to me.


Valoche

@199-136-217.adsl.sky

reply to Valoche
Damn guys... you are great!
Thank you so much! My laptop is reborn!

xxx
Val



whizkid3
Premium,MVM
join:2002-02-21
Queens, NY
kudos:6

reply to Valoche
Glad to hear it is working better. I wrote previously:

quote:
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

- Possible OBSORB VIRUS! or part of valid Norton AntiVirus.
But forgot to give you the link. Here it is:

»securityresponse.symantec.com/av···orb.html


valocheke

@202-201-80.adsl.skyn

mmmm... I did two live-scans (Panda and HouseCall...)
I did a Norton scan yesterday and nothing was found... should I delete it anyway?

I made a few of the adjustments you told me to do.
Here's the result:

Logfile of HijackThis v1.97.7
Scan saved at 15:43:06, on 14/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »fetew.rug.ac.be/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2003···an53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - »sc.groups.msn.com/controls/Photo···Upld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6675A22-81F4-4D81-AC8B-578BAA33C849}: NameServer = 192.168.123.254

How does it look?



Zupe
Premium,MVM
join:2001-11-29
New York, NY

Looks clean to me. CCAPP in that context is an integral part of NAV, you don't want to remove that. The entry would be different if it had anything to do with that virus.

As mentioned, you do have some things running that you may not need, but nothing else I'd consider spyware/malware.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?



valocheke

@3-201-80.adsl.skynet

reply to Valoche
It ain't over yet...

I was surfing, when suddenly my screen turned blue, saying windows had to be shut down...
"Driver IRQL not less or equal"

After starting up again, I got a warning: recovered from serious error (send error report, I did)

"Error Caused by a Device Driver

Thank you for submitting an error report. Unfortunately, we cannot provide you with specific information about how to resolve this problem at this time. The information that you and other users submit will be used to investigate this problem.

Analysis

A device driver installed on your system caused the problem, but we cannot determine the precise cause.

blablabla... "

So I tried a Windows Update as recommended and booted again...

same message: recovered from serious error...
(didn't send error report... )

So now everything looks all right but this really freaked me out because this is how all the problems started like a month ago...

Any idea what this is due to, or things I should do?

x
Val



whizkid3
Premium,MVM
join:2002-02-21
Queens, NY
kudos:6

reply to Valoche

quote:
I was surfing, when suddenly my screen turned blue, saying windows had to be shut down...
"Driver IRQL not less or equal"
Was there an external (or internal) device that suddenly started to be used at that time? Like perhaps a fax was coming in, etc?

What site were you visiting when it happened?


Valocheke

@201-201-80.adsl.skyn

reply to Valoche
I was on the site of my university (Ghent, Belgium) so I don't think that's the cause.

The only new hardware I have is a wireless network card...
I rang the guy who installed it and he'll come by Saturday to see if anything is wrong.

If that doesn't help I'll get back to you!

Thx
val

