RE: Snapshot of running processes

Will46WL
Posted: Sat May 08, 2004 2:33 pm    Post subject: RE: Snapshot of running processes

Hi,

I'm having problems with my computer---I wrote to you about this problem and was told that you would need a copy of my computer's running processes---you suggested that I download "HiJackthis" which I did and I did a scan---which you see below.

I would really appreciate a solution to this annoying problem (mainly what's been happening is that my computer is VERY slow in bringing up web sites and also, when I click on "New Document" on the "Start" menu--the Microsoft Word program comes up on the screen, but when I click on "Blank Document" nothing happens---same thing with "Open Document." Also, when I click on "Mail" on the upper tool bar--and click on "read mail" it takes almost a minute for it to appear.)

Here's the scan---thanks for your help! Will

Logfile of HijackThis v1.97.7
Scan saved at 1:09:42 PM, on 5/8/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DRMON\SMARTAGT\SMARTAGT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\OMNIPAGEPRO9\OPWARE32.EXE
C:\WINDOWS\SYSTEM\COMSMD.EXE
C:\OMNIPAGEPRO9\opware16.exe
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\SYSTEM\WINDOW.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\DESKTOP WEATHER\DESKTOPWEATHER_569000.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\PHOTOWISE\QUICKLNK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DRWATSON.EXE
C:\UTILITIES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:\WINDOWS\s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.linkfind.com/iebar/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\SYSTEM\MSMK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OmniPage] C:\OmniPagePro9\opware32.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\SYSTEM\pc32.exe bg
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\MCAFEE VIRUS SCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [Mass Storage Check Registry] rundll32.exe c:\windows\SYSTEM\ShellExt\MSDServ.dll,CheckRegistry
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\SYSTEM\window.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.NEW,Install
O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_569000.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Camio Viewer.lnk = C:\Program Files\PhotoWise\quicklnk.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {72133CC5-DE1E-42FE-B8B0-93D2C6C3472E} (FillerX Class) - http://www.formatta.com/download/pffloader.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...mv9VCM.CAB
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//396754/main.chm::/load.exe

CalamityJane
Posted: Sun May 09, 2004 3:41 pm

Hi Will46WL,

First, you are infected with a virus. Please go to your desktop and press Ctrl>Alt>Del on a blank spot. This will bring up a box of your running processes. Locate any instances of the following in the list:

C:\WINDOWS\WINLOGON.EXE

C:\WINDOWS\SYSTEM\WINDOW.EXE

Click on one at a time of those files listed above to highlight it and then press *end task*

Without rebooting go to one (preferably two) of the following and get a free online AV scan. Choose to clean and let it delete any infected files found.

Panda's Active Scan
http://www.pandasoftware.com/activescan...ncipal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx


Save the report at the end as a text file and copy back here so we can advise what further steps may be needed according to the infection found.

Then reboot your PC between cleanings.

Next you need to download and run a special tool for a CoolWebSearch hijacker you have:

CWShredder.
Download it here:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe


Just download it, and click on it (You will need to have all browsers and any open windows closed). Hit the *Fix* button to run it. Let it fix what it finds. When done, press *next* and you will get the results, and then *exit*

Reboot your PC once more. Scan again with HijackThis and post a new log back here in this thread (please do NOT start another new topic) along with the results of your AV scan. There will be more to do.

I suggest you bookmark this thread or put it in your favorites so it will be easy for you to find and reply to :)

_________________
Microsoft MVP 2003/2004
Windows - Security

Will46WL
Posted: Sun May 09, 2004 9:56 pm

Hi,

First of all, THANK-YOU for getting back to me so soon---I read your reply and went to my desktop and hit "CTRL-ALT-DEL" but I couldn't find either WINLOGON.EXE or WINDOW.EXE. I did find two things that said, "Window" and "Winlogon."

I had the idea to click on "Start" on the desktop and then "FIND" and then "files/folders" (or it could have been "computer.") Anyway, I typed in both "WINLOGON.EXE" and "WINDOW.EXE" and they both came up! This is how they came up: "C:\WINDOWS\WINLOGON.EXE" and "C:\WINDOWS\SYSTEM\WINDOW.EXE."

But, as I said, they don't come up when I type in "CTRL-ALT-DEL."

You know, I was so desperate for a solution that I looked on Google for anti-virus, etc. software and I found one that seemed that was recommended---it is called "NoAdware." NoAdware stated that they would do a free scan---well, I downloaded it and started their "free" scan---it took THREE hours to do the scan and it found 5 "parasites." When I went to delete these parasites, it took me to a screen where I would have to register to buy the program for $29.95! I almost bought it because I was so upset about my computer problems, but then I got Calamity Jane's e-mail and decided I would wait and see if Computer Cops wouldn't do a better job for me---so--I hope that you can help me and I DO appreciate any assistance that you can give.

Sincerely,

Will

CalamityJane
Posted: Sun May 09, 2004 11:02 pm

Hi Will,

Do not spend money on those programs! We can do this here for free. There is no need to buy anything.

Ok. You did good. Let's try again.

Go to your desktop and press Ctrl>Alt>Del and where you see those files in the list:

"Window"

and

"Winlogon."

Yes, those are the bad ones. *Click* on those and it will be highlighted. Then *press End Process* - do the next one. Then close that box (the x in the upper right corner)

Next, go to these sites and get a free online AV scan and let them delete any infected files that they find. Save the report at the end.

Panda's Active Scan
http://www.pandasoftware.com/activescan...ncipal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com


Save the report at the end as a text file and copy back here so we can advise what further steps may be needed according to the infection found.

Then reboot your PC between cleanings.

_________________
Microsoft MVP 2003/2004
Windows - Security

Will46WL
Posted: Mon May 10, 2004 8:57 am

Hi again,

I tried to do as you asked but something seems to be wrong. I hit CTRL-ALT-DEL and the box came up---I highlighted "Window" and the buttons below read, "End Task," "Shut Down," and "Cancel." I clicked on "End Task," and another box popped up---it read, "This program is not responding. It may be busy, waiting for a response or it may have stopped running.

- Click Cancel to ignore and return to Windows.

- To Close this program immediately, Click End Task. You will lose any unsaved information in this program.

End Task/Shut Down/Cancel."

HELP!

(I also get this message every time I try to shut down the computer--then the screen freezes and I wind up just shutting off the switch to the computer to turn it off.)

ALSO--the following message just popped up on my computer when I was writing this message to you---

"eTrust EZ Antivirus real-time protection has found that C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\HRSBL4W6\MODULES[1].HTM is HTML.MHTMLRedir.exploit trojan. Not Cleaned."

I hope that you can help me---this is getting to be very frustrating & upsetting.

Thank-you!

Will

CalamityJane
Posted: Mon May 10, 2004 1:12 pm

Ok, let's try another method.

Please follow these steps, print out a copy of this instruction so you have it to follow it while doing the fixes as they will need to be done in SAFE MODE

Make sure your PC is configured to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/ts...ec_doc_nam

Scan with HijackThis and when it finishes, put an x in the boxes next to these items, then press *fix checked*

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\SYSTEM\pc32.exe bg

O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\SYSTEM\window.exe

O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.NEW,Install

O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//396754/main.chm::/load.exe

While still in SAFE MODE - rename these files (replace the extension exe to old):

This one directly in the Windows folder
c:\windows\winlogon.exe <-- rename to winlogon.old

This one in the Windows\System folder
C:\WINDOWS\SYSTEM\window.exe <--rename to window.old

Reboot back into normal mode.

Get an online AV scan at one of the above sites to remove all infected files and reboot after cleaning.

Then download this small free tool
CWShredder.
Download it here:

http://www.spywareinfo.com/downloads/tools/CWShredder.exe

Just download it, and click on it (You will need to have all browsers and any open windows closed). Hit the *Fix* button to run it. Let it fix what it finds. When done, press *next* and you will get the results, and then *exit*

Reboot after cleaning with CWShredder

Then, please scan once more with HijackThis and let us see a new log :)

_________________
Microsoft MVP 2003/2004
Windows - Security
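
As an added illustration (not part of the thread and not code from HijackThis or either poster), this Python sketch applies three simple triage heuristics to an excerpt of the log from the first post. The rules, the NT-only process list and the rundll32 extension list are this example's assumptions.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted at the top of this thread, copied verbatim.
SAMPLE_LOG = r"""Platform: Windows 98 Gold (Win9x 4.10.1998)
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\RunServices: [Mass Storage Check Registry] rundll32.exe c:\windows\SYSTEM\ShellExt\MSDServ.dll,CheckRegistry
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.NEW,Install
O4 - Startup: Camio Viewer.lnk = C:\Program Files\PhotoWise\quicklnk.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//396754/main.chm::/load.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\\w+: \[[^\]]*\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<src>.+)$")
RUNDLL_RE = re.compile(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<target>[^,]+)', re.I)
# Assumption (not stated in the thread): these images exist only on NT-family
# Windows, so an autorun naming one on a Win9x host is a masquerade.
NT_ONLY_RE = re.compile(r'(?:^|[\\"\s])(winlogon|csrss|smss|lsass)\.exe\b', re.I)
# Assumption: extensions rundll32 normally loads; "" covers "rundll32 shell32,..." calls.
LOADABLE_EXT = {"", ".dll", ".cpl", ".ocx", ".drv"}


def check_autorun(cmd, is_win9x):
    """Return a reason string if an O4 command line looks wrong, else None."""
    m = NT_ONLY_RE.search(cmd)
    if is_win9x and m:
        return f"{m.group(1).lower()}.exe is an NT-only process name on a Win9x host"
    m = RUNDLL_RE.match(cmd)
    if m:
        ext = ntpath.splitext(m.group("target").strip().strip('"'))[1].lower()
        if ext not in LOADABLE_EXT:
            return f"rundll32 loads a file with unusual extension {ext}"
    return None


def check_dpf(src):
    """O16 codebases are normally plain http(s) download URLs."""
    if not src.lower().startswith(("http://", "https://")):
        scheme = src.split(":", 1)[0].lower()
        return f"ActiveX codebase uses non-HTTP scheme {scheme}:"
    return None


def triage(log_text):
    """Return [(log line, reason)] for entries that deserve a closer look."""
    lines = log_text.splitlines()
    is_win9x = any(ln.startswith("Platform:") and "Win9x" in ln for ln in lines)
    findings = []
    for line in lines:
        entry = ENTRY_RE.match(line.strip())
        if not entry:
            continue
        code, body, reason = entry.group("code"), entry.group("body"), None
        if code == "O4":
            m = O4_RE.match(body)
            if m:
                reason = check_autorun(m.group("cmd"), is_win9x)
        elif code == "O16":
            m = O16_RE.match(body)
            if m:
                reason = check_dpf(m.group("src"))
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[review] {reason}\n         {line}")
```

On this thread's log the rules pick out the winlogon, IMAGE.NEW and ms-its entries but not window.exe or pc32.exe, which still take an analyst who recognises the names.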

Will46WL
Posted: Mon May 10, 2004 2:58 pm    Post subject: Re: A Question About Your Instructions

Hi again,

I understand all of the instructions about this "other method" except one:

About half way down your instructions, you ask me to "Rename these files (replace the extension exe to old):

This one directly in the Windows folder, etc.

My question is, "I don't know how to access the Windows folder, and---once I'm there, is it fairly straightforward to rename the file?"

I have the same question for how to get into the "Windows/System folder."

The rest of your instructions are very clear and I don't think that I'll have a problem going through them.

AGAIN---MANY thanks for your time & effort---it IS appreciated!

Will

Will46WL
Posted: Mon May 10, 2004 3:46 pm    Post subject: RE: I think I figured it out!

Hi again,

I think that I figured out how to go to the Windows folder and the Windows/System folder---so, I went into SAFE MODE, scanned with HiJack This and put x's in all of the boxes you wanted me to---I then went into the Windows & Windows/System folders and renamed those two files---I then rebooted and will now finish your instructions ("Get an online AV scan & download CWShredder.") I just wanted to post this to you so that you wouldn't have to send me the instructions for finding the Window folder on my computer.

I will now finish doing all of the rest of your instructions & post a new log for you to take a look at.

Many thanks,

Will

CalamityJane
Posted: Mon May 10, 2004 3:51 pm

Hi Will, no problem :)

Go to *My Computer* on your desktop and click on it. Then click on your ( C: ) drive. Look for the folder *Windows*. Open the folder and then click on *show files* under the big name WINDOWS on the left. Scroll down past the yellow folders until you see a file named winlogon.exe. Right-click on it once (do NOT left click). A menu will pop up....down near the bottom of the menu choose *rename* and you will get a little box with the name of the file in there. Just type in: winlogon.old. That will rename it.

Next, while you are in the Windows folder, scroll up to a yellow folder named System (not system32 - just system). Open that and click on *show files* under the big name SYSTEM on the left. Find the file named window.exe and rename it to window.old Then exit. You will need to do that while you are in safe mode so copy and print out these instructions so you have them handy to follow.

_________________
Microsoft MVP 2003/2004
Windows - Security

Will46WL
Posted: Mon May 10, 2004 4:46 pm

Hi again,

Well, I tried two of the anti virus programs---one was downloading and then stopped downloading and gave me an error message---and the other one---I downloaded it alright, but when I hit the scan button---it brought up the "scan" screen---but, after 10 minutes, it still had not scanned anything (it showed "0" files scanned for about 10 minutes.) Then I just got out of the web site.

So, I will go to one of the other AV programs that you have kindly listed above (I used Panda and House Call.)

As I said, I did find the Window & Window/System folder and renamed the files you wanted me to ---but I see that most recent reply is giving me instructions on how to find the folders and rename them---I am going to follow those instructions just to be sure that the files really did get renamed.

Thanks AGAIN!

Will

CalamityJane
Posted: Mon May 10, 2004 5:21 pm

Sounds good Will. Sometimes Panda and Housecall do get a bit too busy and their servers won't work well, so do try the others - they should find those infections as well.

Oh, I forgot to tell you - after you rename them, reboot your PC and then go get the online scans...otherwise they can't delete the infected ones.

I could have had you delete those files but felt it was safer to rename them in case you accidentally got the wrong one (we can undo a rename, but can't undelete).

Renaming it disables the infected file so the worm can't run and then the online AV scanners will find and delete the right ones just to be sure :) So if they say they can't "repair" a file, choose "delete" when they find an infected file.

_________________
Microsoft MVP 2003/2004
Windows - Security

Will46WL
Posted: Mon May 10, 2004 6:05 pm

Hi again,

Well, I tried House Call again and it worked fine---it found two infected files---each file stated that they were "uncleanable" so I thought that I should just delete them---I pressed "delete" and got this message (for both files:)

"Unable to delete the infected entire contents of the compressed file 'C:\WINDOWS\TEMP\TemporaryInternetFiles.\Content lE5\CVE94FCN\track[1].jsejA---Do you want to delete whole file?" Yes or No.

I was afraid to say Yes, so I said No---I was concerned that I would be deleting an important program on my computer---so, I just need to know---should I go back and do the scan again, and choose "YES" when asked to delete the whole file?

Many Thanks (Your service is really incredibly helpful!)

Will

CalamityJane
Posted: Mon May 10, 2004 6:28 pm

Yes, you want to delete the whole file. So do scan again and then reboot after you are done. Then scan again with HijackThis and post a new log so I can see where we are at that point :)
_________________
Microsoft MVP 2003/2004
Windows - Security

Will46WL
Posted: Tue May 11, 2004 8:32 am    Post subject: RE: HiJack This log

Hi again,

I did a scan with House Call and deleted the infected files---I also cleaned with CWShredder---I did a scan with HiJack This and tried to save it in "My Documents" but I got the following message:

"An error occurred while loading the file C:\MyDocuments\hijackthis.log."

"The file is damaged or is not a valid Dr. Watson log file."

I'm not sure how to show you the new log without copying each entry by hand and typing it in here---is there a way to copy it so that I can paste it here?

Many thanks,

Will

CalamityJane
Posted: Tue May 11, 2004 11:21 pm

Ok. Scan with HijackThis and save the file to somewhere you can remember. Then reply here and attach it to your reply (scroll down and you will see a box to browse to the file name to attach) :)
_________________
Microsoft MVP 2003/2004
Windows - Security

All times are GMT - 5 Hours
Page 1 of 8