Adware Problems - HJT.txt included

Status
Not open for further replies.
I am having issues with adware. About every five or ten minutes my active window will become inactive and a new process will have started in my task manager named "iexplorer". If I leave my computer for a few hours, it will continue to open more of the same task until it eats up all the memory in my computer. I have run Ad-Aware SE, Spybot - Search & Destroy, and Norton Anti-virus. All the results are the same, stating that my computer is not infected. But I still get the same problem. Below is my HJT log.

----------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:43:58 AM, on 6/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000

---------------------------------------------------------------------

Any help would be appreciated.

Thank you.
 
Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

loadqm.exe
Next, run a HJT scan and place a tick-mark in the little square before (if still there):
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
Now click on the Fix Checked button in HJT.

When done, delete the highlighted bold file.

Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].

Boot normal. When all OK, switch System Restore back on.
 
Please download CleanUp. CleanUp! is a tool for taking care of all those uuencoded files on your system. This program will find and delete all temporary files that are taking up your disk space. Click yes to log off when asked.
 
No Luck. I re-ran HJT. Here are the results.

------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:49:52 AM, on 6/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000

-----------------------------------------------------------------------

Here is a list of items in my task manager when the problem occurs.

Zapro
Devldr16
Navapw32
Atiptaxx
Systray
Rundll32
Ahqtb

Do you think it could be related to Norton Antivirus or ZoneAlarm?

Thank you for your help.
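
Added example, not part of the original posts: a short Python script that parses the O4 (autostart) lines of two HijackThis logs, reports which entries disappeared between scans, and lists entries whose command has no drive-qualified path. The sample lines are a subset of the two logs above; the function names are illustrative.

```python
import re

# Constructed samples: a subset of the O4 lines from the two logs in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
"""

# Registry autoruns: "O4 - <hive>\..\<key>: [<value name>] <command>"
REG_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
# Startup-folder shortcuts: "O4 - [Global ]Startup: <shortcut> = <target>"
LNK_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")

def parse_o4(log):
    """Map (location, name) -> command for every O4 line in a log."""
    entries = {}
    for line in log.splitlines():
        m = REG_RE.match(line.strip()) or LNK_RE.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3)
    return entries

def diff_o4(before, after):
    """Return (removed, added) entry keys between two scans."""
    b, a = parse_o4(before), parse_o4(after)
    return sorted(b.keys() - a.keys()), sorted(a.keys() - b.keys())

def unqualified(log):
    """Entries whose command does not start with a drive-qualified path.
    Windows resolves these through its search order, so the log alone does
    not say which file on disk is launched; check the file itself."""
    return sorted(k for k, cmd in parse_o4(log).items()
                  if not re.match(r'^"?[A-Za-z]:\\', cmd))

if __name__ == "__main__":
    removed, added = diff_o4(LOG_BEFORE, LOG_AFTER)
    print("removed:", removed)
    print("added:  ", added)
    print("verify on disk:", unqualified(LOG_AFTER))
```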
 
Name: [Systray driver]
Status: X
File: systray.exe

Added by the IRC.MUTEBOT
-------------------------------------
Name: [Systray]
Status: X
File: Systray_.Exe

Added as a result of the http://securityresponse.symantec.com/avcenter/venc/data/w32.kergez.a@mm.html KERGEZ.;; VIRUS!
----------------------------------------
Name: [SystemTray]
Status: X
File: SysTray.exe

Added by the IRC.ALADINZ.P http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.p.html TROJAN! Note - this is not the legitimate systray.exe
-------------------------------------------
Name: [SystemTray]
Status: X
File: SystemTray.exe

Added by the BIGFOOT http://www.symantec.com/avcenter/venc/data/backdoor.bigfoot.html TROJAN! Note - this is not the valid SystemTray (SysTray.exe)
------------------------------------------

So I guess it must be fixed!
 
I'll just say, I had a program called lexplore running which was definitely a virus. I'm not sure if you meant that, as iexplore is usually Internet Explorer, but I had it for ages, ran Spybot, Ad-Aware and Norton and couldn't get rid of it, searched for it and couldn't find any related files, then one day it just vanished; I hadn't done anything and it just stopped loading. Not sure how relevant this is, but if anyone knows what's going on I'd appreciate it as well, so I know what to do if it comes back, and hopefully anyone else who gets it can deal with it.
 
I removed the SysTray from my Startup using HJT. This did not fix the problem. The name that is displayed in the task manager is "Iexplorer", and I was not referring to Internet Explorer, although they could be related. rv13uk, did your computer create another "Iexplorer" approximately every 5 minutes? I have been timing mine, and that seems to be the duration between them loading.

I thank everyone for their input so far.
 
RE: Adware Problems

An answer was finally found. You can see the entire thread at http://www.forum.chip.com.my/showthread.php?p=40649#post40649

I did a scan at "http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm" and found a program called Look2Me and a couple of other adware programs that were not found with SpyBot or AdAware SE. After removing the infected items, my problems are solved.

Thank you to everyone here who helped me.
 
Steve05 said:
Try posting your whole HijackThis in here! That will definitely solve your problem... there are many HT experts out there and they won't point you to use HijackThis Analysis Site! :cool:

Someone seems to be pissed off here, just because someone was asked to take the finger out and do something by someone self! Someone can get a log checked at that analysis site, if that is all someone wants (and that is all someone asked).
No further comments, your honour.
 