TechSpot

*HELP* Strange program errors & seizures - Read for more details!

By rwnewson
Dec 26, 2004
  1. Hi. I'm trying to clean up my little brother's computer. He has a fairly new Windows 2000 computer. The problem is that he has gotten spyware so many times, and has installed shareware from the internet so many times... that he now has strange error messages popping up at system startup and shutdown.

    I ran the standard disk check / defrag / virus check and cleaned up all that crap. But still these things happen:
    At startup:
    1) An error message says "Error: Program execution failed."
    2) The recycle bin opens (???? I know eh)
    At shutdown:
    3) Some unknown program freezes and I have to click "End Program"
    Also:
    4) There is a file "sbw9xup.exe" on the desktop that refuses to be deleted or moved... it says "There has been a sharing violation." so it's stuck there.

    I have attached my HijackThis scan below. Can somebody PLEASE PLEASE look at this and tell me what might be the problem(s)? Also I don't know how to get a list of the startup programs in Win2000... I used to just go to msconfig.exe but there seems to be no such thing in Win2000.
    Logfile of HijackThis v1.95.0
    Scan saved at 10:59:39 PM, on 12/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\system32\Grxp4exe.exe
    C:\QuickTime\qttask.exe
    C:\winnt\system32\drivers\etc\rundll32.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\daemon\daemon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINNT\system32\P2P Networking\P2P Networking.exe
    C:\Program Files\Messenger Plus\MsgPlus.exe
    C:\Program Files\MoodLogic\Service\Updater.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINNT\system32\winprotect.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Skype\Phone\Skype.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\My Documents\Web Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.syihkugfjctnr.com/GOmZG1rrrllt16UUsLfIJss8jZ_jMlFZQv0fFaDCIrjyeerRrixr_87NXFT4O6Qw.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
    F0 - system.ini: Shell=Explorer.exe C:\WINNT\svchosts.exe
    F1 - win.ini: load=C:\WINNT\svchosts.exe
    F1 - win.ini: run=C:\WINNT\svchosts.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
    O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [rundll32] c:\winnt\system32\drivers\etc\rundll32.exe
    O4 - HKLM\..\Run: [hidden32] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\svchost.exe c:\winnt\system32\drivers\etc\ir.conf
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\daemon\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus\MsgPlus.exe"
    O4 - HKLM\..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
    O4 - HKLM\..\Run: [virtual] winprotect.exe
    O4 - HKLM\..\Run: [Generic Host Process] C:\WINNT\svchosts.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\RunServices: [virtual] winprotect.exe
    O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINNT\svchosts.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Skype] "C:\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {217234FC-041F-4F27-84AB-8329440C4DED} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4ca.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37962.5806597222
    O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
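The log above is long enough that a first pass by eye misses things, so here is an added example (not part of the thread, and not HijackThis code) that triages a HijackThis 1.x log offline. It answers the startup-list question by pulling every O4 entry out of the log, and it flags the patterns that are visible in this particular log: a file name one character away from a Windows system binary (svchosts.exe next to the real svchost.exe), a system binary name running from a directory other than C:\WINNT or C:\WINNT\system32, a program hung off system.ini Shell= or win.ini load=/run=, a Search Bar host that looks machine-generated, and an IE proxy pointing at localhost. The system-binary list, the directory whitelist and the vowel-ratio heuristic are this example's own assumptions; the sample log is a constructed subset of the one posted above.

```python
"""Offline triage of a HijackThis 1.x log: lists the O4 startup entries (the list the poster
could not get without msconfig) and flags the patterns visible in this thread. The heuristics
and the system-binary list are this example's own assumptions, not HijackThis logic."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")
StartupEntry = namedtuple("StartupEntry", "location name command")

SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe", "explorer.exe"}
LEGIT_DIRS = {r"c:\winnt\system32", r"c:\winnt"}   # %SystemRoot% on Windows 2000
EXE_RE = re.compile(r'[a-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)   # drive-letter paths ending in .exe
O4_RE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
HOST_RE = re.compile(r"=https?://([^/\s]+)", re.IGNORECASE)

def edit_distance_one(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def lookalike(name):
    """System binary that `name` impersonates (svchosts.exe -> svchost.exe), else None."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((real for real in SYSTEM_BINARIES if edit_distance_one(name, real)), None)

def check_exe(path, line):
    """Findings for one executable path, or bare file name, taken from a log line."""
    directory, _, name = path.lower().rpartition("\\")
    real = lookalike(name)
    if real:
        return [Finding(line, f"{name} is a lookalike of system binary {real}")]
    if name in SYSTEM_BINARIES and directory and directory not in LEGIT_DIRS:
        return [Finding(line, f"system binary name {name} running from {directory}")]
    return []

def check_hijack_host(line):
    """Heuristic: a Search Bar/Start Page host whose label has almost no vowels is machine-generated."""
    m = HOST_RE.search(line)
    label = m.group(1).lower().split(".")[-2] if m and "." in m.group(1) else ""
    letters = [c for c in label if c.isalpha()]
    if len(letters) >= 8 and sum(c in "aeiou" for c in letters) / len(letters) < 0.25:
        return [Finding(line, f"hijack target host {m.group(1)} looks machine-generated")]
    return []

def startup_entries(log_text):
    """Every O4 line as (location, name, command): Run keys plus Startup-folder .lnk entries."""
    entries = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            entries.append(StartupEntry(*m.groups()))
        elif line.startswith("O4 - ") and " = " in line:
            location, rest = line[5:].split(": ", 1)
            entries.append(StartupEntry(location, *rest.split(" = ", 1)))
    return entries

def triage(log_text):
    """Run every check over the log and return the findings in log order."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("F0 - ") and "Shell=" in line:
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(Finding(line, "system.ini Shell= launches more than Explorer.exe"))
        elif line.startswith("F1 - ") and re.search(r"\b(load|run)=\S", line):
            findings.append(Finding(line, "win.ini load=/run= carries a program; both should be empty"))
        elif line.startswith(("R0 - ", "R1 - ")):
            findings += check_hijack_host(line)
            if re.search(r"ProxyServer=(localhost|127\.0\.0\.1)", line):
                findings.append(Finding(line, "IE goes through a local proxy; fine only if a local "
                                              "filtering proxy such as Proxomitron is meant to be there"))
        exes = EXE_RE.findall(line)
        o4 = O4_RE.match(line)
        if o4 and not exes:                       # bare command such as "[virtual] winprotect.exe"
            exes = o4.group(3).split()[:1]
        for exe in exes:
            findings += check_exe(exe, line)
    return findings

# Constructed sample: a subset of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\winnt\system32\drivers\etc\rundll32.exe
C:\WINNT\Explorer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.syihkugfjctnr.com/GOmZG1rrrllt16UUsLfIJss8jZ_jMlFZQv0fFaDCIrjyeerRrixr_87NXFT4O6Qw.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:8080
F0 - system.ini: Shell=Explorer.exe C:\WINNT\svchosts.exe
F1 - win.ini: load=C:\WINNT\svchosts.exe
O4 - HKLM\..\Run: [hidden32] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\svchost.exe c:\winnt\system32\drivers\etc\ir.conf
O4 - HKLM\..\Run: [virtual] winprotect.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINNT\svchosts.exe
O4 - Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
"""
```

Run `triage(SAMPLE_LOG)` to get the findings and `startup_entries(SAMPLE_LOG)` for the startup list. Two caveats a practitioner should keep in mind: the lookalike check only catches names one edit away from the assumed list, so a name like winprotect.exe passes and has to be judged on its location and signer instead; and the localhost proxy finding is a "confirm" item, not a verdict, because a local filtering proxy legitimately sets exactly that value.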
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    That system is so riddled with viruses and trojans, it is almost unbelievable.
    Having no active Antivirus on that PC is even more stupid!
    Go here first and follow the instructions: http://vil.nai.com/vil/stinger/

    Then go to my post How to remove Begin2Search / Coolwebsearch
    and follow everything EXACTLY.
    Then post back with an "attached" hijackthis.txt with the .txt extension.
     
  3. rwnewson

    rwnewson TS Rookie Topic Starter Posts: 44

    Okay, I followed all of those instructions EXACTLY. Problem (1) in my original post seems to be fixed, but (2) and (4) still exist (that damned program on the desktop is still stuck & recycle bin keeps opening!) and (3) I haven't checked yet. I have attached the latest HijackThis scan so you can take a look at it. A couple of entries I was a bit unsure of.

    Thanks a lot!
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Print this out.

    Reboot in Safe Mode.

    Run Hijackthis with NO other programs open and let it "fix"

    C:\WINNT\system32\regsvc.exe
    C:\winnt\system32\drivers\etc\rundll32.exe
    C:\WINNT\system32\winprotect.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
    F0 - system.ini: Shell=Explorer.exe C:\WINNT\svchosts.exe
    F1 - win.ini: load=C:\WINNT\svchosts.exe
    F1 - win.ini: run=C:\WINNT\svchosts.exe
    O4 - HKLM\..\Run: [rundll32] c:\winnt\system32\drivers\etc\rundll32.exe
    O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
    O4 - HKLM\..\Run: [virtual] winprotect.exe
    O4 - HKLM\..\Run: [Generic Host Process] C:\WINNT\svchosts.exe
    O4 - HKLM\..\RunServices: [virtual] winprotect.exe
    O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINNT\svchosts.exe
    O16 - DPF: {217234FC-041F-4F27-84AB-8329440C4DED} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4ca.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37962.5806597222
    O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

    When done, delete these files:
    C:\winnt\system32\drivers\etc\rundll32.exe ===>> only the file at this location!!!
    C:\WINNT\system32\winprotect.exe
    C:\WINNT\svchosts.exe ===>> do not mix up with the REAL svchost.exe WITHOUT s after svchost
    C:\WINNT\satmat.exe

    Rightclick the "My Computer" icon on the desktop, select "Manage", click on the + in front of "Services and Applications", select "Services". In the screen on the right, scroll down until you find "Remote Registry Service".
    (This is the program regsvc.exe). Rightclick it, select Properties. Click on the "Stop" button and confirm.
    Now click on the selector next to the Startup Type and select "Disabled". Click Apply and OK at the bottom.

    Finally, go to www.grisoft.com and D/L and install the (free) AVG7 antivirus software.
     
  5. rwnewson

    rwnewson TS Rookie Topic Starter Posts: 44

    Okay, I did all that except:
    i) I don't think I should delete my proxy settings since proxomitron needs those in order for the internet to work
    ii) I could not find the files
    C:\WINNT\system32\winprotect.exe
    C:\WINNT\svchosts.exe
    anywhere on my computer... I searched the whole thing... nothing.

    Other than that I did everything but still problems (1), (3), & (4) remain.
    I even have AVG antivirus running as you said.

    Here's the latest scan. Any suggestions?
     
  6. rwnewson

    rwnewson TS Rookie Topic Starter Posts: 44

    I tried one more thing... I copied the msconfig.exe utility from a windows xp computer into my c:\winnt\system32 folder and now it seems to work perfectly. (I was annoyed that this utility didn't exist in Win2000 and I heard you can do this).

    Anyways, I ran it and saw that svchosts.exe was set to startup 3 times on that startup list, so I unchecked it as well as many other things I didn't need. But upon restart, svchosts.exe popped up again on that list! Please see the attached screenshot.

    I cannot find this file anywhere on my computer. I have "show hidden files" on, and I have searched for it in every folder, and I have even typed
    "del c:\winnt\svchosts.exe" in command prompt - it says file not found.

    And recycle bin still opens and I can't delete this exe file on my desktop. The desktop file seems to be an archive of drivers for a soundblaster card... I must have downloaded it sometime... but I don't think I even need those...

    Thanks!
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Get rid of proxomitron, the program is no longer supported (dead in other words).

    Look in the c:\winnt\win.ini at the start. Those 2 command lines should have nothing behind them:
    load=
    run=

    Run Regedit and do a "find" for runonce. Above it, you will find the key run with the entries of svchosts.exe. Highlight the key and press the Del key, then OK. Press F3 (=repeat find of runonce) and check other run-keys.

    You should repeat the HJT process from before. Those svchosts.exe entries should be gone now.

    I am suspicious about anything like C:\Program Files\NavNT\vptray.exe etc.
    That is not the normal installation pathname for Symantec/Norton stuff.
    Try to uninstall that, it is rubbish anyway. It will also clash with AVG.
    Do this first, then report back with a new HJT-log please.
     
  8. rwnewson

    rwnewson TS Rookie Topic Starter Posts: 44

    Okay, here's the deal.
    I restarted in safe mode and did everything you said. I deleted all of those "run" keys and I also searched for all entries of svchosts and deleted them too just in case. I ran hijackthis and deleted all the svchosts entries again. The problem is that my win.ini file does not have any entries of "run=" or "load=" as the HijackThis scan suggests. I have attached the win.ini file that I have just so you can see what I mean. I see no lines like that. Also I simply cannot find that svchosts.exe file anywhere still. It's like all this stuff is invisible... weird.

    Just as I think that all instances of svchosts.exe are gone, as soon as I restart they appear again! You can see in my latest HijackThis scan that they are still there! I deleted them before the restart... this is annoying.
     
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Logfile of HijackThis v1.95.0

    I did not catch this before, but YOU did NOT follow the instructions!
    Your Hijackthis is a couple of versions behind! Update it NOW!

    Then check in C:\WINNT\system.ini for Shell=Explorer.exe C:\WINNT\svchosts.exe
    In theory, there should be no such Shell= line, but that could be a quirk from an older HJT.
    The same probably applies to the win.ini file

    Also, get rid of Proxomitron as I told you. The author of that program sadly died, so it is no longer supported. http://computercops.biz/article-topic-41.html

    And uninstall those programs from C:\Program Files\NavNT\....
    Then post a fresh HJT.txt
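The exchange in the last three posts (win.ini shows no load=/run= line, yet the scanner keeps reporting one) has a concrete explanation on the NT family that is worth checking directly. On Windows NT/2000 the win.ini [windows] load= and run= settings are read from the registry values Load and Run under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, and the system.ini [boot] shell= setting from the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the IniFileMapping mechanism), so the .ini file on disk can be clean while the registry copy still carries the payload and is re-applied at every logon. The added example below (not from the thread, and not HijackThis code) parses both the .ini files and a regedit export of those two keys and reports each setting that deviates from the clean Windows 2000 baseline, tagged with the source it came from. The sample inputs are constructed to mirror the thread: clean files, dirty registry.

```python
"""Compare the two legacy autostart channels HijackThis reports as F0/F1 (system.ini shell=,
win.ini load=/run=) against their registry-mapped copies on Windows NT/2000.
Added example with constructed inputs; the mapping table is the OS's IniFileMapping layout."""
import re
from collections import namedtuple

Deviation = namedtuple("Deviation", "source setting value expected")

MAPPED = {  # (file, section, key) -> (registry key holding the live copy, value name)
    ("win.ini", "windows", "load"): (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows", "Load"),
    ("win.ini", "windows", "run"): (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows", "Run"),
    ("system.ini", "boot", "shell"): (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
}
BASELINE = {"load": "", "run": "", "shell": "explorer.exe"}   # clean Windows 2000 values, lower-cased

def parse_ini(text):
    """Minimal INI reader: {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def parse_reg_export(text):
    """Read an already-decoded regedit export (REGEDIT4 or 'Version 5.00' text) into
    {key path: {value name: string}}, both lower-cased. Only "Name"="string" values are kept;
    regedit writes backslashes as \\\\ and quotes as \\" inside strings, which is undone here."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys

def check_persistence(win_ini_text, system_ini_text, reg_export_text):
    """Return every deviation from BASELINE, checking the file copy and the registry copy of each
    setting separately, so a registry-only payload is reported under its registry key."""
    inis = {"win.ini": parse_ini(win_ini_text), "system.ini": parse_ini(system_ini_text)}
    reg = parse_reg_export(reg_export_text)
    deviations = []
    for (fname, section, key), (reg_key, reg_name) in MAPPED.items():
        file_val = inis[fname].get(section, {}).get(key, "")
        reg_val = reg.get(reg_key.lower(), {}).get(reg_name.lower(), "")
        for source, value in ((fname, file_val), (reg_key, reg_val)):
            if value.lower() != BASELINE[key]:
                deviations.append(Deviation(source, key, value, BASELINE[key]))
    return deviations

# Constructed inputs mirroring the thread: the .ini files read clean, the registry copies do not.
SAMPLE_WIN_INI = """\
; for 16-bit app support
[fonts]
[extensions]
[windows]
NullPort=None
"""
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
[drivers]
wave=mmdrv.dll
"""
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINNT\\svchosts.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\WINNT\\svchosts.exe"
"Run"="C:\\WINNT\\svchosts.exe"
"""
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"=""
"Run"=""
"""
```

To use it on a real box, export the two keys from regedit (Registry > Export Registry File) and pass the decoded text together with the contents of C:\WINNT\win.ini and C:\WINNT\system.ini to `check_persistence`; "Version 5.00" exports are Unicode text, so open them with a UTF-16 decoder. A deviation whose source is a registry key while the file copy reads clean is exactly the situation in this thread, and the Shell value under Winlogon is the one that survives Run-key deletions because Winlogon, not Explorer, reads it at logon.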
     