*HELP* Strange program errors & seizures - Read for more details!


rwnewson

Hi. I'm trying to clean up my little brother's computer. He has a fairly new Windows 2000 computer. The problem is that he has gotten spyware so many times, and has installed shareware from the internet so many times... that he now has strange error messages popping up at system startup and shutdown.

I ran the standard disk check / defrag / virus check and cleaned up all that crap. But still these things happen:
At startup:
1) An error message says "Error: Program execution failed."
2) The recycle bin opens (???? I know eh)
At shutdown:
3) Some unknown program freezes and I have to click "End Program"
Also:
4) There is a file "sbw9xup.exe" on the desktop that refuses to be deleted or moved... it says "There has been a sharing violation." so it's stuck there.

I have attached my HiJackThis scan below. Can somebody PLEASE PLEASE look at this and tell me what might be the problem(s)? Also I don't know how to get a list of the startup programs in Win2000... I used to just go to msconfig.exe but there seems to be no such thing in Win2000.
Logfile of HijackThis v1.95.0
Scan saved at 10:59:39 PM, on 12/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\Grxp4exe.exe
C:\QuickTime\qttask.exe
C:\winnt\system32\drivers\etc\rundll32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\daemon\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\Messenger Plus\MsgPlus.exe
C:\Program Files\MoodLogic\Service\Updater.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\winprotect.exe
C:\WINNT\system32\ctfmon.exe
C:\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\WINNT\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Documents\Web Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.syihkugfjctnr.com/GOmZG1rrrllt16UUsLfIJss8jZ_jMlFZQv0fFaDCIrjyeerRrixr_87NXFT4O6Qw.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
F0 - system.ini: Shell=Explorer.exe C:\WINNT\svchosts.exe
F1 - win.ini: load=C:\WINNT\svchosts.exe
F1 - win.ini: run=C:\WINNT\svchosts.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rundll32] c:\winnt\system32\drivers\etc\rundll32.exe
O4 - HKLM\..\Run: [hidden32] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\svchost.exe c:\winnt\system32\drivers\etc\ir.conf
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus\MsgPlus.exe"
O4 - HKLM\..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [virtual] winprotect.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINNT\svchosts.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\RunServices: [virtual] winprotect.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINNT\svchosts.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Skype] "C:\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {217234FC-041F-4F27-84AB-8329440C4DED} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4ca.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37962.5806597222
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
 
Okay, I followed all of those instructions EXACTLY. Problem (1) in my original post seems to be fixed, but (2) and (4) still exist (that damned program on the desktop is still stuck & recycle bin keeps opening!) and (3) I haven't checked yet. I have attached the latest HiJackThis scan so you can take a look at it. A couple entries I was a bit unsure of.

Thanks a lot!
 
Print this out.

Reboot in Safe Mode.

Run Hijackthis with NO other programs open and let it "fix"

C:\WINNT\system32\regsvc.exe
C:\winnt\system32\drivers\etc\rundll32.exe
C:\WINNT\system32\winprotect.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
F0 - system.ini: Shell=Explorer.exe C:\WINNT\svchosts.exe
F1 - win.ini: load=C:\WINNT\svchosts.exe
F1 - win.ini: run=C:\WINNT\svchosts.exe
O4 - HKLM\..\Run: [rundll32] c:\winnt\system32\drivers\etc\rundll32.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [virtual] winprotect.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINNT\svchosts.exe
O4 - HKLM\..\RunServices: [virtual] winprotect.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINNT\svchosts.exe
O16 - DPF: {217234FC-041F-4F27-84AB-8329440C4DED} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4ca.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37962.5806597222
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

When done, delete the bold files:
C:\winnt\system32\drivers\etc\rundll32.exe ===>> only the file at this location!!!
C:\WINNT\system32\winprotect.exe
C:\WINNT\svchosts.exe ===>> do not mix up with the REAL svchost.exe WITHOUT s after svchost
C:\WINNT\satmat.exe

Right-click the "My Computer" icon on the desktop, select "Manage", click on the + in front of "Services and Applications", select "Services". In the screen on the right, scroll down until you find "Remote Registry Service".
(This is the program regsvc.exe). Right-click it, select Properties. Click on the "Stop" button and confirm.
Now click on the selector next to the Startup Type and select "Disabled". Click Apply and OK at the bottom.

Finally, go to www.grisoft.com and D/L and install the (free) AVG7 antivirus software.
 
Okay, I did all that except:
i) I don't think I should delete my proxy settings since proxomitron needs those in order for the internet to work
ii) I could not find the files
C:\WINNT\system32\winprotect.exe
C:\WINNT\svchosts.exe
anywhere on my computer... I searched the whole thing... nothing.

Other than that I did everything but still problems (1), (3), & (4) remain.
I even have AVG antivirus running as you said.

Here's the latest scan. Any suggestions?
 
I tried one more thing... I copied the msconfig.exe utility from a windows xp computer into my c:\winnt\system32 folder and now it seems to work perfectly. (I was annoyed that this utility didn't exist in Win2000 and I heard you can do this).

Anyways, I ran it and saw that svchosts.exe was set to startup 3 times on that startup list, so I unchecked it as well as many other things I didn't need. But upon restart, svchosts.exe popped up again on that list! Please see the attached screenshot.

I cannot find this file anywhere on my computer. I have "show hidden files" on, and I have searched for it in every folder, and I have even typed
"del c:\winnt\svchosts.exe" in command prompt - it says file not found.

And recycle bin still opens and I can't delete this exe file on my desktop. The desktop file seems to be an archive of drivers for a soundblaster card... I must have downloaded it sometime... but I don't think I even need those...

Thanks!
 
Get rid of proxomitron, the program is no longer supported (dead in other words).

Look in the c:\winnt\win.ini at the start. Those 2 command lines should have nothing behind them:
load=
run=

Run Regedit and do a "find" for runonce. Above it, you will find the key run with the entries of svchosts.exe. Highlight the key and press the Del key, then OK. Press F3 (=repeat find of runonce) and check other run-keys.

You should repeat the HJT process from before. Those svchosts.exe entries should be gone now.

I am suspicious about anything like C:\Program Files\NavNT\vptray.exe etc.
That is not the normal installation pathname for Symantec/Norton stuff.
Try to uninstall that, it is rubbish anyway. It will also clash with AVG.
Do this first, then report back with a new HJT-log please.
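As an added illustration (not code from this thread, and not a HijackThis feature), the Python pass below applies the checks the two replies above describe to HJT log lines: a Shell= line in system.ini that chains a second program, non-empty load=/run= lines in win.ini, autostart entries whose filename imitates a genuine system binary (svchosts.exe versus svchost.exe), and autostart entries running from an odd folder such as system32\drivers\etc. The sample lines are constructed from entries quoted in this thread; the helper names are my own.

```python
import re

# Constructed sample modelled on the HijackThis lines quoted in this thread
# (same paths and names as the log above; not the full log).
SAMPLE_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINNT\svchosts.exe
F1 - win.ini: load=C:\WINNT\svchosts.exe
F1 - win.ini: run=
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [rundll32] c:\winnt\system32\drivers\etc\rundll32.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINNT\svchosts.exe
O4 - HKLM\..\RunServices: [virtual] winprotect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
"""
# Genuine Windows binaries whose names get imitated by adding one letter.
GENUINE = {"svchost.exe", "rundll32.exe", "explorer.exe", "lsass.exe"}
ODD_DIRS = ("\\drivers\\etc\\",)   # no autostart belongs under system32\drivers\etc
EXE_RE = re.compile(r'([^"\s][^"]*?\.exe)', re.I)

def lookalike(name):
    """Return the genuine name that `name` imitates (one extra letter), else None."""
    n = name.lower()
    for g in GENUINE:
        if len(n) == len(g) + 1 and any(n[:i] + n[i + 1:] == g for i in range(len(n))):
            return g
    return None

def triage(log_text):
    """Return (line, reason) pairs for the suspicious patterns named in the thread."""
    findings = []
    for line in log_text.splitlines():
        kind, _, rest = line.partition(" - ")
        value = rest.partition("=")[2].strip()
        if kind == "F0" and "shell=" in rest.lower() and value.lower() != "explorer.exe":
            findings.append((line, "extra program chained to Shell="))
        elif kind == "F1" and value:
            findings.append((line, "win.ini load=/run= should be empty"))
        elif kind == "O4":
            m = EXE_RE.search(rest.split("] ", 1)[-1])   # first .exe after the [name]
            if not m:
                continue
            path = m.group(1).lower()
            if any(d in path for d in ODD_DIRS):
                findings.append((line, "autostart from non-standard folder"))
            g = lookalike(path.rsplit("\\", 1)[-1])
            if g:
                findings.append((line, "name imitates " + g))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the Shell= line, the load= line, the rundll32.exe copy under drivers\etc and the svchosts.exe entry, and leaves the legitimate entries alone.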
 
Okay, here's the deal.
I restarted in safe mode and did everything you said. I deleted all of those "run" keys and I also searched for all entries of svchosts and deleted them too just in case. I ran hijackthis and deleted all the svchosts entries again. The problem is that my win.ini file does not have any entries of "run=" or "load=" as the HiJackThis scan suggests. I have attached the win.ini file that I have just so you can see what I mean. I see no lines like that. Also I simply cannot find that svchosts.exe file anywhere still. It's like all this stuff is invisible... weird.

Just as I think that all instances of svchosts.exe are gone, as soon as I restart they appear again! You can see in my latest HiJackThis scan that they are still there! I deleted them before the restart... this is annoying.
 
Logfile of HijackThis v1.95.0

I did not catch this before, but YOU did NOT follow the instructions!
Your Hijackthis is a couple of versions behind! Update it NOW!

Then check in C:\WINNT\system.ini for Shell=Explorer.exe C:\WINNT\svchosts.exe
In theory, there should be no such Shell= line, but that could be a quirk from an older HJT.
The same probably applies to the win.ini file

Also, get rid of Proxomitron as I told you. The author of that program sadly died, so it is no longer supported. http://computercops.biz/article-topic-41.html

And uninstall those programs from C:\Program Files\NavNT\....
Then post a fresh HJT.txt
 