My problem is like the others, only i dont understand what this "hijackthis" log file shows me, so im not gonna touch it until i can get some help:

Description of problem:
When i try to open my 'Task Manager', it doesnt appear, so i would go to start>>run>>taskmgr.exe, and it woudl say that another program is using it, even though i do not see a 'task manager' running.

Methods i have used:
This being my first time using Hijackthis, i am completely dumbfounded by its results. I have though, tried using my NAV, and AdAware software to find any viruses or Antiviruses, both in normal windows, and safe mode with system restore off. I have also tried using system restore, and on all 4 of the different dates i have tried, it has failed.

Allow me to post my Log file for Hijackthis: Please be aware it is pretty massive


Logfile of HijackThis v1.99.1
Scan saved at 11:57:57 PM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
C:\WINDOWS\system\driver\csrss.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wininet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\cmd32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\winupdates\winupdates.exe
C:\PROGRA~1\AIM95\aim.exe
C:\WINDOWS\System32\scapubw.exe
C:\Program Files\apsi\wtta.exe
C:\Program Files\Juno\bin\juno.exe
C:\WINDOWS\System32\win32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.832\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\wininet.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [wininet] C:\WINDOWS\System32\wininet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ap56RiH2O] scapubw.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [SinglesSetup.exe] C:\DOCUME~1\Owner\Desktop\SINGLE~1.EXE /r
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.windupdates.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AF24AE3-2835-4DCB-AEEC-27A1566FB0C5}: NameServer = 64.136.20.121 64.136.28.121
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O21 - SSODL: Mozilla Firefox (1.0.1) - {58D28B10-E5C2-D602-9208-76204F6D786D} - c:\program files\mozilla firefox\winfxsvoo32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

If anyone knows what this junk means, please help (I am a little fearful of the results i have recieved, it seems a lot, i jsut hope there isn't a lot of problems.

Thank you for your assistance
-Confused Geek

[B]Hello and welcome to Techspot.[/B]

Go [URL=http://www.techspot.com/vb/topic17297.html]HERE[/URL] and follow the instructions carefully.

When you have done that, go [URL=http://www.techspot.com/vb/topic19133.html]HERE[/URL] for instructions on how to post your Hijackthis log. Then post a new log.

Regards Howard

I did as was stated on that thread, here is the new hijackthis log file...


The task manager seems to work now, i should probably reboot just to check, if it does not work again, won't be the first time it has done this to me.

I do have some more problems, when i tried to boot my pc in safe mode, i asked me if i wanted to cancel the booting of a file called 'D346bus.sys', is anyone fimiliar with this, and is this suppost to happen?

Also when i ran my anti spyware software, it keeps finding this file, each and every time, since i dont know where to post my picture, ill just discribe the file.

Adaware shows it as

Name: Windows
Type: RegData
Category: vulnerability
Object: HKEY_LOCAL_MACHINE:so...

Should i just run windows update or do something else, i dont know if this is some sort of spyware, or virus. My NAV does not seem to notice this vulnerability.

Thank you.

Attached Files

hijackthis.txt (5.1 KB, 5 views)

Turn off system restore.

Your system is seriously infected by a couple of real nasties.

One of which is the winupdates.exe added by the gaobot bc worm

Go [URL=http://www.brightmail.com/avcenter/venc/data/pf/w32.hllw.gaobot.bc.html]HERE[/URL] and follow the instructions.

When you are done, please post another HJT log.

Regards Howard

You did NOT follow it all: Move HJT to its own directory, NOT in bleeding Temp!
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.572\Hijac kThis.exe

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
wininet.exe
winupdates.exe
scapubw.exe
win32.exe
wtta.exe
SINGLE~1.EXE

Next, click Start/Run and type services.msc and click OK. Look for the service:
ntuser.exe
ntsrv.exe
openvpnserv.exe <<== unless you installed it ==
svcproc.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, try and UNinstall (not delete yet) anything to do with:
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\apsi\wtta.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
........................................................................... ........................
C:\WINDOWS\System32\wininet.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *new-search.net*;*x-google.net*
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\wininet.exe
O4 - HKLM\..\Run: [wininet] C:\WINDOWS\System32\wininet.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [ap56RiH2O] scapubw.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [SinglesSetup.exe] C:\DOCUME~1\Owner\Desktop\SINGLE~1.EXE /r
O15 - Trusted Zone: *.windupdates.com (HKLM)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
I don't know/trust this Firefox file. If you know it or installed it, OK, otherwise 'FIX'.
O21 - SSODL: Mozilla Firefox (1.0.1) - {58D28B10-E5C2-D602-9208-76204F6D786D} - c:\program files\mozilla firefox\winfxsvoo32.dll
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
If you installed OpenVPN, OK, otherwise 'FIX' it.
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
........................................................................... ........................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.

Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].

Boot normal. When all OK, switch System Restore back on.

Ok i did as you said, i turned off system restore and rebooted in safe mode, and moved the hijackthis into C:\hijackthis folder. When i tried to end process some of the programs, they didnt show up.
Also the

Next, click Start/Run and type services.msc and click OK. Look for the service:
ntuser.exe
ntsrv.exe
openvpnserv.exe <<== unless you installed it ==
svcproc.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

only one service was found 'openserv.exe'

Here is the end result, i should probably get to know what all this stuff means, lol.

Thanks for your help
P.S., i dont understand why [wupd]win32.exe still shows up, i checked, fixed it, and deleted it.

Attached Files

hijackthis.txt (4.1 KB, 6 views)

Please help me. Here is an image, or you can see it here.

http://img150.imageshack.us/img150/8715/tasmgrnm5.jpg