My problem is like the others, only i dont understand what this "hijackthis" log file shows me, so im not gonna touch it until i can get some help:

Description of problem:
When i try to open my 'Task Manager', it doesnt appear, so i would go to start>>run>>taskmgr.exe, and it woudl say that another program is using it, even though i do not see a 'task manager' running.

Methods i have used:
This being my first time using Hijackthis, i am completely dumbfounded by its results. I have though, tried using my NAV, and AdAware software to find any viruses or Antiviruses, both in normal windows, and safe mode with system restore off. I have also tried using system restore, and on all 4 of the different dates i have tried, it has failed.

Allow me to post my Log file for Hijackthis: Please be aware it is pretty massive


Logfile of HijackThis v1.99.1
Scan saved at 11:57:57 PM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
C:\WINDOWS\system\driver\csrss.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wininet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\cmd32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\winupdates\winupdates.exe
C:\PROGRA~1\AIM95\aim.exe
C:\WINDOWS\System32\scapubw.exe
C:\Program Files\apsi\wtta.exe
C:\Program Files\Juno\bin\juno.exe
C:\WINDOWS\System32\win32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.832\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\wininet.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [wininet] C:\WINDOWS\System32\wininet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ap56RiH2O] scapubw.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [SinglesSetup.exe] C:\DOCUME~1\Owner\Desktop\SINGLE~1.EXE /r
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.windupdates.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AF24AE3-2835-4DCB-AEEC-27A1566FB0C5}: NameServer = 64.136.20.121 64.136.28.121
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O21 - SSODL: Mozilla Firefox (1.0.1) - {58D28B10-E5C2-D602-9208-76204F6D786D} - c:\program files\mozilla firefox\winfxsvoo32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

If anyone knows what this junk means, please help (I am a little fearful of the results i have recieved, it seems a lot, i jsut hope there isn't a lot of problems.

Thank you for your assistance
-Confused Geek

Hello and welcome to Techspot.

Go HERE and follow the instructions carefully.

When you have done that, go HERE for instructions on how to post your Hijackthis log. Then post a new log.

Regards Howard

I did as was stated on that thread, here is the new hijackthis log file...


The task manager seems to work now, i should probably reboot just to check, if it does not work again, won't be the first time it has done this to me.

I do have some more problems, when i tried to boot my pc in safe mode, i asked me if i wanted to cancel the booting of a file called 'D346bus.sys', is anyone fimiliar with this, and is this suppost to happen?

Also when i ran my anti spyware software, it keeps finding this file, each and every time, since i dont know where to post my picture, ill just discribe the file.

Adaware shows it as

Name: Windows
Type: RegData
Category: vulnerability
Object: HKEY_LOCAL_MACHINE:so...

Should i just run windows update or do something else, i dont know if this is some sort of spyware, or virus. My NAV does not seem to notice this vulnerability.

Thank you.

Attached Files

hijackthis.txt (5.1 KB, 5 views)

Turn off system restore.

Your system is seriously infected by a couple of real nasties.

One of which is the winupdates.exe added by the gaobot bc worm

Go HERE and follow the instructions.

When you are done, please post another HJT log.

Regards Howard

You did NOT follow it all: Move HJT to its own directory, NOT in bleeding Temp!
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.572\Hijac kThis.exe

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
wininet.exe
winupdates.exe
scapubw.exe
win32.exe
wtta.exe
SINGLE~1.EXE

Next, click Start/Run and type services.msc and click OK. Look for the service:
ntuser.exe
ntsrv.exe
openvpnserv.exe <<== unless you installed it ==
svcproc.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, try and UNinstall (not delete yet) anything to do with:
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\apsi\wtta.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
........................................................................... ........................
C:\WINDOWS\System32\wininet.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *new-search.net*;*x-google.net*
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\wininet.exe
O4 - HKLM\..\Run: [wininet] C:\WINDOWS\System32\wininet.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [ap56RiH2O] scapubw.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [SinglesSetup.exe] C:\DOCUME~1\Owner\Desktop\SINGLE~1.EXE /r
O15 - Trusted Zone: *.windupdates.com (HKLM)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
I don't know/trust this Firefox file. If you know it or installed it, OK, otherwise 'FIX'.
O21 - SSODL: Mozilla Firefox (1.0.1) - {58D28B10-E5C2-D602-9208-76204F6D786D} - c:\program files\mozilla firefox\winfxsvoo32.dll
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
If you installed OpenVPN, OK, otherwise 'FIX' it.
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
........................................................................... ........................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.

Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].

Boot normal. When all OK, switch System Restore back on.

Ok i did as you said, i turned off system restore and rebooted in safe mode, and moved the hijackthis into C:\hijackthis folder. When i tried to end process some of the programs, they didnt show up.
Also the

Next, click Start/Run and type services.msc and click OK. Look for the service:
ntuser.exe
ntsrv.exe
openvpnserv.exe <<== unless you installed it ==
svcproc.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

only one service was found 'openserv.exe'

Here is the end result, i should probably get to know what all this stuff means, lol.

Thanks for your help
P.S., i dont understand why [wupd]win32.exe still shows up, i checked, fixed it, and deleted it.

Attached Files

hijackthis.txt (4.1 KB, 6 views)

Please help me. Here is an image, or you can see it here.

http://img150.imageshack.us/img150/8715/tasmgrnm5.jpg