02-28-2005, 02:56 PM | #1
peekaboo
Location: on the back, bitch
OK, G, give it your best shot!
I have been having a problem with my XP Home. It seems the cmd prompt window keeps flashing on my screen, but not long enough to catch a glimpse of where it's coming from! The one time it stayed, my computer froze and I had to shut it off completely. I have run: Spybot, Norton, Registry Mechanic and Xoftspy. Many things have been found and deleted, but that damned flashing window remains. It pauses SNOOD and stops me in mid-typing; it's like an auto-refresh. At any rate, here's the log from HijackThis.
Logfile of HijackThis v1.98.2
Scan saved at 5:50:30 PM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINDOWS\system32\WirelessUSB.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GTDesktop\Plugins\GTRipple.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\Louise\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Wireless USB Adapter] WirelessUSB.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [Wireless USB Adapter] WirelessUSB.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [GTRipple] C:\Program Files\GTDesktop\Plugins\GTRipple.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101605468730
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7841D22-2C36-4774-A857-734112D49524}: NameServer = 205.188.146.145
02-28-2005, 03:36 PM | #2
Talk nerdy to me
Location: Flint, MI
The ones I left from the log above are the ones that concern me. I don't know what they are and look like random file names that are left from spyware programs. Get rid of them and see what happens.
__________________
I reject your reality, and substitute my own -- Adam Savage
02-28-2005, 03:51 PM | #3
Crazy
I work on computers every day identifying and removing numerous pieces of spyware, and per my recommendations I would remove the following:
The O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray is definitely going to be a piece of spyware if it's not your ISP. The O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe and O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe concerned me. The nwiz is actually Norton's setup program, so you can leave that one.
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7841D22-2C36-4774-A857-734112D49524}: NameServer = 205.188.146.145
I would also remove any programs such as Real, QuickTime, Winamp, etc., that you use but can open by yourself; it saves a lot of resources. Oh, and a great preventive measure, even though I hate Microsoft, is MS AntiSpy. Get it off their website; it's in beta right now, but is rather effective.
__________________
-snooch to the nooch
03-01-2005, 06:06 AM | #4
Insane
I wouldn't be so confident in removing GWMDMMSG.exe. It might be necessary for your modem; here's some info on the process.
03-01-2005, 09:41 AM | #5
Registered User
The problem entries have been stated by other users already, so I'm not going to repeat them. What I want to know is: 1. Why the fuck are you using AOL? Jesus Christ. 2. Why do you have a Google toolbar, an AOL toolbar and Yahoo buttons on your browser?
03-01-2005, 10:05 AM | #6
Talk nerdy to me
Location: Flint, MI
I do agree, however, that running all of the toolbars is a little too much. While they are not causing your original problem, they are taking up memory and slowing your PC down. The less you have running in memory, the faster your PC will run. In general you can remove a lot of unneeded apps from that list.
__________________
I reject your reality, and substitute my own -- Adam Savage
03-01-2005, 10:31 AM | #7
Registered User
03-01-2005, 02:12 PM | #8
peekaboo
Location: on the back, bitch
I ended the processes of a few of those mentioned. I also went into Add/Remove and removed the multiple toolbars and most of Yahoo, except Messenger. Then I went into the Start menu and changed preferences there, including unchecking Run/cmd. No black box flash so far!!
Thanks for the advice, everyone!
03-02-2005, 10:49 AM | #10
Sauce Puppet
Another thing to check is to go to Run and type msconfig. Go to the Startup tab, and uncheck any processes that look fishy, or that you don't want to start on startup. Check liutilities, or Google the processes, to see if it is something that should be running off of startup.
Another process I'm worried about is nvsvc32.exe. If it's nvsvc32 there's no big deal; if it's nvsc32.exe you may have a Bropia.A variant virus.
03-04-2005, 10:28 PM | #11
peekaboo
Location: on the back, bitch
I found this on liutilities (now called Uniblue) regarding nvsvc32.exe:
nvsvc32 - nvsvc32.exe - Process Information
Process File: nvsvc32 or nvsvc32.exe
Process Name: NVIDIA Driver Helper Service
Description: nvsvc32.exe is a process that belongs to the NVIDIA graphics card drivers. This process should not be removed to ensure that your graphics card drivers are working properly.
After 4 days without, my little flashing run/cmd box is back. I think I'm getting used to it now.
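An added example, not code from the thread or from HijackThis: a small Python triage script that parses the O4 (autostart) lines of a HijackThis log in the format shown in the first post and applies the checks the replies suggest. It flags a process name that is one character off a known driver or service name (the nvsvc32 vs nvsc32 point in posts #10 and #11), an entry that launches by bare filename with no path so the log cannot tell you where the file lives (the GWMDMMSG question in posts #3 and #4), and an entry launched from a user temp directory. The KNOWN_GOOD list, the sample log and the planted nvsc32.exe and helper.exe entries are constructed for the example; a hit is a prompt to look up the file, not a verdict.

```python
import re
from dataclasses import dataclass

# Names this thread treats as expected (nvsvc32, nwiz, ccApp, TeaTimer) plus a few
# standard Windows binaries. Only used to spot near-miss spellings; membership here
# is not proof that a given file is clean. Constructed for the example.
KNOWN_GOOD = {"nvsvc32.exe", "nwiz.exe", "ccapp.exe", "teatimer.exe",
              "svchost.exe", "explorer.exe", "rundll32.exe"}

# The two O4 autostart formats HijackThis prints: registry Run keys and startup shortcuts.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<label>.+?) = (?P<cmd>.+)$")


@dataclass
class RunEntry:
    source: str   # "HKLM\..\Run", "HKCU\..\RunServices", "Global Startup", ...
    label: str    # the value name in [brackets] or the .lnk name
    cmd: str      # the command line as HijackThis shows it


def parse_o4(log: str) -> list[RunEntry]:
    """Pull every O4 line out of a HijackThis log; other sections are ignored."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            entries.append(RunEntry(f"{m['hive']}\\..\\{m['key']}", m["label"], m["cmd"]))
        elif m := STARTUP_RE.match(line):
            entries.append(RunEntry("Global Startup", m["label"], m["cmd"]))
    return entries


def executable_of(cmd: str) -> str:
    """The program a Run value launches: a quoted path, or the text up to the first .exe/.dll."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr))(?=[\s,]|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 means one inserted, deleted or substituted character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(entry: RunEntry) -> list[str]:
    """Defender-side checks on one autostart entry; an empty list means nothing stood out."""
    exe = executable_of(entry.cmd)
    base = basename(exe)
    findings = []
    # Legitimate autostarts almost never live under a user's temp folder.
    if re.search(r"\\(temp|locals~1|local settings)\\", exe.lower()):
        findings.append("launches from a user-writable temp/profile directory")
    if base not in KNOWN_GOOD:
        # A bare name is resolved via the search path, so the log does not say where it is.
        if not re.search(r"[\\/]", exe):
            findings.append("bare filename with no path; file location unknown")
        # nvsc32.exe vs nvsvc32.exe: a one-character difference hides in a long process list.
        for good in sorted(KNOWN_GOOD):
            if levenshtein(base, good) == 1:
                findings.append(f"one character away from {good}")
                break
    return findings


def triage(log: str) -> dict[str, list[str]]:
    """Map each flagged O4 label to its findings; clean entries are left out."""
    report = {}
    for entry in parse_o4(log):
        findings = assess(entry)
        if findings:
            report[entry.label] = findings
    return report


# Constructed sample in HijackThis O4 format (not the thread's log): four ordinary entries
# plus two planted problems, a lookalike name and a launcher sitting in a temp directory.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [NVIDIA Helper] C:\WINDOWS\system32\nvsc32.exe
O4 - HKCU\..\Run: [Helper] C:\DOCUME~1\user\LOCALS~1\Temp\helper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    for label, findings in triage(SAMPLE_LOG).items():
        print(f"[{label}]")
        for f in findings:
            print(f"    - {f}")
```

Run it against a real log by reading the file into `triage()`. The one-character threshold is deliberate: widening it to two catches more typosquats but starts matching unrelated short names, and the bare-filename check will also fire on legitimate vendor entries like the modem helper in post #4, which is exactly the case where you look the file up rather than delete it.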
03-04-2005, 10:33 PM | #12
Tilted F*ckhead
Location: New Jersey
ngdawg, here's a site that I frequent a lot. It may help you out some. And btw, nwiz is fine; it's just something with Norton.
http://www.answersthatwork.com/Taskl...s/tasklist.htm I hope this helps!
__________________
Through counter-intelligence, it should be possible to pinpoint potential trouble makers, and neutralize them.
03-05-2005, 06:18 PM | #14
Tilted F*ckhead
Location: New Jersey
It very well could be a worm, but judging by the abbreviated location, I'd say it's just Norton LiveUpdate being a pain in the ass. See what happens when you disable LiveUpdate. Just disable it for a day or two, and see if this stops. If it does stop, that doesn't necessarily mean you aren't infected, but it does mean that it could be using LiveUpdate to tunnel through your firewall.
__________________
Through counter-intelligence, it should be possible to pinpoint potential trouble makers, and neutralize them.