Thread ID: 59007 2005-06-18 23:41:00 Common Startup Christopher (365) Press F1
Post ID Timestamp Content User
365152 2005-06-18 23:41:00 Hi, I recently bought Ashampoo products like PowerUp XP, Winoptimizer etc... Suddenly on startup now the following is being loaded and never has before:

.fonts
ml1
ml2
ntuser_this one is .dat
ntuser.dat
ntuser_this one is .ini
tempdiff.txt

Can anyone tell me how they got there? msconfig just doesn't remove them. I can only think of my recent installations of Ashampoo products.

Thanks all
Christopher (365)
365153 2005-06-19 00:32:00 Download HijackThis from here (www.majorgeeks.com), create a folder HJT in Program Files and unzip your downloaded file to that folder. Now close all running programs and get HJT to do a scan and post the log here for examination. FoxyMX (5)
365154 2005-06-19 02:24:00 Thank you, FoxyMX. I have done what you said and here is my log file:


Logfile of HijackThis v1.99.1
Scan saved at 1:14:02 p.m., on 19/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
C:\Documents and Settings\Owner\My Documents\Importance\Program Setup Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nz10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.xtramsn.co.nz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nz10.hpwis.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\ Yahoo! \COMPAN~1\Installs\cpn\ycomp5_5_ 7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~2\PopUp.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-nz\msntb.dll
O3 - Toolbar: & Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\ Yahoo! \COMPAN~1\Installs\cpn\ycomp5_5_ 7_0.dll
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AutoTBar.exe] "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoTBar.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\ PCHButton.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
O8 - Extra context menu item: & Yahoo! Search - file:///C:\Program Files\ Yahoo! \Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\ Yahoo! \Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\ Yahoo! \Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\ Yahoo! \Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\ Yahoo! \Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\ Yahoo! \Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Christopher (365)
365155 2005-06-19 02:51:00 C:\WINDOWS\ALCXMNTR.EXE

Leave this entry.

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

BUT, I would tick this and click on fix. So, it doesn't run on startup.

Looks like this file has something to do with your soundcard, but it is also spyware which sends data back to Realtek.
Speedy Gonzales (78)
365156 2005-06-19 06:16:00 I cannot see anything in your log to explain the files you have noticed in Startup but there are two entries that need to be fixed that may have something to do with the files.


Please do the following:

Make sure in Windows Explorer that you have your folders set to show all hidden and system files.

Start up in Safe Mode (see how to do this here (service1.symantec.com)).

Delete all of your "Temp" files (not the folders, just the contents) as well as Cookies and Temporary Internet files and off-line cache from within Internet Options in Control Panel.

In Task Manager (Ctrl+Alt+Delete) look in Processes and if you see navapp.exe and/or ALCXMNTR.EXE running, click on them and stop them by clicking the "End Process" button.


Run HJT again and put a tick next to these lines:

O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

This one here can also be ticked as it is not necessary:

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

Regarding the following three lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nz10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.xtramsn.co.nz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nz10.hpwis.com/

Would they be your chosen Home Page for Internet Explorer? If not, put a tick beside those as well.

Now press the "Fix checked" button.


Use Explorer to search your disk for and delete these if found:

C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe

C:\WINDOWS\System32\NavLogon.dll

ALCXMNTR.EXE


When you have done all that reboot your computer, run HJT again and post another log here. Please also tell us if those files are still being loaded or not.
FoxyMX (5)
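
An added example, not part of any post in this thread: a small Python parser for the `O4` (registry Run) lines of a HijackThis log, using lines copied from the log posted above. It pulls out the value names the replies single out (`navapp`, `AlcxMonitor`, `hpsysdrv`) and lists autoruns registered without a drive-qualified path, which Windows resolves through its search path. The function names and the regular expressions are this example's own assumptions about the log layout, not a HijackThis specification.

```python
import re
from typing import NamedTuple

# Lines copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AutoTBar.exe] "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoTBar.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>" (layout assumed from the log)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
# Program part of the command: a quoted path, or text up to the first .exe/.com/.bat
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat))(?=\s|$)', re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

class Autorun(NamedTuple):
    hive: str
    key: str
    name: str
    command: str
    executable: str

def parse_autoruns(log):
    """Return one Autorun per O4 line; every other section is ignored."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        exe_m = EXE_RE.match(command)
        exe = (exe_m.group(1) or exe_m.group(2)) if exe_m else command.split()[0]
        entries.append(Autorun(hive, key, name, command, exe))
    return entries

def search_path_entries(entries):
    """Value names whose program has no drive-qualified path."""
    return [e.name for e in entries if not DRIVE_RE.match(e.executable)]

def select_by_name(entries, names):
    """Entries whose Run value name is in `names` (case-insensitive), in log order."""
    wanted = {n.lower() for n in names}
    return [e for e in entries if e.name.lower() in wanted]
```
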