Thread ID: 69379 2006-05-30 21:32:00 Help with task manager not opening please dave8098 (10477) Press F1
Post ID Timestamp Content User
459167 2006-05-30 21:32:00 My task manager only opens for 2 seconds, I have run HijackThis and here is my log. Please someone help me, my PC is dying here.....


Logfile of HijackThis v1.99.1
Scan saved at 20:37:10, on 30/05/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Business Broadband
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\winsock\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\winsock\csrss.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\iexplore.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] winsvc.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows TCP/IP Socket Driver] C:\WINNT\winsock\csrss.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe -t
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Compaq Service Drivers] winsvc.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Compaq Service Drivers] winsvc.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] winsvc.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: BT - {60487B92-87EE-44B8-9AFD-244D2E970754} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {7B695BB4-E498-4E2D-B1D9-B32BC9BADE8E} - www.btopenworld.com (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.exe.imgfarm.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Belkin Wireless Notebook Card Service (BLKWLNB) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless AG Notebook Network Card\Wireless Utility\WLService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINNT\winsock\csrss.exe
dave8098 (10477)
459168 2006-05-30 21:47:00 You've got My websearch, trojans and worms.

Boot into safe mode, turn system restore OFF. Run hijackthis again, tick these entries and tick fix checked.

See if My websearch or similar appears in Add/remove programs. Uninstall it.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\iexplore.exe

O4 - HKLM\..\Run: [Compaq Service Drivers] winsvc.exe

O4 - HKLM\..\Run: [Microsoft (R) Windows TCP/IP Socket Driver] C:\WINNT\winsock\csrss.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\RunServices: [Compaq Service Drivers] winsvc.exe

O4 - HKCU\..\Run: [Compaq Service Drivers] winsvc.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKCU\..\RunServices: [Compaq Service Drivers] winsvc.exe

O9 - Extra button: BT - {60487B92-87EE-44B8-9AFD-244D2E970754} - http://www.bt.com (file missing) (HKCU)

O9 - Extra button: Homepage - {7B695BB4-E498-4E2D-B1D9-B32BC9BADE8E} - www.btopenworld.com (file missing) (HKCU)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.exe.imgfarm.com

I think this is nasty too

O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINNT\winsock\csrss.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\winsock\csrss.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\winsock\csrss.exe

O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

I would also get this (dl.filekicker.com)

Which is from here (www.simplysup.com)

Download / install run this then click on scan.

Then select the 3rd-7th option under the utilities menu.

If you do online banking with this PC, DON'T log onto any bank site.

One of these entries / trojans is a password stealer.
Speedy Gonzales (78)
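A triage check for the autostart entries singled out in this thread, as an added example that is not part of the original posts: it flags a Winlogon Shell or UserInit value that carries anything beyond the stock program, and a Windows binary name (csrss.exe, iexplore.exe) started from outside its usual directory. The rule names and the EXPECTED_DIR table are assumptions made for illustration; the sample lines are copied from the log above.

```python
import ntpath
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\winsock\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\winsock\csrss.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\iexplore.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINNT\winsock\csrss.exe
"""

# Assumption for illustration: directory each Windows binary normally runs from.
EXPECTED_DIR = {"csrss.exe": r"\system32", "iexplore.exe": r"\internet explorer"}
EXE_PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.exe', re.I)


def findings(log):
    """Return (rule, line) pairs; the rule names are hypothetical labels."""
    out = []
    for line in log.splitlines():
        code, _, rest = line.strip().partition(" - ")
        if code == "F2" and "Shell=" in rest:
            # Stock value is just Explorer.exe; anything appended also runs at logon.
            if rest.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                out.append(("shell-extra", line))
        elif code == "F2" and "UserInit=" in rest:
            # Stock value is one userinit.exe path, optionally with a trailing comma.
            parts = [p.strip() for p in rest.split("UserInit=", 1)[1].split(",") if p.strip()]
            if len(parts) != 1 or ntpath.basename(parts[0]).lower() != "userinit.exe":
                out.append(("userinit-extra", line))
        elif code in ("O4", "O23"):
            # Run keys and services: a system binary name in the wrong directory.
            for path in EXE_PATH.findall(rest):
                want = EXPECTED_DIR.get(ntpath.basename(path).lower())
                if want and not ntpath.dirname(path).lower().endswith(want):
                    out.append(("masquerade", line))
    return out


if __name__ == "__main__":
    for rule, line in findings(SAMPLE_LOG):
        print(f"{rule:15} {line}")
```

A hit is a prompt to inspect the file, not a verdict; third-party entries such as avgcc.exe pass through because the table only covers the two binary names listed.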
459169 2006-05-30 21:51:00 Hi and welcome to F1.
A quick look at your log and it is full of undesirables.

...no doubt speedy will fix you up in a jiff. :thumbs:
Nyuuji (5460)
459170 2006-05-30 22:06:00 Thanks speedy and thanks for the welcome, just printing off your instructions to try. I don't seem to have the system restore section in my system properties tab; when I double click system in control panel it doesn't seem to be there. I will try without disabling just now unless you have a suggestion.


Dave
dave8098 (10477)
459171 2006-05-30 22:07:00 And install a firewall. After the previous entries have been fixed. Speedy Gonzales (78)
459172 2006-05-30 22:44:00 Speedy many thanks, PC is running like a dream now.

Thanks Again

Dave
dave8098 (10477)
459173 2006-05-30 22:48:00 And change the online banking password(s). They may already have been compromised. Erayd (23)
459174 2006-05-30 23:05:00 No worries Dave.

Good to hear it's up and running again :)
Speedy Gonzales (78)