Is my daughters computer hooped continued
Bill

08/22/04
Hello Gentlemen, I am back from my trip and have since started working on my daughter's computer once again. I have managed to pull a HijackThis log off of her computer, only to realize she is running Norton AntiVirus; I am sorry, I thought I installed McAfee. Here is the log file you have been after all along.

Logfile of HijackThis v1.97.7
Scan saved at 4:25:51 PM, on 22/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\TEMP\RAR$EX03.896\HijackTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

I hope this helps get to the bottom of our problem thanks again.

Mark

08/22/04
Hey Bill. I can only remember bits of your previous thread... (too much on my mind lately !). From the log you're showing here, there isn't much.. only one entry to fix, so please have ONLY HijackThis! running on her box, and fix this one :

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

Reboot. Can't remember, but were you able to run Ad-Aware on her computer before ? Try doing a scan now, using the new version (get it here : Ad-Aware SE - Personal). Reboot once done, then scan with HJT again and post a new log.

Bill

08/22/04
Hi Mark, I d/l the new Ad-Aware and did a scan on my own machine. It found 78 new things; was I ever unimpressed, as I did a Spybot last night and it said I was clean. As I looked at the entries, most of them came from my wife's user name. She still must be using IE; will have to give her a briefing on Mozilla. Thanks for the info. Right after this I will get to my daughter's and send you a new log. Well, I do remember saying I had no internet on her computer and we were having a heck of a time getting a hijack log together, but as you see I managed to figure that hijack thing out and will be burning a disc so she can have the new Ad-Aware put in. Oh yes, she did have Ad-Aware in place.

Mark

08/22/04
I do remember a few things, like trying to run any tool on her comp was impossible... that's why I was wondering about Ad-Aware ! Let me know what turns up !

Bill

08/22/04
Hi Mark

Have installed the new Ad-Aware SE and did a reboot; she had 25 entries that are now in quarantine. Here is the new hijack post.

Logfile of HijackThis v1.97.7
Scan saved at 11:11:54 PM, on 22/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\TEMP\RAR$EX03.896\HijackTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

I did see something I have never noticed before, or should I say took notice of. Right after the splash screen for 98 a screen appears and reads as this: c:/c: Essolo.com. And says this is not a recognized command and then starts her comp like it should, going to her desktop. Any light on this situation?

Mark

08/22/04
Hey Bill ; from what I read, that message means that there is a "syntax error" in that line, which is a command in "autoexec.bat". Don't ask me more, because I don't know !! The only thing I got from reading about is this : if Windows boots up ok, then don't worry about it. BTW, that "Essolo" thing appears to be related to her sound card. There are ways to edit the "autoexec.bat" routine, but that's out of my league. Perhaps someone else may have an idea ?

You should fix this entry (with HijackThis!) :

R3 - Default URLSearchHook is missing

Reboot her box. Let me know how it is running !
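
An added example, not part of the original thread: a small Python triage of the HijackThis entry lines posted above. It flags entries carrying the "(no file)" or "is missing" markers that Mark singles out, and diffs two successive logs to confirm what a fix changed. The function names and the marker list are assumptions made for this illustration.

```python
import re

# Constructed sample input: entry lines copied from the two logs posted above.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""
LOG_AFTER = r"""
Running processes:
C:\WINDOWS.000\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# An entry line is "<section code> - <body>", e.g. "R3 - ..." or "O16 - ...".
# Header and "Running processes" lines do not match and are skipped.
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Markers (assumed list, taken from the two R3 lines in this thread) that
# indicate an entry pointing at something that no longer exists.
ORPHAN_MARKERS = ("(no file)", "is missing")

def parse(log):
    """Return [(section, body), ...] for every entry line in a log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def orphans(entries):
    """Entries whose body carries one of the orphan markers."""
    return [e for e in entries if any(k in e[1].lower() for k in ORPHAN_MARKERS)]

def diff(before, after):
    """Entries removed and entries added between two parsed logs."""
    b, a = set(before), set(after)
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    before, after = parse(LOG_BEFORE), parse(LOG_AFTER)
    removed, added = diff(before, after)
    print("flagged before:", orphans(before))
    print("removed:", removed)
    print("added:", added)
```
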

Bill

08/23/04
Here is my daughter's newest file, thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 6:59:01 PM, on 23/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\TEMP\RAR$EX03.896\HijackTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

Mark

08/23/04
Hey Bill. No nasties, from what I can see. How is her box doing ?? (and why was the "Windows" directory/folder renamed to "Windows.000" ???)

Bill

08/23/04
Sorry to say no internet yet, I am not sure where to go from here. It still runs very slowly, but maybe that's because I am measuring it to mine, which is about 10 times faster. I have a 2.4 GHz with 512 MB of RAM; hers on the other hand barely makes a P1 and I am not too sure about RAM, although I do suspect it's only 128. As far as the directory folder being windows.000, I'm not sure; actually I was going to ask you if you knew that question. If that's in the settings, is there a way to set it back?

Mark

08/23/04
I've never seen the Windows directory renamed like that.. Did you ever have that machine serviced by a tech ? bring it to a shop ?? My guess is that someone created a new system directory, because of problems with the original one. Just a guess though. Now, I don't see why she can't connect to the net ; can you tell me again how she connects (type of connection, network/router/shared connection. etc...) ?? Do you get errors onscreen ?

Bill

08/23/04
Hi Mark, as far as having it in to a tech, I have had this machine since new and passed it down to my daughter when I upgraded, and I can say without a doubt it has never been to a tech. The only way that she connects to the net is through my router, which is only set up through to my hi speed modem. In the past I have taken my PC off line to plug hers in and run direct through my connection; still not able to connect. When I do open a browser it just goes to page unavailable. I have tried her start page and Google and even here, to no avail. On a different note, I tried to install a Firefox browser tonight as you once suggested before, and here is the error I received.

D: Firefox setup-0.9.3.exe is not a valid win 32 application.
Anymore ideas?

mikeyb

08/24/04
Hi people,

Regarding the windows.000 directory: I can help you there, I have actually seen this on a machine I was working on myself.

It appeared after a fdisk and reformat. A new FAT32 partition was created and all looked OK, then the OS went on.. and when it asked for the Windows directory, it was called windows.000 rather than windows; renaming it to 'windows' says the name is already in use.

Microsoft article says you can rename it..

http://support.microsoft.com/?kbid=142545

regards

mikeyb

Mark

08/24/04
Mike ! Boy, was I hoping you'd see this...

Great info as always. I'm confused as to why the computer cannot connect to the internet though ; can't install FireFox ? darnit, that was my next suggestion. I'll try and find something..

Bill

08/24/04
Thanks Mikeyb, that makes a little more sense now. With that being said, I should take it that this machine is missing some critical files, and will not be easily fixed. I can see that you fellows are slowly running out of ideas; should I just bite the bullet and do a complete reformat?

Bill

08/26/04
Bump!!! Sorry I just don't want to be left in the shuffle down here.

Mark

08/26/04
Hey Bill, sorry about that. It's extremely difficult for us these days ; the forum is very busy, and two regular helpers (out of 4...) are away for a while. I'm not even sure if Mike isn't gone on business as well..

Have you ever tried a "repair install" of 98 ? If system files are corrupt or missing, then that might be a solution (some call it an "install over") ; your data and programs are not lost, but you should do backups before, to be safe. Not sure here, but I think the Windows directory should be renamed prior to doing this (renamed to the original, without the "000").

Needing a format is possible, but the repair is something to try.

mikeyb

08/27/04
If you run the SFC on Windows it will only scan the Windows directory that the OS is running on at that time, in this case windows.000. Don't think you will be able to rename the directory and have SFC scan it.. never tried that before!

If it was me I would back up your Windows data and then fdisk, and remove both the windows and windows.000 directories, then format and change the windows to be the default directory.

regards

Mikeyb

Bill

08/27/04
Thank you gentlemen for your old college try, you have come up with more answers than I could have. Looks like I'm in for a long weekend of formatting. I wish her machine was easy as mine: I slip a restore disk and all problems are pretty much gone. With hers I have to do a whole lot more and it should take me a couple of hours at least. Thanks again for all your help.

Bill

Mark

08/27/04
Hey Bill ; good luck with the format. Sometimes, you just can't get away from it...

Robin Lee
robin@jpfrog.com

09/06/04
Help with error message

Here is the error message I get every time I boot up ... C:\Program Files|Norton AntiVirus\navapw32.exe is not a valid win 32 app

How do I get rid of this? I can't figure it out.

Anti-SpyWare: none
Anti-Virus: Norton
Browser: internet explorer
Firewall: None
OS: 98 SE


© Copyright 1998-2004 Newbie dot Org -- All rights reserved --