System 32 Pops up on Startup

Discussion in 'adware, spyware & hijack cleaning' started by AngelBaby0703, Apr 25, 2004.

Thread Status:
Not open for further replies.
  1. AngelBaby0703

    AngelBaby0703 Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    4
    Hello:

    I am new to this forum, and wondered if anyone could help me. I have the System 32 folder popping up everytime I restart my computer. Any suggestions? I have ran RAV antivirus, shredder, adaware, spywareblaster, all that stuff by the way. And here is my latest log:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:30:49 PM, on 4/25/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {186E51E5-96A2-4BC5-8858-581932C15F82} (CardPrintStub Class) - http://www.hpphoto.com/downloads/cardprint.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.5808217593
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi AngelBaby,

    have only HijackThis running and fix :

    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

    Restart PC after doing so

    make sure you update your XP and IE to get the latest security patches at windowsupdate.com

    Hope this helps

    Cheers,
     
  3. AngelBaby0703

    AngelBaby0703 Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    4
    Hey There,

    That worked after I had HJT fix those things. I also updated on windowsupdate.com and everything like you mentioned also :) Thanks for your help!



     
  4. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hello angel,

    Nice we could help :)

    In future you may like to be more prepared so that you dont find any re-infections. Have a look here

    -> How did I get infected?

    Hope that helps.

    Regards
     
  5. AngelBaby0703

    AngelBaby0703 Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    4
    Downloader.MSCache, Download.Trojan, Backdoor.Trojan

    I have been to symantec to try and get rid of these viruses, and I can't figure it out. I've run all the free antivirus programs, including norton. I do a system scan, and it doesn't find the viruses, until it does a manual scan during the day, I looked at history, and yesterday there were still these viruses on my computer. Please help with anything!!
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi AngelBaby0703,

    What sre the filenames and paths for the files symantec is finding?

    Regards,
    Kent
     
  7. AngelBaby0703

    AngelBaby0703 Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    4
    Filenames:

    Filenames include py.exe, py[1].exe, py[2].exe, qpmytsxh.dll, and khliqpvs.exe. Most of them are in the temporary internet files, but I delete those all the time, and they keep coming back. Maybe it's a page that I go to that causes the viruses to come back, I don't know. AVG antivirus system has also detected Dowloader.Small.5.L, but I run a full scan, and it doesn't find it. Any thoughts??
     
Thread Status:
Not open for further replies.