Mobile/PDA About Us Advertise here
User User name Password  
  Not registered yet? Register here.
Lost your password? Click here. 		 
  Home   News   Guides   Downloads   Glossary   Hardware   Profiles   Forums   v4  
 Advertise at AfterDawn.com     Link to us!     Private messages     Compose a private message     List of all updated threads     Threads without replies     Search messages
Sunday 9.3.2025 / 15:11
Search AfterDawn Forums:        In English   Suomeksi   På svenska
afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > trojan virus - windows restarts, task mgr disabled
Show topics
 
Forums
Forums
Trojan Virus - windows restarts, task mgr disabled
  Jump to:
 
Posted Message
nowens
Newbie
_ 		5. November 2006 @ 09:22 _ Link to this message    Send private message to this user   
Basically windows keeps restarting and my task mgr is disabled. I can only run in safe mode (so I can't install any virus rem. software) and every time I try opening up internet explorer it comes up with an error and restarts... it also changed my home page to http://www.1987324.com/?301 . There is a e1xplorer icon saved on my desktop and in my start menu and keeps coming back after I delete. Any help would be very much appreciated!

Thanks in advance!
Nick


Logfile of HijackThis v1.99.1
Scan saved at 11:24:26 AM, on 11/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\Explorer.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HIJ\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.1987324.com?301
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...ilion&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F2096A06-D3B1-FC6F-CB3B-F8BADF604197} - C:\winnt\system32\osbidorz.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\system32\bcmntray
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1160093779\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Systems] C:\winnt\system32\sysmon.exe
O4 - HKLM\..\Run: [adir] C:\winnt\system32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\winnt\system32\wservice.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.2.3.5\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [UpdateService] C:\winnt\system32\wservice.exe
O4 - HKCU\..\Run: [taskdir] C:\winnt\system32\taskdir.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = D:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_10\bin\npjava131_10.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_10\bin\npjava131_10.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O15 - Trusted Zone: www.1987324.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1D95A7C7-3282-4DB7-9A48-7C39CE152A19} (TeamOn Import Object) - https://bis.na.blackberry.com/html/web/client_tools/TOImport.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=889654fb70de3e056ce09f2e7462c482&url=http%3A%2F%2Fd.69.25.47.73.downloads.estara.com.%2Fas%2FOneCCDM.php&template=37881&sessionid=1424132379_69.25.47.73_51432&=&req=1110494604687OneCC.cab
O16 - DPF: {66960E23-DE25-11CF-876F-444553540000} (RepViewCtrl Object) - http://usrealnet.com/public/realnet/rrprview.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.31.42/display/PopupSh.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://elliemae.webex.com/client/v_mywebex-elliemae/training/ieatgpc.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/ins...cdetection3.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h20179.www2.hp.com/psgna/caller/SysQuery.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = charter6440.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = charter6440.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = charter6440.com
O20 - AppInit_DLLs: ?A
??#A?CS C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\winnt\system32\Acedmb32.dll
O21 - SSODL: kDoYxj - {F0D00A2C-5A7A-A086-AC84-B018C1FE07E8} - C:\winnt\system32\few.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\winnt\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\winnt\System32\wltrysvc.exe
[ + quote]
Niobis
Senior Member
_ 		6. November 2006 @ 15:57 _ Link to this message    Send private message to this user   
Hello nowens,

First, restart in safe mode with networking to download a few programs.
Press F8 like your booting in safe mode, but choose "Safe Mode with Networking".

Go here to download the trial version of AVG Anti-spyware.
Go here and download Spybot Search and Destroy.

Install and open AVGAS.
Click "Update" then click "Start update".
After updating, close AVGAS.

Install and open Spybot.
Click "Check for Updates".
Click "Search for Updates".
Check all and click "Download Updates".
After updating, close Spybot.

Restart in safe mode.

Run a scan only with HijackThis, place a check beside these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.1987324.com?301
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...ilion&pf=laptop
O2 - BHO: (no name) - {F2096A06-D3B1-FC6F-CB3B-F8BADF604197} - C:\winnt\system32\osbidorz.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Systems] C:\winnt\system32\sysmon.exe
O4 - HKLM\..\Run: [adir] C:\winnt\system32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\winnt\system32\wservice.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [UpdateService] C:\winnt\system32\wservice.exe
O4 - HKCU\..\Run: [taskdir] C:\winnt\system32\taskdir.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O15 - Trusted Zone: www.1987324.com
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\winnt\system32\Acedmb32.dll
O21 - SSODL: kDoYxj - {F0D00A2C-5A7A-A086-AC84-B018C1FE07E8} - C:\winnt\system32\few.dll

Close all windows except HijackThis, then click "Fix checked".

Go to Add/Remove Programs and uninstall:
Viewpoint Manager
License Manager

Show all files and folders.
Open My Computer > Tools > Folder Options > View tab > check "Show hidden files and folders".
Click Apply then OK.

Find and delete the following files and folders(if there):
C:\winnt\system32\sysmon.exe <--file
C:\winnt\system32\adirss.exe <--file
C:\winnt\system32\wservice.exe <--file
C:\winstall.exe <--file
C:\winnt\system32\wservice.exe <--file
C:\winnt\system32\taskdir.exe <--file
C:\winnt\system32\Acedmb32.dll <--file
C:\winnt\system32\few.dll <--file
C:\Program Files\Viewpoint <--folder
C:\Program Files\License_Manager <--folder
Please tell me which files, if any, were not there or if access is denied.

Empty the Recycle Bin.
Open AVGAS and click "Scanner".
Click "Complete System Scan".
When it finishes scanning, set all items to "Quarantine".
Click "Apply All Actions".
Click "Save Report" and save it to the desktop.
Close AVGAS.

Open Spybot.
Click "Check for Problems".
When it finishes, click "Fix selected problems".
Right click inside the window and select "Copy results". (not full report)
Paste them into Notepad and save them.

Attempt to boot in normal mode and get a HijackThis log.
Please post back with the AVGAS report, the Spybot log and a new HijackThis log(from normal mode, if possible).

[ + quote]
Don't be fooled any longer.
http://www.youtube.com/watch?v=BUtbGYgsIu4&feature=related

This message has been edited since posting. Last time this message was edited on 6. November 2006 @ 15:58
afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > trojan virus - windows restarts, task mgr disabled
 

Digital video: AfterDawn.com | AfterDawn Forums
Music: MP3Lizard.com
Gaming: Blasteroids.com | Blasteroids Forums | Compare game prices
Software: Software downloads
Blogs: User profile pages
RSS feeds: AfterDawn.com News | Software updates | AfterDawn Forums
International: AfterDawn in Finnish | AfterDawn in Swedish | AfterDawn in Norwegian | download.fi
Navigate: Search | Site map
About us: About AfterDawn Ltd | Advertise on our sites | Rules, Restrictions, Legal disclaimer & Privacy policy
Contact us: Send feedback | Contact our media sales team
 
  © 1999-2025 by AfterDawn Ltd.

  IDG TechNetwork