# Windows Installer for XP Professional screen



## chirodoc (Nov 1, 2004)

I have a (hopefully) simple problem. I went to begin downloading some updates of Windows and did so. Since then a little popup screen shows up every time a new window opens up in XP, whether it's the internet or Word or whatever. The popup screen at the top says "Windows Installer". I can click Cancel and the screen goes away and pops up as another little screen that says "Windows XP Professional" and it has another Cancel button. If you let it run, the screen tries to install Windows XP again and then says that it failed b/c it couldn't find the XP CD in the D: drive. My question is simply this: how do I stop the screen from coming up all the time, cause I can't stick the XP CD in cause I can't find it. How can I stop this crazy screen? It's driving me batty!!! Thank you for any help you can give.


----------



## ~Candy~ (Jan 27, 2001)

Hi and welcome. Why can't you find your XP cd?


----------



## chirodoc (Nov 1, 2004)

Well, not that it matters, but I moved after grad school to a new home and the box that all my computer stuff was in is EMPTY! Got dumped during the move I guess, I don't know. Someone said I could use my ID # from XP and get a new CD, but will that even work? And surely there is an easier way!! Help. Thank you for the welcome, acaCandy.


----------



## chirodoc (Nov 1, 2004)

This popup screen on Windows XP (Windows Installer) is killin' me. Thanks

chirodoc


----------



## chirodoc (Nov 1, 2004)

Can anybody help me here? Thanks. I hope I don't sound impatient, cause I understand that you all volunteer your time and expertise, so keep up the good work. Please help.


----------



## ~Candy~ (Jan 27, 2001)

Restore point?


----------



## chirodoc (Nov 1, 2004)

I'm not a tech administrator, so although I understand what a restore point is and have tried reverting back to a point before the screen began popping up, I have had no success. I am wondering if anyone understands what screen I am talking about, but I don't know how to snap a shot of the screen and post it here. Either way, is there not a command sequence that this screen is tied into or something, so I could stop it from coming up EVERY TIME a new window opens...?


----------



## chirodoc (Nov 1, 2004)

Anybody have an idea?


----------



## ~Candy~ (Jan 27, 2001)

Post your running items at startup.

Start, Run, type msinfo32 and hit OK, go to Software, Startups, Edit, Select All, Edit, Copy, and come back and paste.


----------



## chirodoc (Nov 1, 2004)

Thanks! Will do. Just so you know though, it doesn't pop up when I start up the computer or Windows, but once I click on any application like Word or the internet it starts. I will post the stuff though. Thanks again.


----------



## chirodoc (Nov 1, 2004)

HOLY CRAP, what in the world? When I went in and typed that msinfo32 and got into the software screen, my Norton popped up and said it found a virus. Great!!! I know it's just weird timing, but strange either way.


----------



## chirodoc (Nov 1, 2004)

It keeps popping up with the Norton screen about the same virus when I get to the startups screen, and only then. Plus it doesn't get into the startups screen; it says (on the right side of the window) "refreshing system info..." and doesn't go anywhere.??


----------



## chirodoc (Nov 1, 2004)

Okay, I can get to the startups screen, but it has over 200,000 characters and these threads limit me to 30,000. Can I just post part of it at a time, or what?


----------



## chirodoc (Nov 1, 2004)

Here is the log out of the Windows error reporting screen...

11/5/2004 8:30 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:30 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:30 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:33 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:33 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:34 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:36 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:36 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:38 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:38 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:47 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
11/5/2004 8:47 AM	MsiInstaller	Detection of product '{91110409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'
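
What those repeating events are asking for can be worked out from the text alone. The script below is an added example, not part of the thread and not a Microsoft tool: it parses the msinfo32 error-log lines above, counts how often the same product/feature/component triple fails, and computes the "packed" form of each GUID that Windows Installer uses as a registry key name, so the product entry and the component's key path can be looked up. The sample lines are copied from the log above; the two registry locations named in the code are the Installer layout as I remember it and are the assumption to verify on the machine.

```python
"""Decode the repeating MsiInstaller detection failures.

Added example, not from the thread and not a Microsoft tool. The registry
locations below are the Windows Installer layout as I know it and are the
assumption to verify on the machine.
"""
import re
from collections import Counter

# Three of the lines posted above, verbatim (tab-separated msinfo32 export).
SAMPLE_EVENTS = (
    "11/5/2004 8:30 AM\tMsiInstaller\tDetection of product '{91110409-6000-11D3-8CFE-0050048383C9}', "
    "feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'\n"
    "11/5/2004 8:30 AM\tMsiInstaller\tDetection of product '{91110409-6000-11D3-8CFE-0050048383C9}', "
    "feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'\n"
    "11/5/2004 8:33 AM\tMsiInstaller\tDetection of product '{91110409-6000-11D3-8CFE-0050048383C9}', "
    "feature 'HandWritingFiles' failed during request for component '{456D1A62-DC1F-45C2-910F-FCDB0DCE4562}'\n"
)

EVENT_RE = re.compile(
    r"^(?P<when>[^\t]+)\tMsiInstaller\tDetection of product '(?P<product>\{[0-9A-F-]{36}\})', "
    r"feature '(?P<feature>[^']+)' failed during request for component '(?P<component>\{[0-9A-F-]{36}\})'",
    re.I,
)

# Assumed Installer registry layout (per-machine install, SID S-1-5-18 = LocalSystem).
PRODUCTS_KEY = r"HKLM\SOFTWARE\Classes\Installer\Products"
COMPONENTS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components"


def pack_guid(guid):
    """Windows Installer 'packed' GUID used as a registry key name: reverse
    the first three groups, then swap each character pair in the last two.
    {90110409-6000-11D3-8CFE-0150048383C9} -> 9040110900063D11C8EF10054038389C
    """
    groups = guid.strip("{}").upper().split("-")
    if [len(g) for g in groups] != [8, 4, 4, 4, 12]:
        raise ValueError("not a GUID: %r" % guid)

    def swap_pairs(s):
        return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))

    return (groups[0][::-1] + groups[1][::-1] + groups[2][::-1]
            + swap_pairs(groups[3]) + swap_pairs(groups[4]))


def summarize(events_text):
    """Group failures by (product, feature, component), most frequent first,
    with the registry keys that name the product and hold the component's
    key path (the file or value whose absence triggers the repair)."""
    counts = Counter()
    for line in events_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            counts[(m.group("product"), m.group("feature"), m.group("component"))] += 1
    return [
        {
            "product": product,
            "feature": feature,
            "component": component,
            "count": n,
            "product_key": PRODUCTS_KEY + "\\" + pack_guid(product),
            "component_key": COMPONENTS_KEY + "\\" + pack_guid(component),
        }
        for (product, feature, component), n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print("%(count)d x product %(product)s, feature %(feature)s" % row)
        print("  product name under:   %(product_key)s" % row)
        print("  component keypath in: %(component_key)s" % row)
```

Each repeated event is one application launch triggering feature detection: Windows Installer checks the component's key path, finds it missing, and starts a repair that needs the original source media, which is the dialog asking for a CD. Under the component key, each value name is a packed product code and its data is the key path; if that file is simply gone, the choices are to restore it, reinstall the product (the later reply in this thread identifies HandWritingFiles as an Office feature), or remove that feature so the check stops running.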


----------



## chirodoc (Nov 1, 2004)

So this thing is popping up all the time and failing. Tell me what you need to see out of the startups log and I will post it, cause there is too much to post it all. Thanks for your help.


----------



## chirodoc (Nov 1, 2004)

In the services log of the software menu, this is what it says about the Windows Installer...

Windows Installer	MSIServer	Running	Manual	Share Process	c:\windows\system32\msiexec.exe /v	Normal	LocalSystem	0


----------



## chirodoc (Nov 1, 2004)

If I go to this .exe file, can I delete it and stop the installer from coming up, or what?


----------



## chirodoc (Nov 1, 2004)

I copied the .exe file I posted and ran it, and a little box popped up that said "incorrect function!" Hmmm...


----------



## ~Candy~ (Jan 27, 2001)

Something is too strange if you can't paste a startup list.... You went to software environment, startups, right?

For example, this is mine:

AIM	c:\aim\aim.exe -cnetwait.odl	CHAVA\Chava Gata	HKU\S-1-5-21-329068152-2052111302-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GoToMyPC	k:\expertcity\gotomypc\g2svc.exe -logon	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MCAgentExe	k:\progra~1\mcafee.com\agent\mcagent.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MCUpdateExe	k:\progra~1\mcafee.com\agent\mcupdate.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MessengerPlus3	"k:\messenger plus! 3\msgplus.exe" /winstart	CHAVA\Chava Gata	HKU\S-1-5-21-329068152-2052111302-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MessengerPlus3	"k:\messenger plus! 3\msgplus.exe"	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Photo Loader supervisory	c:\casio\photol~1\plauto.exe	All Users	Common Startup
QuickTime Task	"k:\program files\quicktime\qttask.exe" -atboottime	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpywareGuard	k:\spywar~1\sgmain.exe	CHAVA\Chava Gata	Startup
TkBellExe	"k:\program files\common files\real\update_ob\realsched.exe" -osboot	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VSOCheckTask	"k:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ViewMgr	k:\program files\viewpoint\viewpoint manager\viewmgr.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VirusScan Online	"k:\progra~1\mcafee.com\vso\mcvsshld.exe"	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Zinio DLM	k:\zinio\zdlm.exe /hide	CHAVA\Chava Gata	HKU\S-1-5-21-329068152-2052111302-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop	desktop.ini	NT AUTHORITY\SYSTEM	Startup
desktop	desktop.ini	CHAVA\Chava Gata	Startup
desktop	desktop.ini	.DEFAULT	Startup
desktop	desktop.ini	All Users	Common Startup
iTunesHelper	k:\itunes\ituneshelper.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


----------



## chirodoc (Nov 1, 2004)

Yeah, let me try it again though. Did you follow any of my rambling about the Windows error log and all that? Thanks for stickin' this out with me, I know I'm an idiot.

Going to try and post again... run msinfo32, software environment, startups, edit, select all, copy and paste. That's what I've tried. Later..


----------



## chirodoc (Nov 1, 2004)

Okay, here's a quick question that may be causing a problem... When I go into software environment, the next list to go into DOESN'T say startups, it says startup programs... Is there a discrepancy here or were you just abbreviating? I don't have a list labeled startups...


----------



## ~Candy~ (Jan 27, 2001)

The windows error log is pretty Greek to me. I'm thinking we should see the installer running via startups and maybe we can kill it there.


----------



## ~Candy~ (Jan 27, 2001)

Yes, startup programs is what I want, I usually just abbreviate to make my posts shorter to type. Sorry about that, notice I left off 'environment' too.


----------



## chirodoc (Nov 1, 2004)

Here are the first five or six lines, but seriously it goes on for DAYS!!!

$ncsp$	$ncsp$.inf	NT AUTHORITY\SYSTEM	Startup
$ncsp$	$ncsp$.inf	.DEFAULT	Startup
$winnt$	$winnt$.inf	NT AUTHORITY\SYSTEM	Startup
$winnt$	$winnt$.inf	.DEFAULT	Startup
12520437	12520437.cpx	NT AUTHORITY\SYSTEM	Startup
12520437	12520437.cpx	.DEFAULT	Startup
12520850	12520850.cpx	NT AUTHORITY\SYSTEM	Startup
12520850	12520850.cpx	.DEFAULT	Startup
5JY4YGM5K9YZT7	c:\windows\system32\doznu4.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
6to4svc	6to4svc.dll	NT AUTHORITY\SYSTEM	Startup


----------



## chirodoc (Nov 1, 2004)

K, got the abbr. thing, now let's fix this thing.


----------



## ~Candy~ (Jan 27, 2001)

Wow, good grief, you should be able to uncheck most everything, but let me see who I can find to assist.


----------



## chirodoc (Nov 1, 2004)

Uncheck?


----------



## ~Candy~ (Jan 27, 2001)

Yes, but you'll do that from start, run, msconfig, startup tab. I'm trying to locate Rollin' Rog, but he doesn't appear to be online right now. I'm not sure who else may be able to help.


----------



## chirodoc (Nov 1, 2004)

Seein' if you found Rollin' Rog to help.


----------



## Rollin' Rog (Dec 9, 2000)

Use HijackThis to post a scan log here. If possible, create the scan log while the popup window is on the screen, before you press "Cancel".

http://www.net-integration.net/tools/hijackthis.html

You say you used System Restore, did the restore complete successfully to a date prior to the updates, and just not resolve the problem, or did the restore fail?

It's rather surprising that a successful System Restore would not resolve this.

It seems like a similar problem was posed here and may have gone unresolved. I'm including the link for reference and future comparison with yours...

http://forums.techguy.org/t268252&highlight=office.html


----------



## chirodoc (Nov 1, 2004)

I am thinking that possibly the system restore failed... I'm not sure... To be sure, can someone run me through a system restore, hopefully to a point before the change that occurred to make the Windows Installer popup box appear? Part of the archived post sounds just like my problem, but maybe a successful system restore will do the trick. Thanks for the help/guidance.


----------



## ~Candy~ (Jan 27, 2001)

http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx


----------



## chirodoc (Nov 1, 2004)

Ran a system restore to the oldest point I could get to, which was back on Aug. 2nd, and after reboot a dialog box said I couldn't restore because no changes had been made to the system. Where do I go from here? Anyone seen the startup log I posted that can mire through some of it? I was telling acaCandy that I can't paste it all at once cause it's so large...


----------



## chirodoc (Nov 1, 2004)

Also, on Windows startup I have an application that comes up as failed. It is an .exe file and it says it had a problem loading it. Can I get rid of it, and how? The file is (bwgfvnah.exe). Thanks again.


----------



## chirodoc (Nov 1, 2004)

Logfile of HijackThis v1.98.2
Scan saved at 11:11:15 AM, on 11/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Deerfield.com\DNS2Go\DNS2GoClient.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\UPGRADE.TXT:jqkcl
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wkupik.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\winro.exe
C:\WINDOWS\System32\mmgr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\XddOW0.exe
C:\WINDOWS\System32\RnuQDC65.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\antispyware\HijackThis.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\MsiExec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.worldnetdaily.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E4C8B99E-0103-FBC9-F6CA-7D83FF55910C} - C:\WINDOWS\netet32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5JY4YGM5K9YZT7] C:\WINDOWS\System32\DozNu4.exe
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Jamie\LOCALS~1\Temp\32423.exe
O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
O4 - HKLM\..\Run: [ntyw32.exe] C:\WINDOWS\system32\ntyw32.exe
O4 - HKLM\..\Run: [ewoj] C:\WINDOWS\System32\agaapmpj.exe
O4 - HKLM\..\Run: [rmzaez] C:\WINDOWS\System32\gqzhn.exe
O4 - HKLM\..\Run: [okldpuym] C:\WINDOWS\System32\dkbgx.exe
O4 - HKLM\..\Run: [cphttgye] C:\WINDOWS\System32\eakqikt.exe
O4 - HKLM\..\Run: [dsix] C:\WINDOWS\System32\jkrhovea.exe
O4 - HKLM\..\Run: [yvil] C:\WINDOWS\System32\vrsoujvh.exe
O4 - HKLM\..\Run: [othhquyh] C:\WINDOWS\System32\vvkiwb.exe
O4 - HKLM\..\Run: [uyih] C:\WINDOWS\System32\yqpa.exe
O4 - HKLM\..\Run: [dbvbd] C:\WINDOWS\System32\fqcxs.exe
O4 - HKLM\..\Run: [wigaiwn] C:\WINDOWS\System32\zbcgirp.exe
O4 - HKLM\..\Run: [szqrfx] C:\WINDOWS\System32\lapgina.exe
O4 - HKLM\..\Run: [qtyvlheg] C:\WINDOWS\System32\qtwb.exe
O4 - HKLM\..\Run: [dhac] C:\WINDOWS\System32\zzvh.exe
O4 - HKLM\..\Run: [rpbmr] C:\WINDOWS\System32\bbjzlwst.exe
O4 - HKLM\..\Run: [winro.exe] C:\WINDOWS\system32\winro.exe
O4 - HKLM\..\Run: [oggmatp] C:\WINDOWS\System32\wxnuyw.exe
O4 - HKLM\..\Run: [vgxu] C:\WINDOWS\System32\nzgekuhr.exe
O4 - HKLM\..\Run: [tjdykw] C:\WINDOWS\System32\qttxlf.exe
O4 - HKLM\..\Run: [jpndo] C:\WINDOWS\System32\wdccq.exe
O4 - HKLM\..\Run: [uyrvc] C:\WINDOWS\System32\bsry.exe
O4 - HKLM\..\Run: [ksfvoe] C:\WINDOWS\System32\mmejwmil.exe
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mmgr32.exe
O4 - HKCU\..\Run: [input] C:\WINDOWS\System32\input.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [hhkbxd] C:\WINDOWS\System32\bwgfvnah.exe k:hhkbxd:
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\snbd.exe
O4 - HKCU\..\Run: [JavaUpdate0.06] C:\WINDOWS\System32\lgmz.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.212.47.54/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
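
Read as a whole, the log points at far more than the installer loop, and the indicators it shows can be checked mechanically. The script below is an added example, not the HijackThis tool's own logic and not anything posted in the thread: it applies string rules to HijackThis-style lines for the patterns visible above, namely a running executable whose path has a ':' after the extension (an NTFS alternate data stream, as in UPGRADE.TXT:jqkcl), IE start/search pages pointed at a local res:// or file:/// target, an unnamed BHO, unknown Winsock LSP modules, and Run entries launching from a Temp directory or directly from the Windows directory under machine-looking names. The sample input is a constructed excerpt of the log above; the allowlist of expected Windows-directory autostarts and the randomness heuristic are assumptions for this demo, not a vetted baseline.

```python
"""Rule-based triage of a HijackThis (v1.98) log.

Added example, not HijackThis code and not from the thread. The allowlist
and the name heuristic are assumptions for this demo.
"""
import re

# Constructed excerpt of the log posted above (HijackThis output lines).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\UPGRADE.TXT:jqkcl
C:\WINDOWS\System32\msiexec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
O2 - BHO: (no name) - {E4C8B99E-0103-FBC9-F6CA-7D83FF55910C} - C:\WINDOWS\netet32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [5JY4YGM5K9YZT7] C:\WINDOWS\System32\DozNu4.exe
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Jamie\LOCALS~1\Temp\32423.exe
O4 - HKLM\..\Run: [rmzaez] C:\WINDOWS\System32\gqzhn.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\snbd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
"""

# Autostart binaries expected directly under the Windows directory on this
# image (assumption for the demo; a real triage uses a vetted baseline).
KNOWN_GOOD_WINDIR = {"nvcpl.dll", "nwiz.exe", "ezsp_px.exe", "ramasst.exe"}

ADS_RE = re.compile(r"\.[a-z0-9]+:[a-z0-9$]+$", re.I)          # file.ext:stream
WINDIR_RE = re.compile(r"^c:\\windows(?:\\system32)?\\[^\\]+$", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
DRIVE_PATH_RE = re.compile(r"[a-z]:\\\S+?\.(?:exe|dll|scr|com|pif)\b", re.I)


def target_path(command):
    """Executable path from a Run-key command line, quoted or bare
    (handles 'RUNDLL32.EXE C:\\...\\x.dll,Entry' by taking the drive path)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = DRIVE_PATH_RE.search(command)
    return m.group(0) if m else command.split(" ")[0]


def looks_random(stem):
    """Weak heuristic for generated names like 'gqzhn' or 'DozNu4':
    almost no vowels, or digits mixed into the letters."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 4:
        return False
    vowels = sum(c.lower() in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2 or any(c.isdigit() for c in stem)


def triage(log_text):
    """Return (severity, reason, line) findings; string rules only, no file access."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        tag = line.split(" - ", 1)[0] if " - " in line else ""
        if ADS_RE.search(line):
            findings.append(("high", "runs from an NTFS alternate data stream", line))
        elif tag in ("R0", "R1") and re.search(r"= (?:res://|file:///)", line):
            findings.append(("high", "IE start/search page points at a local file", line))
        elif tag == "O2" and "(no name)" in line:
            findings.append(("medium", "unnamed browser helper object", line))
        elif tag == "O10":
            findings.append(("high", "unknown Winsock LSP module", line))
        elif tag == "O4":
            path = target_path(line.split("] ", 1)[-1])
            name = path.rsplit("\\", 1)[-1]
            if TEMP_RE.search(path):
                findings.append(("high", "autostart from a Temp directory", line))
            elif WINDIR_RE.match(path) and name.lower() not in KNOWN_GOOD_WINDIR:
                reason = "autostart directly under the Windows directory"
                if looks_random(name.rsplit(".", 1)[0]):
                    reason += " with a random-looking name"
                findings.append(("medium", reason, line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print("%-6s %-55s %s" % (severity, reason, line))
```

The allowlist is what makes the "bare file under the Windows directory" rule usable: legitimate autostarts that do live there (the NVIDIA control panel DLL in this log) are baselined, and everything else gets a human look. The vowel-ratio check is deliberately weak and only annotates a finding; it is the location rules, not the name, that flag an entry.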


----------



## chirodoc (Nov 1, 2004)

The preceding post is my hijackthis.log Notepad file. I scanned it while the Windows Installer dialog box was on screen, but looking through the contents I don't see it on there anywhere, but you guys are the experts! Let me know what to check and fix ASAP. Thanks for all your help!


----------



## chirodoc (Nov 1, 2004)

A couple of things I DO see are...
1. That bwgfvnah.exe file that keeps coming up at startup.
2. This thing... file:///C:/Program%20Files/MStart2Page/Portal/portal.html (which always shows up as my default home page in the Explorer browser even though I change it every time to the site just below it, which is www.worldnetdaily.com). WOW, can I get that off of there too?!!
3. ezButton, Doznu4, msnmessenger background, a bunch of stuff like broadjump, dns2go, touchpad --- all stuff I don't use.


----------



## ~Candy~ (Jan 27, 2001)

You have SOME REAL SERIOUS issues there, wait for Rog or another security person please. STOP doing anything for now.


----------



## chirodoc (Nov 1, 2004)

I'm a doctor, and what you just typed was like me telling a patient "Hey, you have cancer, it's serious, I've got a friend who should be here later to tell you about it, have a good day!" --- just kidding. Thanks for your help, AcaCandy, will wait to hear from Rog.


----------



## ~Candy~ (Jan 27, 2001)

Well, you wouldn't want to hear MY cure-all.

It's called format c:


----------



## chirodoc (Nov 1, 2004)

I'm getting distracted here, what's going on with my computer issue?


----------



## ~Candy~ (Jan 27, 2001)

Let me see who I can find online. I take it my format c: solution was not acceptable?


----------



## chirodoc (Nov 1, 2004)

Ummm, acceptable.......no. A soon-to-be cold hard fact of life....probably.

Say it ain't so, momma mia.


----------



## cybertech (Apr 16, 2002)

Click here to download getservice.zip and unzip it to your desktop. Open the Getservice folder and click on the getservices.bat file. A notepad will open up with a long list of Services. Please save that notepad file and attach it to your next reply to this thread. It will be easier to attach it rather than copy and paste because it will be too long to paste in one post.


----------



## ~Candy~ (Jan 27, 2001)

Ok, doc, I'm off to assist others in need, you're in good hands with cybertech. Your prognosis has now been updated to probable survivor.


----------



## cfrc22 (Nov 9, 2004)

This is what I would do:

1. Scan the PC for spyware & malware using Adaware and Spybot S&D.

2. Looking back to your original post, I noticed a problem with HandWritingFiles; this could be related to the handwriting recognition which is installed with Office XP or 2003, so I would suggest reinstalling Office from the original CD (if you have it).

Let me know if this helps.


----------



## chirodoc (Nov 1, 2004)

cybertech, I did as you requested and the notepad file is empty. The DOS screen that popped up with the notepad says, 'psservice' is not recognized as an internal or external command, operable program or batch file.


----------



## chirodoc (Nov 1, 2004)

cfrc22, I haven't been able to locate my Office CD as of today, thanks
-doc


----------



## Flrman1 (Jul 26, 2002)

chirodoc said:


> cybertech, I did as you requested and the notepad file is empty. The DOS screen that popped up with the notepad says, 'psservice' is not recognized as an internal or external command, operable program or batch file.


That error usually means that you did not unzip the getservice.zip file before you tried to run the getservice.bat file. Unzip it and try again.

Also rescan with Hijack This and post a fresh log when you attach the getservice.txt file.


----------



## Rollin' Rog (Dec 9, 2000)

Not absolutely sure, but among others, it looks like there could be a "peper" trojan infection there as well.

O4 - HKLM\..\Run: [5JY4YGM5K9YZT7] C:\WINDOWS\System32\DozNu4.exe

The multiple other "random" named files running on startup are characteristic of this too.

Might be a good idea to run that fixer at the appropriate time.

I'm sure Cybertech can take care of you.


----------



## chirodoc (Nov 1, 2004)

Here is the new HijackThis log and the txt file that opened (it worked after I unzipped it again, thanks guys!!). Let me know if either one of them is unreadable or anything.


----------



## chirodoc (Nov 1, 2004)

Looks like maybe my HijackThis log isn't gonna open up right, so I will just post it outright. Thx.


----------



## chirodoc (Nov 1, 2004)

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Deerfield.com\DNS2Go\DNS2GoClient.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\UPGRADE.TXT:jqkcl
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wkupik.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\winro.exe
C:\WINDOWS\System32\mmgr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\XddOW0.exe
C:\WINDOWS\System32\RnuQDC65.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\msiexec.exe
C:\antispyware\HijackThis.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\MsiExec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jchfc.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.worldnetdaily.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E4C8B99E-0103-FBC9-F6CA-7D83FF55910C} - C:\WINDOWS\netet32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5JY4YGM5K9YZT7] C:\WINDOWS\System32\DozNu4.exe
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Jamie\LOCALS~1\Temp\32423.exe
O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
O4 - HKLM\..\Run: [ntyw32.exe] C:\WINDOWS\system32\ntyw32.exe
O4 - HKLM\..\Run: [ewoj] C:\WINDOWS\System32\agaapmpj.exe
O4 - HKLM\..\Run: [rmzaez] C:\WINDOWS\System32\gqzhn.exe
O4 - HKLM\..\Run: [okldpuym] C:\WINDOWS\System32\dkbgx.exe
O4 - HKLM\..\Run: [cphttgye] C:\WINDOWS\System32\eakqikt.exe
O4 - HKLM\..\Run: [dsix] C:\WINDOWS\System32\jkrhovea.exe
O4 - HKLM\..\Run: [yvil] C:\WINDOWS\System32\vrsoujvh.exe
O4 - HKLM\..\Run: [othhquyh] C:\WINDOWS\System32\vvkiwb.exe
O4 - HKLM\..\Run: [uyih] C:\WINDOWS\System32\yqpa.exe
O4 - HKLM\..\Run: [dbvbd] C:\WINDOWS\System32\fqcxs.exe
O4 - HKLM\..\Run: [wigaiwn] C:\WINDOWS\System32\zbcgirp.exe
O4 - HKLM\..\Run: [szqrfx] C:\WINDOWS\System32\lapgina.exe
O4 - HKLM\..\Run: [qtyvlheg] C:\WINDOWS\System32\qtwb.exe
O4 - HKLM\..\Run: [dhac] C:\WINDOWS\System32\zzvh.exe
O4 - HKLM\..\Run: [rpbmr] C:\WINDOWS\System32\bbjzlwst.exe
O4 - HKLM\..\Run: [winro.exe] C:\WINDOWS\system32\winro.exe
O4 - HKLM\..\Run: [oggmatp] C:\WINDOWS\System32\wxnuyw.exe
O4 - HKLM\..\Run: [vgxu] C:\WINDOWS\System32\nzgekuhr.exe
O4 - HKLM\..\Run: [tjdykw] C:\WINDOWS\System32\qttxlf.exe
O4 - HKLM\..\Run: [jpndo] C:\WINDOWS\System32\wdccq.exe
O4 - HKLM\..\Run: [uyrvc] C:\WINDOWS\System32\bsry.exe
O4 - HKLM\..\Run: [ksfvoe] C:\WINDOWS\System32\mmejwmil.exe
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mmgr32.exe
O4 - HKCU\..\Run: [input] C:\WINDOWS\System32\input.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [hhkbxd] C:\WINDOWS\System32\bwgfvnah.exe k:hhkbxd:
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\snbd.exe
O4 - HKCU\..\Run: [JavaUpdate0.06] C:\WINDOWS\System32\lgmz.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.212.47.54/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab


----------



## chirodoc (Nov 1, 2004)

I saw, looking through the getservice file, the Windows Installer paragraph:

SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

That sounds like the least of my worries at this point though, eh? I have been getting a notification from Norton the last 2 days that it is detecting a trojankillv or something named similar to that. I ran 2 system scans and nothing else came up.


----------



## Flrman1 (Jul 26, 2002)

I am pasting this service info here for easy reference. I'll post the removal directions in the next 10 to 15 mins.

SERVICE_NAME: O?rtñåÈ²$Ó
(null)
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\UPGRADE.TXT:jqkcl /s
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Helper
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem
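
Added example, not part of the thread and not code from any tool named on this page: a Python script that reads a service dump in the format pasted above and reports the signs that make the "Remote Procedure Call (RPC) Helper" record malicious. The two sample records are copied from this thread; the allowlist of the real RPC short names, the file-extension check and the "no description" signal are the example's own heuristics, not something the page states.

```python
import re
import string

# Sample input, constructed for this example from the two service records
# quoted in this thread: the legitimate Windows Installer service and the
# malicious one posted just above.
SERVICE_DUMP = """\
SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\\WINDOWS\\System32\\msiexec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: O?rt\u00f1\u00e5\u00c8\u00b2$\u00d3
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\\WINDOWS\\UPGRADE.TXT:jqkcl /s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Helper
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
"""

# Display names of the two real RPC services the thread says not to touch,
# with their real short names. Assumption: a service that borrows this display
# name prefix under any other short name is impersonating them.
KNOWN_RPC = {"Remote Procedure Call (RPC)": "RpcSs",
             "Remote Procedure Call (RPC) Locator": "RpcLocator"}

FIELD_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_service_dump(text):
    """One dict of FIELD -> value per service; the free-text line under
    SERVICE_NAME becomes DESCRIPTION."""
    records = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) == "SERVICE_NAME":
            records.append({"SERVICE_NAME": m.group(2)})
        elif m and records:
            records[-1][m.group(1)] = m.group(2)
        elif records and line.strip() and "DESCRIPTION" not in records[-1]:
            records[-1]["DESCRIPTION"] = line.strip()
    return records


def image_path(binary_path_name):
    """Executable part of BINARY_PATH_NAME, without quotes or arguments."""
    s = binary_path_name.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]


def triage_service(rec):
    """Reasons a service record looks suspicious (empty list = nothing found)."""
    reasons = []
    name = rec.get("SERVICE_NAME", "")
    display = rec.get("DISPLAY_NAME", "")
    image = image_path(rec.get("BINARY_PATH_NAME", ""))
    if not image:
        return ["no image path"]
    # A second colon after the drive letter is an NTFS alternate data stream:
    # the code runs from a hidden stream of another file (UPGRADE.TXT:jqkcl).
    host = image[:2] + image[2:].split(":")[0]
    if host != image:
        reasons.append("image is an NTFS alternate data stream")
    if not host.lower().endswith((".exe", ".sys")):
        reasons.append("host file %s is not an executable" % host)
    if any(ch not in string.printable for ch in name):
        reasons.append("service name contains non-ASCII or non-printable characters")
    if rec.get("DESCRIPTION", "(null)") == "(null)":
        reasons.append("no description (weak signal)")
    if any(display.startswith(d) for d in KNOWN_RPC) and name not in KNOWN_RPC.values():
        reasons.append("display name imitates a built-in RPC service")
    return reasons


def triage_dump(text):
    """Service short name -> list of reasons, for every record in the dump."""
    return {rec["SERVICE_NAME"]: triage_service(rec) for rec in parse_service_dump(text)}


if __name__ == "__main__":
    for svc, reasons in triage_dump(SERVICE_DUMP).items():
        print("%-10s %s" % ("SUSPICIOUS" if reasons else "ok", svc))
        for r in reasons:
            print("    -", r)
```

The point worth taking from the output is the BINARY_PATH_NAME: `C:\WINDOWS\UPGRADE.TXT:jqkcl` means the service executable is stored in an alternate data stream attached to a text file, which is why no search for an .exe will turn it up and why the removal steps further down delete UPGRADE.TXT itself (deleting the host file removes its streams). The garbage short name and the borrowed "Remote Procedure Call (RPC)" display name are the other two tells; the "no description" check is weak on its own, since plenty of legitimate third-party services have none.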


----------



## Flrman1 (Jul 26, 2002)

*Click here* to download LspFix

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of *calsp.dll* (and nothing else) , and move them to the "Remove" pane. 
Then click Finish. 
___________________________________________________________________________
Click here to download cwsserviceremove.zip and unzip it to your desktop and have it ready to run later.
___________________________________________________________________________

Click here to download CWShredder. *Do Not* run it yet. Download it to the desktop and have it ready to run later.

____________________________________________________________________

Click here to download AboutBuster created by Rubber Ducky.

*Unzip* AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode. 
_____________________________________________________________________

Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
______________________________________________________________________

*Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.
______________________________________________________________________

Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Remote Procedure Call (RPC) Helper*.
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*CAUTION:* There is also a service named *Remote Procedure Call (RPC) Locator* and one called *Remote Procedure Call (RPC)* . These are the legitimate services. Do not stop those two.
______________________________________________________________________

Restart to safe mode.

How to start your computer in safe mode

Perform the following steps in safe mode:

____________________________________________________________________

Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Put a check by these entries in Hijack This and click the "Fix Checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jchfc.dll/sp.html#12802

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jchfc.dll/sp.html#12802

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStart2Page/Portal/portal.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jchfc.dll/sp.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jchfc.dll/sp.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jchfc.dll/sp.html#12802

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jchfc.dll/sp.html#12802

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jchfc.dll/sp.html#12802

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MStart2Page/Portal/portal.html

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {E4C8B99E-0103-FBC9-F6CA-7D83FF55910C} - C:\WINDOWS\netet32.dll

O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Jamie\LOCALS~1\Temp\32423.exe

O4 - HKLM\..\Run: [ntyw32.exe] C:\WINDOWS\system32\ntyw32.exe

O4 - HKLM\..\Run: [ewoj] C:\WINDOWS\System32\agaapmpj.exe

O4 - HKLM\..\Run: [rmzaez] C:\WINDOWS\System32\gqzhn.exe

O4 - HKLM\..\Run: [okldpuym] C:\WINDOWS\System32\dkbgx.exe

O4 - HKLM\..\Run: [cphttgye] C:\WINDOWS\System32\eakqikt.exe

O4 - HKLM\..\Run: [dsix] C:\WINDOWS\System32\jkrhovea.exe

O4 - HKLM\..\Run: [yvil] C:\WINDOWS\System32\vrsoujvh.exe

O4 - HKLM\..\Run: [othhquyh] C:\WINDOWS\System32\vvkiwb.exe

O4 - HKLM\..\Run: [uyih] C:\WINDOWS\System32\yqpa.exe

O4 - HKLM\..\Run: [dbvbd] C:\WINDOWS\System32\fqcxs.exe

O4 - HKLM\..\Run: [wigaiwn] C:\WINDOWS\System32\zbcgirp.exe

O4 - HKLM\..\Run: [szqrfx] C:\WINDOWS\System32\lapgina.exe

O4 - HKLM\..\Run: [qtyvlheg] C:\WINDOWS\System32\qtwb.exe

O4 - HKLM\..\Run: [dhac] C:\WINDOWS\System32\zzvh.exe

O4 - HKLM\..\Run: [rpbmr] C:\WINDOWS\System32\bbjzlwst.exe

O4 - HKLM\..\Run: [winro.exe] C:\WINDOWS\system32\winro.exe

O4 - HKLM\..\Run: [oggmatp] C:\WINDOWS\System32\wxnuyw.exe

O4 - HKLM\..\Run: [vgxu] C:\WINDOWS\System32\nzgekuhr.exe

O4 - HKLM\..\Run: [tjdykw] C:\WINDOWS\System32\qttxlf.exe

O4 - HKLM\..\Run: [jpndo] C:\WINDOWS\System32\wdccq.exe

O4 - HKLM\..\Run: [uyrvc] C:\WINDOWS\System32\bsry.exe

O4 - HKLM\..\Run: [ksfvoe] C:\WINDOWS\System32\mmejwmil.exe

O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mmgr32.exe

O4 - HKCU\..\Run: [input] C:\WINDOWS\System32\input.exe

O4 - HKCU\..\Run: [hhkbxd] C:\WINDOWS\System32\bwgfvnah.exe k:hhkbxd:

O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\snbd.exe

O4 - HKCU\..\Run: [JavaUpdate0.06] C:\WINDOWS\System32\lgmz.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab

O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

Find and delete these files:

C:\WINDOWS\system32\ntyw32.exe
C:\WINDOWS\System32\agaapmpj.exe
C:\WINDOWS\System32\gqzhn.exe
C:\WINDOWS\System32\dkbgx.exe
C:\WINDOWS\System32\eakqikt.exe
C:\WINDOWS\System32\jkrhovea.exe
C:\WINDOWS\System32\vrsoujvh.exe
C:\WINDOWS\System32\vvkiwb.exe
C:\WINDOWS\System32\yqpa.exe
C:\WINDOWS\System32\fqcxs.exe
C:\WINDOWS\System32\zbcgirp.exe
C:\WINDOWS\System32\lapgina.exe
C:\WINDOWS\System32\qtwb.exe
C:\WINDOWS\System32\zzvh.exe
C:\WINDOWS\System32\bbjzlwst.exe
C:\WINDOWS\system32\winro.exe
C:\WINDOWS\System32\wxnuyw.exe
C:\WINDOWS\System32\nzgekuhr.exe
C:\WINDOWS\System32\qttxlf.exe
C:\WINDOWS\System32\wdccq.exe
C:\WINDOWS\System32\bsry.exe
C:\WINDOWS\System32\mmejwmil.exe
C:\WINDOWS\System32\mmgr32.exe
C:\WINDOWS\System32\input.exe
C:\WINDOWS\System32\bwgfvnah.exe
C:\WINDOWS\System32\snbd.exe
C:\WINDOWS\System32\lgmz.exe
c:\windows\system32\calsp.dll
C:\WINDOWS\System32\wkupik.exe
C:\WINDOWS\UPGRADE.TXT

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Jamie (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.

*Click here* to download the PeperFix.exe tool to get rid of the peper trojan:

Click on the PeperFix.exe to launch it.

Click the *Find and Fix* button.

It will scan the %systemroot% folder and locate all the peper files. You will be prompted to restart your computer. Restart and it will delete the peper files.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Go here and do an online virus scan.

Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit the program.

If you have Spybot S&D installed you will also need to replace one file. 
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder. 
Find shell.dll and right click on it. Choose Copy from the menu. 
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

control.exe may have been deleted. 
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

*IMPORTANT!:* Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended here.

When you are sure you are clean turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.


----------



## chirodoc (Nov 1, 2004)

Nothing like trouble right off the bat to wrench things up. I can't get your link to the counterexploitation site to work. I have a good connection to the internet and I can move around to other sites fine, but when trying to get to www.cexx.org/LSPFix.exe, it cannot do it. Tech difficulties with the site, or what should I try to get to the site?


----------



## ~Candy~ (Jan 27, 2001)

It's not working for me either. I'm sure Mark will come up with an alternative.


----------



## chirodoc (Nov 1, 2004)

Hi Candy, hey, I think I have it working now. It's just an application dialog box that asks to download some files, right? Good. Will download and use now, and then on to the next step. Thanks


----------



## chirodoc (Nov 1, 2004)

First step done. Only had one calsp.dll to remove; is that normal?


----------



## Flrman1 (Jul 26, 2002)

It's working for me.


----------



## ~Candy~ (Jan 27, 2001)

Must have been a momentary glitch


----------



## chirodoc (Nov 1, 2004)

Signing off now to finish the rest. May the tech gods have mercy on my soul!!!!


----------



## ~Candy~ (Jan 27, 2001)

Good Luck


----------



## chirodoc (Nov 1, 2004)

Hey, this is doc again. I am not on my computer, but I have a question about the process. I am trying to find all the files you asked me to find and delete, but I can't find but one or two of them; shouldn't they all be there? I set up the search and everything like you wanted, to search for hidden and system files, and unchecked the two items that were checked, but I can't find most of the .exe files in Start > Search. Am I doing it incorrectly? What should I do?


----------



## chirodoc (Nov 1, 2004)

Hey also, flrman1, in your instructions you say to "boot back to Windows"; does that mean to restart and get OUT of safe mode? If that isn't what it means, then how do I boot back to Windows, and when do I get back out of safe mode? Thanks.


----------



## Flrman1 (Jul 26, 2002)

You need to physically navigate to the folders and look for the files. If you still can't find them then move on.

Yes, boot back to Windows means boot out of safe mode.


----------



## chirodoc (Nov 1, 2004)

Thanks flrman1, so actually just look in the folders then? Okay, thanks.


----------



## chirodoc (Nov 1, 2004)

Hey flrman, I am running the Trend Micro virus scan again to see if I can find how to delete all the files it finds, but I'm not sure it will. Plus, I ran the PeperFix program and then did the virus scan, and it showed a trojan in a file in the PeperFix, and that was after I had restarted the computer just after running the PeperFix. What's up with that? Everything is done that you posted for me to do except the system restore point, and I haven't done that 'cause I got a virus alert from Norton saying that the trojankillav was detected, after I went through all that other stuff. Plus my Windows Installer dialog box is STILL popping up. What to do next? Thanks for your advice.


----------



## chirodoc (Nov 1, 2004)

Logfile of HijackThis v1.98.2
Scan saved at 5:40:22 PM, on 11/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wkupik.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\program files\ee\sain.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Deerfield.com\DNS2Go\DNS2GoClient.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jamie\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.worldnetdaily.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5JY4YGM5K9YZT7] C:\WINDOWS\System32\RmtQCB55.exe
O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [mobyhmo] C:\WINDOWS\System32\vhok.exe
O4 - HKLM\..\Run: [sain] c:\program files\ee\sain.exe
O4 - HKLM\..\Run: [lgqi] C:\WINDOWS\System32\ysuikcq.exe
O4 - HKLM\..\Run: [dxbyyrzw] C:\WINDOWS\System32\kefp.exe
O4 - HKLM\..\Run: [arop] C:\WINDOWS\arop.exe
O4 - HKLM\..\Run: [betkjlz] C:\WINDOWS\System32\zzqnm.exe
O4 - HKLM\..\Run: [temuiguv] C:\WINDOWS\System32\fdipyr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.212.47.54/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab


----------



## chirodoc (Nov 1, 2004)

This is my log file after all the changes have been made. How does it look?

thx


----------



## Rollin' Rog (Dec 9, 2000)

http://www.bleepingcomputer.com/files/peperremover.php

I believe you need to be connected to the internet when you run the peper tool, were you?

Run the "peper fixer" again, then reboot in Safe Mode and check and fix the following entries:

O4 - HKLM\..\Run: [5JY4YGM5K9YZT7] C:\WINDOWS\System32\RmtQCB55.exe

O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe

^^ delete the "ee" folder.

O4 - HKLM\..\Run: [mobyhmo] C:\WINDOWS\System32\vhok.exe
O4 - HKLM\..\Run: [sain] c:\program files\ee\sain.exe
O4 - HKLM\..\Run: [lgqi] C:\WINDOWS\System32\ysuikcq.exe
O4 - HKLM\..\Run: [dxbyyrzw] C:\WINDOWS\System32\kefp.exe
O4 - HKLM\..\Run: [arop] C:\WINDOWS\arop.exe
O4 - HKLM\..\Run: [betkjlz] C:\WINDOWS\System32\zzqnm.exe
O4 - HKLM\..\Run: [temuiguv] C:\WINDOWS\System32\fdipyr.exe

^^ verify all these files are deleted

Reboot, connect and run the Peper Tool a second time, then run HijackThis and post the Scanlog again.
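
Added example, not from the thread and not part of HijackThis itself: a Python triage of the O4 (autostart) entries in two of the logs above, the first log in this section and the 10 Nov log. It parses the Run-key and Startup-folder lines, applies a few heuristics (Temp-folder path, lowercase random-looking file name in a system directory, a Run value name unrelated to its image, a machine-generated-looking value name) and diffs the two logs, which is how the re-pointed `5JY4YGM5K9YZT7` value stands out. The sample logs are subsets constructed from the thread's own entries; the heuristics and the tiny allowlist are this example's assumptions, will miss things (they do not flag `RmtQCB55.exe` by its file name alone) and would need extending for real use.

```python
import re

# Sample inputs, constructed for this example from a subset of the O4 lines in
# the first log of this section (BEFORE) and the 10 Nov log (AFTER).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [5JY4YGM5K9YZT7] C:\WINDOWS\System32\DozNu4.exe
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Jamie\LOCALS~1\Temp\32423.exe
O4 - HKLM\..\Run: [ewoj] C:\WINDOWS\System32\agaapmpj.exe
O4 - HKLM\..\Run: [winro.exe] C:\WINDOWS\system32\winro.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [5JY4YGM5K9YZT7] C:\WINDOWS\System32\RmtQCB55.exe
O4 - HKLM\..\Run: [mobyhmo] C:\WINDOWS\System32\vhok.exe
O4 - HKLM\..\Run: [arop] C:\WINDOWS\arop.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.*?) = (.*)$")
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Assumption: a minimal allowlist of legitimate lowercase names that live in
# those directories; a real triage list would be much longer.
KNOWN_GOOD = {"ctfmon", "rundll32"}
RANDOM_RE = re.compile(r"^[a-z]{4,8}$")               # e.g. agaapmpj, vhok, ewoj
GENERATED_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{10,}$")  # e.g. 5JY4YGM5K9YZT7


def image_of(command):
    """Executable part of a Run-key command, with quotes and arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def parse_o4(text):
    """Map (location, value or shortcut name) -> image path for every O4 line."""
    entries = {}
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            entries[(m.group(1) + "\\Run", m.group(2))] = image_of(m.group(3))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries[(m.group(1), m.group(2))] = image_of(m.group(3))
    return entries


def suspicion(key, image):
    """Heuristic reasons an autostart entry deserves a closer look."""
    reasons = []
    directory, _, base = image.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    if "\\temp\\" in image.lower():
        reasons.append("runs from a Temp folder")
    if directory.lower() in SYSTEM_DIRS and RANDOM_RE.match(stem) and stem not in KNOWN_GOOD:
        reasons.append("random-looking %s in %s" % (base, directory))
    name = key[1]
    if RANDOM_RE.match(name) and name != stem:
        reasons.append("value name %s unrelated to %s" % (name, base))
    if GENERATED_RE.match(name):
        reasons.append("machine-generated-looking value name")
    return reasons


def triage(text):
    """Only the entries that tripped at least one heuristic."""
    flagged = {}
    for key, image in parse_o4(text).items():
        reasons = suspicion(key, image)
        if reasons:
            flagged[key] = reasons
    return flagged


def diff_autostarts(before, after):
    """Entries added, removed, or re-pointed at a different image between two logs."""
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    changed = {k: (before[k], after[k]) for k in before
               if k in after and before[k] != after[k]}
    return added, removed, changed


if __name__ == "__main__":
    before, after = parse_o4(LOG_BEFORE), parse_o4(LOG_AFTER)
    for key, reasons in triage(LOG_AFTER).items():
        print("FLAG    %s [%s] -> %s: %s" % (key[0], key[1], after[key], "; ".join(reasons)))
    added, removed, changed = diff_autostarts(before, after)
    for key in added:
        print("NEW     [%s] %s" % (key[1], added[key]))
    for key in removed:
        print("GONE    [%s] %s" % (key[1], removed[key]))
    for key, (old, new) in changed.items():
        print("CHANGED [%s] %s -> %s" % (key[1], old, new))
```

Run against the two full logs and the "changed" line is the one to act on first: the same `5JY4YGM5K9YZT7` value pointing at `DozNu4.exe` in the earlier log and at `RmtQCB55.exe` in the later one means the dropper is still active and re-creating its payload under fresh random names after each cleanup, which is exactly why the earlier file deletions did not stop the Windows Installer prompt on their own.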


----------



## chirodoc (Nov 1, 2004)

Yeah, I was connected to the internet but I will do this stuff again anyway. Thx. My Windows Installer box is still popping up, any ideas? Does that paragraph that I posted on the last page that mentioned the Windows Installer have anything to do with it or not? Later


----------



## Rollin' Rog (Dec 9, 2000)

After completing the above, post another "getservice" text file again along with a new scanlog. That malware service that flrman1 flagged *seemed* like it was a source of the problem. Perhaps something else has replaced it. The one you pointed to was legit but seemed to result from the first being run.

We may want to try disabling or removing the Microsoft "Office" startups if the problem persists once the computer is "clean".


----------



## chirodoc (Nov 1, 2004)

Here is the new log file and I will attach a getservice file as well. Thanks

Logfile of HijackThis v1.98.2
Scan saved at 9:51:03 AM, on 11/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Deerfield.com\DNS2Go\DNS2GoClient.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wkupik.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\orofyt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jamie\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.worldnetdaily.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [knhp] C:\WINDOWS\System32\orofyt.exe
O4 - HKLM\..\Run: [hjidy] C:\WINDOWS\System32\ztzqnn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.212.47.54/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab


----------



## chirodoc (Nov 1, 2004)

Looks cleaner anyway, huh? Let me know what's next.

Thx. PeperFix found no new files that were infected/corrupt.


----------



## Rollin' Rog (Dec 9, 2000)

First, take HijackThis out of the "temporary" folder it is in, and put it in a folder of its own, preferably in the My Documents directory.

Check and fix these items, verify the files are not present, and that they or nothing similar returns after a reboot:

O4 - HKLM\..\Run: [knhp] C:\WINDOWS\System32\orofyt.exe
O4 - HKLM\..\Run: [hjidy] C:\WINDOWS\System32\ztzqnn.exe

Next we need to determine if the remaining (really the original) problem is related to Microsoft Office startups.

Check and "fix" this HijackThis item:

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

It can be restored through HijackThis > Config > Backups.

You have two alternatives for the next; you can use HijackThis to "fix" it and restore it as above, or you can run *msconfig* and "uncheck" it under the startup tab:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

After rebooting, let us know the results and post another Scanlog so we can verify nothing is returning.

I didn't see anything wrong in the services.text but a second pair of eyes sometimes helps...

Also, try this: do a full drive File Search for all files of the type:

*.msi

and let me know the name and location of any file with a MODIFIED date consistent with the current problem.


----------



## chirodoc (Nov 1, 2004)

Every time I "fix" stuff in HijackThis, should I be running in Safe Mode?


----------



## chirodoc (Nov 1, 2004)

Ran msconfig, went to the Startup tab, and the only thing that looks like what you want me to uncheck is Microsoft Office ---- C:\Progra~1\MICR.... Common Startup


----------



## chirodoc (Nov 1, 2004)

In Config > Backups, the Excel file you had me "fix" is not there, just the two previous files. Thought it should be in there.


----------



## chirodoc (Nov 1, 2004)

nevermind my last post, i am an idiot, it's there.


----------



## chirodoc (Nov 1, 2004)

Logfile of HijackThis v1.98.2
Scan saved at 11:32:55 AM, on 11/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wkupik.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\uhrh.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Deerfield.com\DNS2Go\DNS2GoClient.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jamie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.worldnetdaily.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\uhrh.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.212.47.54/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab


----------



## chirodoc (Nov 1, 2004)

here it is. no change in dialog box popping up if that's what you wanted to know. doing a full disc scan for .msi files now


----------



## chirodoc (Nov 1, 2004)

names of files that were modified consistent with problem are as follows...

msnmsgs.msi located in C:\documents and Settings\All Us....
webfldrs.msi located in C:\Windows\Software Distribut...
1b93f18 located in windows\installer
5759ed
490f16b
2b47e8
1dcleec
1b93f25
480a6
2936a


----------



## Rollin' Rog (Dec 9, 2000)

Something is reinfecting you as we go:

O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\uhrh.exe

Reboot in Safe Mode, check and fix that entry and delete that file, and this as well:

C:\WINDOWS\System32\wkupik.exe

I think this last file is the problem, I see it has remained in running processes with no obvious startup.

It may remain hidden or not want to delete. Follow these instructions after a reboot and post a th log.txt as an attachment, along with a new Scanlog.

download and run : (http://downloads.subratam.org/FINDnFIX.exe)

It will extract a set of files to c:\FindnFix

Run the *!log!.bat* in the FindnFix folder and post the log.txt file it creates to a reply as an attachment

I also think it would be a good idea, at least temporarily, to rename those .msi files in the "Installer" folder which have recent modified dates to .msx so they cannot load. And check to see that no new ones are being created.
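
The two housekeeping steps asked for in this thread, the full-drive search for recently modified *.msi files and the renaming of recent packages in the Installer cache to .msx, can be done from one script. This is an added example, not something posted in the thread; it assumes Windows PowerShell 3.0 or later, and the `$since` date is a placeholder for when the pop-up started. The whole-drive search is slow on a 2004-era disk, so run it once and keep the output. One caveat the thread does not mention: C:\WINDOWS\Installer is the cache that Repair and Uninstall read from, so note the original names and rename them back once the culprit package is identified.

```powershell
# Added example (not from the thread). Finds *.msi files modified since a cutoff,
# snapshots the Installer cache so new packages can be spotted later, and renames
# recently modified cached packages to .msx (dry run by default).
# Assumptions: Windows PowerShell 3.0+, $since is a guess at when the problem began.

function Find-RecentMsi {
    param(
        [datetime]$Since,
        [string[]]$Roots = @("$env:SystemDrive\")
    )
    # -Filter uses Win32 wildcard rules, so re-check the extension explicitly.
    Get-ChildItem -Path $Roots -Filter *.msi -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.msi' -and $_.LastWriteTime -ge $Since } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, Length
}

function Get-InstallerCacheSnapshot {
    # Name and timestamp of every cached .msi/.msp; timestamps as strings so a
    # CSV round-trip compares cleanly.
    $cache = Join-Path $env:SystemRoot 'Installer'
    Get-ChildItem -Path $cache -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -in '.msi', '.msp' } |
        Select-Object Name,
                      @{ n = 'LastWriteTime'; e = { $_.LastWriteTime.ToString('o') } },
                      Length
}

function Disable-CachedMsi {
    # Rename recently modified .msi files in the cache to .msx so msiexec cannot load them.
    # Caveat (not from the thread): Repair/Uninstall need these files, so rename them back later.
    param([datetime]$Since, [switch]$WhatIf)
    $cache = Join-Path $env:SystemRoot 'Installer'
    Get-ChildItem -Path $cache -Filter *.msi -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.msi' -and $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            Rename-Item -LiteralPath $_.FullName -NewName ($_.BaseName + '.msx') -WhatIf:$WhatIf
            $_.FullName   # echo what was (or would be) renamed
        }
}

$since = Get-Date '2004-11-01'   # placeholder: the date the pop-up first appeared

# 1. Full-drive search, newest first.
Find-RecentMsi -Since $since | Format-Table -AutoSize

# 2. Baseline the cache on the first run; on later runs list packages that are new or changed.
$baselinePath = Join-Path $env:TEMP 'installer-cache-baseline.csv'
if (-not (Test-Path $baselinePath)) {
    Get-InstallerCacheSnapshot | Export-Csv -Path $baselinePath -NoTypeInformation
    "Baseline written to $baselinePath; rerun after the next reboot to diff."
} else {
    Compare-Object -ReferenceObject (Import-Csv $baselinePath) `
                   -DifferenceObject (Get-InstallerCacheSnapshot) `
                   -Property Name, LastWriteTime |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Name, LastWriteTime
}

# 3. Dry run of the rename; drop -WhatIf to actually do it.
Disable-CachedMsi -Since $since -WhatIf
```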


----------



## chirodoc (Nov 1, 2004)

what's the th log.txt you wrote in the last post? is that the getservice program thing or what? sorry. will do the rest and you can tell me what the th log.txt is.


----------



## chirodoc (Nov 1, 2004)

Logfile of HijackThis v1.98.2
Scan saved at 1:54:44 PM, on 11/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hlpkul.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Deerfield.com\DNS2Go\DNS2GoClient.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jamie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.worldnetdaily.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.212.47.54/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab


----------



## chirodoc (Nov 1, 2004)

here is the findandfix log.


----------



## Rollin' Rog (Dec 9, 2000)

Well for the first time the Scanlog is completely clean, and there is nothing unusual about the FindnFix log either.

And yet msiexec.exe is still a running process. Did you try renaming those recent .msi files? And have any new ones been created?

I don't have much hope for this, but it might be worth a try.

Go to Start > Run and enter *cmd* and a command shell will open. At the prompt type and enter each bold line:

*msiexec.exe /unregister
msiexec /regserver*

reboot and see if the message still comes up.

Also, when that message comes up asking you to insert the XP CD, is there an option to "browse to" or enter a file path?

If there is, browse to or enter:

c:\I386

Normally this contains all the cabinet files that would be found on the installation CD.

What we may be seeing is Windows file protection detecting a missing file and wanting the CD to recover it from.

It might also be worthwhile to open Administrative Tools > Event Viewer, and look at the event logs for System and Application and see if there are any red x's current with the last boot on which the message occurred. This might tell us the file, if one is missing.


----------



## chirodoc (Nov 1, 2004)

when the screen pops up there is a browse button. when i click it it opens up to a browse screen and the name in the file name line is PRORET.MSI and in the file type box it reads installation package (*msi). then if i try to type in file name C:\I386 it says file name is invalid. if i exit back to the error box and hit okay, a new screen comes up that says path "microsoft office xp professional" cannot be found. verify that you have access and try again, or try to find the installation package PRORET.MSI in a folder from which you can install the product Microsoft office professional.


----------



## chirodoc (Nov 1, 2004)

I did rename the files to .msx and no new files had come up. I looked in Administrative Tools and there were a LOT of red x's next to several things. In the Application log the errors were listed under the name MsiInstaller (the source description) or under VSS or Event System or Application Hang, and in the System log they were either Service Control Manager or DCOM, and they were all errors today or yesterday after 11:30 am. Does this tell you anything, or how can I be more specific or show you what I am talking about?


----------



## Rollin' Rog (Dec 9, 2000)

PRORET.MSI is evidently associated with 'Microsoft Office XP Professional', do you have a CD for that?

In any case try doing a "Repair" from the "Word" Help > About menu and see if you get prompted for a CD. It may not need it.

The only red x's there we would be concerned about are the ones for the installer. The others are normal when you boot to Safe Mode. The ones for the installer, I would presume flag the same .msi file; you can double click them to get more information.

Also, google searches reveal a lot of folks with the same problem. I haven't studied them all, but it seems like you may need to locate the right CD.

http://groups.google.com/groups?q=PRORET.MSI&hl=en&lr=&safe=off&sa=N&tab=wg


----------



## chirodoc (Nov 1, 2004)

http://groups.google.com/groups?q=PRORET.MSI&hl=en&lr=&safe=off&start=10&sa=N

check the third listing down from the top that starts with REroret.msi, can you tell me if this is a valid proret.msi file and if so do you think its worth a try to download and then select it again during the browse part of the installer screen like the poster is suggesting?


----------



## chirodoc (Nov 1, 2004)

the thread starts with Re-proret.msi (third from the top)


----------



## chirodoc (Nov 1, 2004)

i tried it already and it didn't work but i just saved it in a wordpad file on the desktop as proret.msi so I doubt if it would've worked from that location. where should i save it to? and can i just copy and paste all the info out of the post or do i have to save it a different way?


----------



## chirodoc (Nov 1, 2004)

is this information that i found at microsoft.com, in the same ballpark as far as my problem is concerned???


An easy way to determine the cause of an on-demand installation is to look in the application event log for MsiInstaller log messages of the form:

Event Type: Warning
Event Source: MsiInstaller
Event ID: 1001
Description:
Detection of product '{000C1109-0000-0000-C000-000000000046}', feature 'Example' failed during request for component '{00030829-0000-0000-C000-000000000046}'
Event Type: Warning
Event Source: MsiInstaller
Event ID: 1004
Description:
Detection of product '{000C1109-0000-0000-C000-000000000046}', feature 'Example', component '{00030829-0000-0000-C000-000000000046}' failed. The resource 'C:\Progam Files\example\example.exe' does not exist.

The first message (with event ID 1001) states which component was being installed. The component listed here is the component named in the Component_ column of the Shortcut table for the particular shortcut.

The second message (with event ID 1004) indicates which component failed detection. Improved event logging in Windows Installer 2.0 has updated the message so that in most cases, the message identifies the actual resource that resulted in the failed detection. The component with the missing or damaged keypath is the component that is triggering the reinstallation.

In the example above, the reinstallation is triggered because the resource 'c:\Program Files\example\example.exe' does not exist. You would then need to find out why the keypath does not exist. In this case, the user deleted it.
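
The KB excerpt above and the earlier suggestion to look for installer errors in the Application log both come down to reading the MsiInstaller 1001/1004 pairs and pulling out the product, feature, component and missing resource. The script below is an added example, not from the thread or from Microsoft; it assumes Windows PowerShell 3.0 to 5.1 (Get-EventLog is gone in PowerShell 7, where Get-WinEvent does the same job) and is run on the affected machine. The product GUID in the event is the Windows Installer ProductCode, which is also the subkey name under the Uninstall registry key, so the script resolves it to a display name; on this machine that should come back as the Office XP Professional product the PRORET.MSI prompt belongs to.

```powershell
# Added example (not from the thread). Reads MsiInstaller events 1001 and 1004 from the
# Application log, extracts the product/feature/component and the keypath resource that
# failed detection, resolves the ProductCode to a display name, and checks whether the
# resource is actually missing on disk.
# Assumptions: Windows PowerShell 3.0-5.1, elevated prompt, $Newest window is a guess.

function Get-MsiProductName {
    # MSI products register under Uninstall with their ProductCode GUID as the key name.
    param([string]$ProductCode)
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        $key = Join-Path $root $ProductCode
        if (Test-Path $key) { return (Get-ItemProperty -Path $key).DisplayName }
    }
    return '(not registered)'
}

function Get-MsiDetectionFailure {
    param([int]$Newest = 500)   # how many MsiInstaller entries to look back through

    # Event 1001: the component whose shortcut/advertised entry point was requested.
    $requested = "Detection of product '(?<Product>\{[^}]+\})', feature '(?<Feature>[^']+)' failed during request for component '(?<Component>\{[^}]+\})'"
    # Event 1004: the component that failed detection and the resource (keypath) that is gone.
    $missing   = "Detection of product '(?<Product>\{[^}]+\})', feature '(?<Feature>[^']+)', component '(?<Component>\{[^}]+\})' failed\.\s+The resource '(?<Resource>[^']+)' does not exist"

    Get-EventLog -LogName Application -Source MsiInstaller -Newest $Newest -ErrorAction Stop |
        Where-Object { 1001, 1004 -contains $_.EventID } |
        ForEach-Object {
            $entry = $_
            $regex = if ($entry.EventID -eq 1004) { $missing } else { $requested }
            if ($entry.Message -match $regex) {
                $resource = $Matches['Resource']   # $null for 1001 entries
                [pscustomobject]@{
                    Time      = $entry.TimeGenerated
                    EventId   = $entry.EventID
                    Product   = $Matches['Product']
                    Name      = Get-MsiProductName $Matches['Product']
                    Feature   = $Matches['Feature']
                    Component = $Matches['Component']
                    Resource  = $resource
                    # $true means the keypath is present and detection failed for another reason.
                    Exists    = if ($resource) { Test-Path -LiteralPath $resource } else { $null }
                }
            }
        }
}

Get-MsiDetectionFailure |
    Sort-Object Time -Descending |
    Format-Table Time, EventId, Name, Feature, Resource, Exists -AutoSize
```

A 1004 row whose Resource column points at a file that really is gone (Exists = False) names the component that keeps triggering the reinstall; restoring that one file, or repairing just that feature, is a much smaller job than the full reinstall the pop-up is asking for.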


----------



## chirodoc (Nov 1, 2004)

I found this at microsoft.com too. This first error message is exactly what I get, without the Excel failed execution line(s). Is there a way to remedy this with what they say is happening here, or is it gibberish to you all too? AARRRGGGGG.



When you click Cancel, an error message similar to the following appears 
Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see Drive:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP. 
where Drive is the drive where you install Office XP, such as drive C or drive D. 

When you click OK, an error message similar to the following appears: 
Microsoft Excel can't run this add-in.
Microsoft Excel cannot install the necessary files due to Windows installer error 1603.
ERROR_INSTALL_FAILURE 
CAUSE
This behavior can occur when you install some features of Office as Installed on First Use from a resource such as a network server, and then the resource becomes unavailable.

For example, during Setup you choose Installed on First Use for the Excel add-ins. When you run Excel and select an add-in, the feature attempts to install. If you are disconnected from your installation point, the error message appears. 
RESOLUTION
If you become disconnected from your installation point or network resource, reconnect and try to use the Office feature again. If you are a mobile user who is using a laptop computer, and the installation resource is unavailable, you cannot use this Office feature until you reconnect to your installation resource. 

When you choose Installed on First Use for specific features of Office, these features are not installed until you first use them. Therefore, this requires you to be able to connect to the installation point when you try to use the feature. 

--------------------------------------------------------------------------------


----------



## Rollin' Rog (Dec 9, 2000)

I could not get the proret.msi file to download correctly. It was downloading as an html file (double extension). I may try again and let it complete.

If your download completed, check to see that it does not have a double extension, rename it proret.msi -- then right click on it and select Properties > Summary. Does it have Microsoft Author?

If it had an html extension before, and you change that to just proret.msi, and it has a Microsoft copyright, try it again.

{ok, I tried it again and renamed it proret.msi -- it takes on the "windows installer" icon, but when I select "properties" it does not have the usual tabs, hence I wouldn't trust it, who knows what it will install}

The event log ID for the installer type error is what you would be looking for. When you double click those you will get more information.

I don't know about the second error you posted.

It may be time to post the more technical questions you are asking to the Business Applications forum, since it is no longer really a "Security" issue, and I don't personally have experience with "Microsoft Office" products.

We won't consider it a double posting.


----------



## ~Candy~ (Jan 27, 2001)

Tell Dreamboat we sent you, and you might just post this link in the thread in case she has questions.


----------



## ~Candy~ (Jan 27, 2001)

Found this on a Google search 

http://support.installshield.com/kb/view.asp?articleid=Q107182


----------



## Rollin' Rog (Dec 9, 2000)

I had a look inside proret.msi, and based on the textual content, of which there is quite a bit, it appears to be a Microsoft office file. Whether it has been altered or will work for you, I have no idea. But it must be renamed to reflect the windows installer (msi) icon to have any chance of being accepted.

Still something is a bit funky about the "properties" page of it.

By the way, I would highly recommend you follow these instructions to reset the XP system restore cache at this stage, and ensure a new checkpoint gets created:

http://service1.symantec.com/SUPPOR...5065b3834b10031488256b0900255ea7?OpenDocument

Do this before trying to load proret.msi ...


----------



## chirodoc (Nov 1, 2004)

did the system restore thing... I also went to the business guys and talked with XL guru and lightning. what an enthusiastic crowd that was. Never got a hold of dreamboat  but those guys told me that instead of reading through my posts they just suggested editing the registry which didn't work and then told me to give up. wippee!


----------



## ~Candy~ (Jan 27, 2001)

Give up?  We have that option?  

I'll pm Dreamboat.

Did you read thru the MS link I posted above?


Edit, she hasn't been online since 10/23  I hope nothing is wrong


----------



## chirodoc (Nov 1, 2004)

hey, yeah i read thru the ms link that you posted and i even asked them a few questions at microsoft but i haven't at this point figured out the problem so i am still looking for answers.
j


----------



## ~Candy~ (Jan 27, 2001)

Bet a format c: would take care of it


----------



## chirodoc (Nov 1, 2004)

format c: ... let's see is that where I erase everything and then YOU send me a new machine? that sounds like the best idea yet


----------



## ~Candy~ (Jan 27, 2001)

Well, if you were a bit closer


----------



## Rollin' Rog (Dec 9, 2000)

Are you actually using the "Office" software to which this error is related?

If not you could simply uninstall it, and then reinstall it when you get access to the disks.

If you set a system restore point, you could probably get it back doing a System Restore if it doesn't work out, but I can't guarantee that.


----------



## ~Candy~ (Jan 27, 2001)

Rog, I could be wrong, but I "THINK" that even to uninstall Office you need the disks.


----------



## Rollin' Rog (Dec 9, 2000)

Hmmm. Where _is_ Dreamboat?


----------



## ~Candy~ (Jan 27, 2001)

I don't know Rog. She hasn't answered my pm either  I just sent another email. I hope she's ok.


----------

