startup problem

StudentofLife

Technical User
Sep 17, 2005
16
US
Hi,

I am having a problem with one of my users on my home pc.
When I boot into it, the system tries to open exe files with Adobe. I can't get into any resources because they are all exe, like help or restore. I'm not sure how this happened. I tried to get in to look at file associations to maybe see what happened, but I can't. Any help would be greatly appreciated.

Thanks


 
Hi,

I followed your instructions and have a log file but I'm not sure how to upload it here. If you provide me with your email I'll send it and then we can post the solution here.

Thanks a lot for the help.
 
Double click HijackThis, click Scan and make a log. In the log file, click Edit, click Select All, click Edit, click Copy.

In the box here, right click on the box and choose Paste, and the log will appear in the box which you type your message in!
 
Logfile of HijackThis v1.99.1
Scan saved at 9:36:05 AM, on 09/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Message Screener\bin\compaq-rba.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\yaoorbmh\axxxqw.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: function OAS_RICH(position)
O1 - Hosts: function {
O1 - Hosts: if (position
O1 - Hosts: if ==
O1 - Hosts: if 'Right')
O1 - Hosts: if {
O1 - Hosts: document.write ('<A
O1 - Hosts: document.write HREF="
O1 - Hosts: document.write target="_new"><IMG
O1 - Hosts: document.write SRC="
O1 - Hosts: document.write ALT=""
O1 - Hosts: document.write BORDER="0"></A>');
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {32DAE4C3-8B65-EDEB-0395-FEE054E41727} - C:\WINDOWS\system32\dssxraqc\pllvubag.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
O2 - BHO: (no name) - {DAB98F0E-24A0-9131-659C-D694790E39AD} - C:\WINDOWS\system32\wwtwgder\oscxxokw.dll
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [sys02284323859] C:\WINDOWS\sys02284323859.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [axxxqw] C:\WINDOWS\system32\yaoorbmh\axxxqw.exe
O8 - Extra context menu item: &Search -
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,0,478 -
O16 - DPF: Yahoo! Canasta -
O16 - DPF: Yahoo! Dice -
O16 - DPF: Yahoo! Dominoes -
O16 - DPF: Yahoo! Gin -
O16 - DPF: Yahoo! Klondike Solitaire -
O16 - DPF: Yahoo! MahJong -
O16 - DPF: Yahoo! MahJong Solitaire -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {601B418B-E6A6-47FC-A094-07248741CEB3} (Camtronics Medical Systems Web Viewer) - file://E:\vwr_data\WebVwr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} -
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} -
O21 - SSODL: eplrr - {DF39509E-560F-4DAC-81B6-291554E1E0F7} - C:\WINDOWS\System32\eplrr3.dll (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Compaq Message Screener (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Message Screener\bin\compaq-rba.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
 
Delete the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 1

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O1 - Hosts: function OAS_RICH(position)

O1 - Hosts: function {

O1 - Hosts: if (position

O1 - Hosts: if ==

O1 - Hosts: if 'Right')

O1 - Hosts: if {

O1 - Hosts: document.write ('

O1 - Hosts: document.write HREF=" ojobs.com/site/1450859526/Right/ChicagoJob/shakeradvertising/cj4.gif/34336164343 738313432656639303730?"

O1 - Hosts: document.write target="_new">

O1 - Hosts: document.write SRC=" lMedia/ads/Creatives/ChicagoJob/shakeradvertising/cj4.gif"

O1 - Hosts: document.write ALT=""

O1 - Hosts: document.write BORDER="0">');

O4 - HKLM\..\Run: [axxxqw] C:\WINDOWS\system32\yaoorbmh\axxxqw.exe

O8 - Extra context menu item: &Search -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - lSetup1.0.0.8.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
O16 - DPF: {601B418B-E6A6-47FC-A094-07248741CEB3} (Camtronics Medical Systems Web Viewer) - file://E:\vwr_data\WebVwr.cab

O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} -
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - blockerutility.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - ab

O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)

You also need to download Spybot S&D 1.4 and perhaps MS Antispyware. Get them at and go to the downloads page.


And also you have Aurora and need to do the following:

Try this and make sure you are disabling System Restore:


Run the uninstall program. That works the best. If that doesn't work, try the following:

Download ewido:


Run this in safe mode:

During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Look at the left side of the main screen and click update
Click on Start and let it update.

Click on scanner and run a complete scan.

Hope this helps,

Erik
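The "delete the following" list above is the result of reading the log by hand: a Shell= line that starts a second executable besides Explorer.exe, hosts file entries, services and shell objects whose file is missing, and auto-start entries run out of random-named subdirectories of system32. As an added example (not code from the thread, from HijackThis, or from any of its authors), here is a small Python triage script that applies those same rules to log lines. The sample log is a constructed excerpt using entries from the log posted above; the path-shape rules (an extra directory level under system32, an executable sitting directly in the Windows directory) are heuristics of this example, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of a HijackThis v1.99.1 log; entries copied from the thread's log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: function OAS_RICH(position)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32DAE4C3-8B65-EDEB-0395-FEE054E41727} - C:\WINDOWS\system32\dssxraqc\pllvubag.dll
O4 - HKLM\..\Run: [sys02284323859] C:\WINDOWS\sys02284323859.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [axxxqw] C:\WINDOWS\system32\yaoorbmh\axxxqw.exe
O21 - SSODL: eplrr - {DF39509E-560F-4DAC-81B6-291554E1E0F7} - C:\WINDOWS\System32\eplrr3.dll (file missing)
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# Every HijackThis entry starts with a section code such as F2, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Heuristic (assumption of this example): legitimate auto-start binaries under system32
# sit directly in it, so system32\<dir>\<file>.exe|dll deserves a look.
SYSTEM32_SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\[^\\]+\.(?:exe|dll)", re.IGNORECASE)
# Heuristic (assumption of this example): an executable directly in the Windows directory.
WINDOWS_ROOT_EXE_RE = re.compile(r"\\WINDOWS\\[^\\]+\.exe", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reasons: list
    line: str


def parse_entry(line):
    """Split a log line into (section, body); None for header or process-list lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(lines):
    """Return one Finding per entry that trips at least one rule, in log order."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        reasons = []
        if section == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":      # anything appended is started at logon
                reasons.append("Shell= starts something besides Explorer.exe")
        if section == "O1":                           # HijackThis only lists non-default entries
            reasons.append("non-default hosts file entry")
        if "(file missing)" in body:
            reasons.append("registered component whose file is missing")
        if section in ("O2", "O4") and SYSTEM32_SUBDIR_RE.search(body):
            reasons.append("module runs from a subdirectory of system32")
        if section in ("F2", "O4") and WINDOWS_ROOT_EXE_RE.search(body):
            reasons.append("executable sits directly in the Windows directory")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("browser helper object with no name")
        if reasons:
            findings.append(Finding(section, reasons, line))
    return findings


def flagged_sections(lines):
    """Section codes of the flagged entries, handy for a quick summary."""
    return [f.section for f in triage(lines)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the sample, seven of the ten entries are flagged and the three McAfee and Adobe entries pass, which matches the hand-made list in the reply. The rules are deliberately narrow: a script like this is a first pass to shorten the reading, and each hit still needs the path and CLSID checked by someone before anything is deleted.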
 
You just download the Hoster and click the option to restore original hosts, and this will take care of all those hosts entries you have!

These all need to be fixed; clicking HijackThis to fix them won't fix them, as they will return, hence using the Hoster to restore the hosts file back to a clean state!


O1 - Hosts: function OAS_RICH(position)
O1 - Hosts: function {
O1 - Hosts: if (position
O1 - Hosts: if ==
O1 - Hosts: if 'Right')
O1 - Hosts: if {
O1 - Hosts: document.write ('<A
O1 - Hosts: document.write HREF="
O1 - Hosts: document.write target="_new"><IMG
O1 - Hosts: document.write SRC="
O1 - Hosts: document.write ALT=""
O1 - Hosts: document.write BORDER="0"></A>');
 
Your McAfee virus Dif files will be out of date due to the hosts file redirect. Get them updated ASAP. The last PC that I fixed that had Aurora also had 30-plus viruses; Norton Corp had not been updating because of the hosts file redirect.
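The last two replies make one point between them: a hijacked hosts file has to be put back to its clean state rather than fixed entry by entry, and until that happens the antivirus cannot fetch updates because its vendor's hostnames resolve to the wrong place. As an added example (not the Hoster's code and not anything from the thread), here is a Python script that parses a hosts file, classifies every non-default mapping, and produces the cleaned file a "restore original hosts" button would write back. The hosts content is a constructed sample (the comment header is the stock Microsoft one, the mappings are made up), and the vendor suffix list is an assumption to be extended for your own environment.

```python
import ipaddress

# Constructed sample of a hijacked Windows XP hosts file (mappings made up for this example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       updates.mcafee.com          # constructed: vendor update host sinkholed
127.0.0.1       liveupdate.symantec.com     # constructed: vendor update host sinkholed
203.0.113.9     search.example.net          # constructed: search host sent to a third party
"""

# Assumption: vendor domains whose hijack silently breaks AV updates; extend for your estate.
SECURITY_VENDOR_SUFFIXES = ("mcafee.com", "symantec.com")


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping; comments and junk are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                              # not an address: Windows ignores it, so do we
        for host in parts[1:]:                    # one address may map several names
            entries.append((lineno, ip, host.lower()))
    return entries


def is_default_entry(ip, host):
    """The only mapping a stock hosts file carries: localhost to a loopback address."""
    return host == "localhost" and ipaddress.ip_address(ip).is_loopback


def find_hijacks(entries, vendor_suffixes=SECURITY_VENDOR_SUFFIXES):
    """Classify every non-default mapping by what it does to the victim."""
    hijacks = []
    for lineno, ip, host in entries:
        if is_default_entry(ip, host):
            continue
        if any(host == s or host.endswith("." + s) for s in vendor_suffixes):
            kind = "security-vendor-blocked"      # updates can never reach the vendor
        elif ipaddress.ip_address(ip).is_loopback:
            kind = "sinkholed"                    # site silently unreachable
        else:
            kind = "redirected"                   # traffic sent to a third-party address
        hijacks.append({"line": lineno, "ip": ip, "host": host, "kind": kind})
    return hijacks


def clean_hosts(text):
    """Keep comments, blank lines and the localhost mapping; drop every other mapping.

    Returns (cleaned_text, removed_lines); writing cleaned_text back over the hosts
    file is what a 'restore original hosts' button does.
    """
    kept, removed = [], []
    for raw in text.splitlines():
        mappings = parse_hosts(raw)
        if not mappings or all(is_default_entry(ip, host) for _, ip, host in mappings):
            kept.append(raw)
        else:
            removed.append(raw)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for h in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {h['line']}: {h['host']} -> {h['ip']} ({h['kind']})")
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} mapping line(s); clean file:\n{cleaned}")
```

On a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts; the "security-vendor-blocked" class is the one to act on first, since the scanner will report itself up to date while its definitions are frozen at the day of the infection.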
 