Task Manager and Msconfig etc crashes HELP

[Axel7]

Brother has a problem and i cant fix it...

If he try to goto Task Manager or msconfig the window opens then shuts down instantly.........

he have run many many Norton tools and scans with 2004 pro with nothing coming up...
I have run adaware and removed a few tracking cookies......
I think i need some better advice....

Here is the hijackthis.log

Logfile of HijackThis v1.97.7
Scan saved at 10:01:58 AM, on 5/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\SKDAEMON.EXE
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\winsock2drv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Doug\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.mybc.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Winsock2 driver] winsock2drv.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\RunOnce: [Winsock2 driver] winsock2drv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Zone Labs Security.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) -

http://www.bxwa.com/fastbid/fastbidx1.cab

O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) -

http://www.bxwa.com/fastbid/fastbidx2.cab

O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) -

http://216.210.235.54/home/SonySncRz30View.cab

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) -

http://pointa.autodesk.com/portal/lang/enu/InstBanr.Ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) -

http://pointa.autodesk.com/portal/lang/enu/InstFred.Ocx

O16 - DPF: {C876C44F-F4CF-11D2-BC2A-E5C9894AD505} (FastBid Class) -

http://www.bxwa.com/fastbid/fastbidx.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

 

[carrr]

Sounds like a virus. Looks like a virus.

You've got the SPYBOT virus:

http://www.sophos.com/virusinfo/analyses/w32spybotbm.html

These are the offending entries:
O4 - HKLM\..\Run: [Winsock2 driver] winsock2drv.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] winsock2drv.exe

Disable system restore: right click My Computer > System Restore tab > disable system restore

Remove the entries I noted above using Hijack This!

Follow the removal instructions in the SOPHOS article I linked above.

Reboot.

Once satisfied that you're clean, reenable system restore.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[jrbarnett]

Hello

Disable system restore.
Reboot into safe mode, then take out these two:
O4 - HKLM\..\Run: [Winsock2 driver] winsock2drv.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] winsock2drv.exe

Although regarded as spyware, tgcmd is part of the manufacturer's software and so if you remove it, something may stop working. I leave it up to you whether you remove it or not.

http://www.liutilities.com/products/wintaskspro/processlibrary/tgcmd/

Then re enable system restore and reboot, and run a full scan.

John

 

[Axel7]

TIRED DELETING THE ABOUT FILES AND SAVED AND REBOOTED AND THEY ARE STILL THERE???????

 

[carrr]

Did you diable system restore first?

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[Axel7]

yes

 

[carrr]

And...they're still showing up on Hijack This! or on your C:\ drive?
You need to delete them from the actual drive. All removing the Hijack This! entries does is remove them from a startup position. You ned to then reboot in safe mode and delete C:\WINDOWS\System32\winsock2drv.exe

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[Axel7]

YAAAAAAAAAAAAAAA



Thank you sooooo much, i Just told my brother to delete that file and restarted and BOOM zonealarm works , task mananger starts, msconfig and regedit all start perfectly...
once again thanks

 

[jrbarnett]

I'd run a full scan over the machine now to make sure that there are no remnants left on the hard drive.

John