Reply With QuoteDownload and run HiJackThis.
This will tell you everything that is running or could be affecting Internet Explorer.
if you don't know what you are doing, choose the option to create a Log and post it on here and I'll let you know which lines to fix.
This is at work.
I went to go on the forum, by typin "www.p" into the address bar and scrollin down till i got to the address, then pressed ENTER.
It didnt open the page, instead a new window opened with this... http://www.stopguard.com/?aid=vtstop&lid=
I've ran adaware, and a virus scan, got rid of the **** that they picked up and it still does it.
Anyone got any ideas, this is a piss take, i dont like this bullshit advertising, and oh yeah, me CPU usage went shootin up to 100% when i opened IE, and wouldnt let me close the page at times and i had to do it thru task manager.
Do you reckon i need to update to SP2 for XP?
Any help appreciated
Oh yeah, and while i have been typin the letters are appearin real slow like :x
Download and run HiJackThis.
This will tell you everything that is running or could be affecting Internet Explorer.
if you don't know what you are doing, choose the option to create a Log and post it on here and I'll let you know which lines to fix.
This is the report from HijackThis (i cant see anythin that makes me **** me pants ):
Logfile of HijackThis v1.97.7
Scan saved at 12:13:05, on 07/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Morpheous\GeoSync\GeoSync.exe
C:\WINDOWS\AppPatch\wmscat.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Outlook\OFFICE11\OUTLOOK.EXE
\talbotdb\apps\videss\progre9d\bin\PROWIN32.EXE
C:\Program Files\Microsoft Office\Office\winword.exe
F:\videss\programs\docman.exe
C:\Documents and Settings\MMian\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tjlegal.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = ***.***.***.***:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\MMian\LOCALS~1\Temp\spcvs.dat
O2 - BHO: (no name) - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\MMian\LOCALS~1\Temp\tacsmw.dat
O2 - BHO: (no name) - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\MMian\LOCALS~1\Temp\tacsmw.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GeoSync] C:\Program Files\Morpheous\GeoSync\GeoSync.exe
O4 - HKLM\..\Run: [svcps] C:\WINDOWS\Web\svcps.exe
O4 - HKLM\..\Run: [wmscat] C:\WINDOWS\AppPatch\wmscat.exe
O4 - HKLM\..\Run: [*wmscat] C:\WINDOWS\AppPatch\wmscat.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [jgdw400] C:\WINDOWS\system32\jgdw400.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [*wmscat] C:\WINDOWS\AppPatch\wmscat.exe rerun
O4 - Startup: PMS Auto Updates.lnk = C:\CDBASE\msupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tjlegal.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = tjlegal.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB203EF7-D8C9-4D63-A2F6-C369CEC859E5}: NameServer = ***.***.***.***
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tjlegal.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tjlegal.co.uk
I appreciate ya help mate 8)
Run Spybot Search & Destroy in safe mode.
Dont forget to imunize ur system.
Personally...I would remove these files. Just bear in mind that I'm not sure of everything that is running on your PC! I take no responsibility for anything not working any more!
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\MMian\LOCALS~1\Temp\spcvs.dat
O2 - BHO: (no name) - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\MMian\LOCALS~1\Temp\tacsmw.dat
O2 - BHO: (no name) - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\MMian\LOCALS~1\Temp\tacsmw.dat
O4 - HKLM\..\Run: [svcps] C:\WINDOWS\Web\svcps.exe
O4 - HKLM\..\Run: [wmscat] C:\WINDOWS\AppPatch\wmscat.exe
O4 - HKLM\..\Run: [*wmscat] C:\WINDOWS\AppPatch\wmscat.exe
O4 - HKCU\..\Run: [jgdw400] C:\WINDOWS\system32\jgdw400.exe
O4 - HKLM\..\RunOnce: [*wmscat] C:\WINDOWS\AppPatch\wmscat.exe rerun
reboot and let me know how the PC is behaving.
As mentioned already, download and run Spybot- Search and Destroy, and possibly a program called CWShredder.
Have Fun!
Right, i'm puttin me money on that wmscat.exe the lil **** wot it is... when i get rid of it usin Hijack this, it just comes back, if i "end process" from Task Manager it flashes back up straight away, about 9MB in size.Originally Posted by PuntoSporting
Spybot doesnt pick it up tho, however it does pick up "ATLEvents" which is somethin that i do not know about.
Hmmm...
Please see this:Right, i'm puttin me money on that wmscat.exe the lil c**t what it is... when i get rid of it usin Hijack this, it just comes back, if i "end process" from Task Manager it flashes back up straight away, about 9MB in size.
Spybot doesnt pick it up tho, however it does pick up "ATLEvents" which is somethin that i do not know about.
Hmmm...
http://us.mcafee.com/virusInfo/defau...virus_k=127690
Conclusion: update and run a good antivirus
Managed to delete that file after ****in about in safe mode and it looks likeit was the culprit.
I think it must be in the startup as well somehere coz Windows is still lookin for it when i log in :x
Al sort it tho 8)
Cheers for your help guys, wouldnt have found it without ya
Please see this:Right, i'm puttin me money on that wmscat.exe the lil c**t what it is... when i get rid of it usin Hijack this, it just comes back, if i "end process" from Task Manager it flashes back up straight away, about 9MB in size.
Spybot doesnt pick it up tho, however it does pick up "ATLEvents" which is somethin that i do not know about.
Hmmm...
http://us.mcafee.com/virusInfo/defau...virus_k=127690
Conclusion: update and run a good antivirus
I have McAfee VirusScan Enterprise on all the systems at work and it didnt find it
Cheers mate, i'm gonna sort that one now as well
You beat me to mentioning deleting the file in SafeMode!
What you have to do now is re-run HiJackThis and remove the lines that mention the file. Its not there any more so it can't put the lines back in!
Either that or check in your registry at :
HKLM\Software\Microsoft\Windows\Currentversion\Run
HKLM\Software\Microsoft\Windows\Currentversion\Run Once
HKLM\Software\Microsoft\Windows\Currentversion\Run Services
HKCU\Software\Microsoft\Windows\Currentversion\Run
HKCU\Software\Microsoft\Windows\Currentversion\Run Once
HKCU\Software\Microsoft\Windows\Currentversion\Run Services
And if anything there references the file...remove them.
Is your PC now running better now that the file isn't there and running?
Posting Permissions
