2 replies to this topic

[majack]

Please help! My computer has been acting bipolar for a couple of weeks now. Thank you!!!

Logfile of HijackThis v1.99.1
Scan saved at 2:59:31 PM, on 11/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\OfficeScan NT\pccntmon.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\wuauclt.exe
F:\LTW\LTWMAIN.EXE
C:\WINDOWS\System32\W32MKDE.EXE
C:\WINDOWS\system32\LTWNode.exe
C:\Program Files\WordPerfect Office X3\Programs\wpwin13.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chris\My Documents\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://BANNERSERVER01:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O16 - DPF: Yahoo! Pyramids - http://download2.gam...ts/y/pyt1_x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://www.swiftview...all_a_green.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoft...5/asproinst.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://wc.wachovia....ab/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bannertitle.local
O17 - HKLM\Software\..\Telephony: DomainName = bannertitle.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bannertitle.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bannertitle.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rege2usb - rege2usb.dll (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe

[ken545]

majack

Welcome to Tom Coyote You have a couple of issues that we need to address. Your Windows Operating System is out of date and its letting some of the bad guys in, after we are done you need to update to Service Pack 2 and beyond. I will provide the link later in this thread.

Did you or a systems adminstrator install this program, if so its ok, if not than it could be dangerous and we need to remove it. This is what it is.

RISKWARE! or potentially unwanted application. This application may have been installed by your system administrator for providing support for your machine. However this application has been used by several trojan authors and included in other trojans for malicious purposes.

O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe



Print out the following instructions as you will not have Internet Access for the rest of this fix.

Download Process Explorer to your desktop.


Download Pocket Killbox to your desktop, unzip it to a folder that you can find

Reboot into Safemode

To Enter Safemode

• Go to Start> Shut off your Computer> Restart
• As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
  this will bring up a menu.
• Use the Up and Down Arrow Keys to scroll up to Safemode
• Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode

• Unzip Process Explorer and double click on procexp.exe
• In the top section of the Process Exlporer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen.
• Click on the Threads tab at the top.
• Once you see this screen click on each instance of: rege2usb.dllonce.
• Then click the Kill button.
• After you have killed all of: rege2usb.dll under winlogon click OK.

BE SURE TO KILL ONLY THIS FILE

• Next double-click on explorer.exe.
• Select the Threads tab.
• and again click once on each instance of: rege2usb.dll
• Then click the Kill button.
• Once you have done that click OK again.

BE SURE TO KILL ONLY THIS FILE


Next run Hijack This! Scan Only and place a check beside this entry
O20 - Winlogon Notify: rege2usb - rege2usb.dll (file missing)




Highlight the file with the complete path in the Quote Box and press Ctrl C on your keyboard.

C:\windows\system32\ rege2usb.dll

• Open Pocket Killbox
• Go to File > Paste from clipboard
• Set it to Delete on Reboot
• Tick the box that says End Explorer shell while killing file
• If its not greyed out..Click the radio button that say Unregister .dll before deleting.
• Make sure Single File is selected
• Click on the Red circle with the white X
• It will ask you to confirm the deletion...Say yes
• It will ask you to reboot, say yes

Run this system cleaner

Please download ATF Cleaner by Atribune.

• This program is for XP and Windows 2000 only
• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up



Let me know about that 023 service and post a new HJT log please.

[ken545]

This topic is being closed due to lack of response, if you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.