Dicky
CD Drawer continuously opens and closes
I have heard that this can be caused by a trojan. I have run Norton AV and TDS-3 but they both say my system is clear. It is driving me nuts and pauses my computer frequently. I have Win98 on a Packard Bell iMedia computer. Help please! I am a bit dim when it comes to computers so keep it simple please :)
Dicky,
So does your CD drawer open even when you do not have any application running?
Check for spyware using this:
Use Spybot, Ad-aware, CWShredder and post the log from HijackThis here.
After installing them, first update them and then run them.
Spyware/Adware removal tools:
------------------------------
What is spyware : http://www.spychecker.com/spyware.html
SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml
Ad-aware : http://www.webattack.com/download/dladaware.shtml
CWShredder : http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
HijackThis : http://www.webattack.com/download/dlhijackthis.shtml
Pest Patrol : http://www.pestpatrol.com/
Trojan Remover : http://www.simplysup.com/
ASKER
wow that was a fast response, I'll go do as you suggest
thanks
ASKER
OK, Ad-aware deleted 29 things.
Spybot found a load of stuff under 4 different headings:
BackWeb Lite, Download Accelerator Plus ads and eBay toolbar. CWShredder said nothing found.
HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 03:48:16, on 09/04/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE
C:\PROGRAM FILES\ASHAMPOO\ASHAMPOO WINOPTIMIZER PLATINUM SUITE\POPUPKILLER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPODEV07.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\HPOID407.EXE
C:\PROGRAM FILES\AOL 9.0\WAOL.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOFXM07.EXE
C:\PROGRAM FILES\AOL 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\PROGRAM FILES\BIGFIX\BIGFIX.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ASHAMPOO\ASHAMP~1\POPUP.DLL
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\Program Files\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRAM FILES\ASHAMPOO\ASHAMPOO WINOPTIMIZER PLATINUM SUITE\PopUpKiller.exe
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Kangaroo (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Hope this means something to you.
The CD drawer hasn't opened or closed for a while now so maybe you fixed it! It does happen randomly though.
As to whether it happens when I'm not running an application... I don't know, I only turn the computer on when I have to use it!
ASKER
oops
Spybot also found 1 item called DSO Exploit.
ASKER
ahhh, it's still happening :(
Dicky:
Probably you got rid of it.
Dabas
Have you updated the spyware definitions in Spybot and then run it?
If yes, then you can safely delete the items it shows because they are spyware. Reboot your system and then check if the problem arises.
ASKER
Yes, it said I have the current version. Should I delete them all?
Yes, go ahead and delete them,
then restart the machine,
then run HijackThis and post the log. There could be a difference.
ASKER
OK, it's still opening and closing though...
Logfile of HijackThis v1.97.7
Scan saved at 04:15:14, on 09/04/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE
C:\PROGRAM FILES\ASHAMPOO\ASHAMPOO WINOPTIMIZER PLATINUM SUITE\POPUPKILLER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPODEV07.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\PROGRAM FILES\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\WINDOWS\SYSTEM\HPOID407.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOFXM07.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ASHAMPOO\ASHAMP~1\POPUP.DLL
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\Program Files\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRAM FILES\ASHAMPOO\ASHAMPOO WINOPTIMIZER PLATINUM SUITE\PopUpKiller.exe
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Kangaroo (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
This was also an old VBScript.
Notice the message that said to click here.
<script LANGUAGE="VBScript">
<!--
MsgBox "Click here to receive a free cup holder",64,"Your free Cup holder"
' Windows Media Player's ActiveX control exposes the machine's CD-ROM drives
Set oWMP = CreateObject("WMPlayer.OCX.7")
Set colCDROMs = oWMP.cdromCollection
If colCDROMs.Count >= 1 Then
    ' Eject every drive it finds, which is what makes the drawer open by itself
    For i = 0 To colCDROMs.Count - 1
        colCDROMs.Item(i).Eject
    Next ' cdrom
End If
-->
</SCRIPT>
Also, does anyone else have access, like a prank-playing friend?
Look for gift.zip.
It runs the same program but lets you anchor it to any icon, etc. that they wish.
This sounds like NetBus.... If I remember correctly, that trojan could remotely open your CD-ROM.
hello Dicky,
It may also possibly be an electrical problem with your CD-ROM drive; is it a new one?
Hiya
This may sound silly BUT we had some Dell GX240 machines and the CD button was a plastic extender that, when pressed, hit the recessed CD-ROM drive eject button.
Problem was this plastic extender got stuck quite often and it only took a tap on the desk to get the CD drawer to open on its own. If you have a similar construction for the CD eject button, ensure it's pulled out and does not get stuck inwards.....
This was probably the worst design feature on the Dells.....
Hope this helps and good luck!
I had a look at the last HijackThis logfile. There seems to be an adware called BackWeb installed on your computer:
C:\PROGRAM FILES\BACKWEB\PROGRAM\BACKWEB.EXE
O4 - HKLM\..\Run: [reminder.exe] C:\Program Files\BackWeb\tuner\reminder.exe
See:
http://www.liutilities.com/products/wintaskspro/processlibrary/backweb/
http://www.kephyr.com/spywarescanner/library/backwebclient/index.phtml
"Bazooka Adware and Spyware Scanner" claims to be able to remove BackWeb: http://www.kephyr.com/spywarescanner/index.html
If this doesn't work, I would recommend removing the registry item, terminating the BackWeb process and deleting the BackWeb folder.
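The reply above finds BackWeb by pairing a running process with the O4 autostart entry that relaunches it. As an added Python example (not part of this thread and not HijackThis code), the parser below splits a HijackThis v1.97-style log into its process list and its R*/O* finding lines, decodes the O4 entries, and flags any path that belongs to a watch-listed vendor; the sample lines are copied from the logs posted above (with QTTASK.EXE added to the process list), and the watchlist names are an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted in this thread, plus QTTASK.EXE
# in the process list so that one autostart entry correlates with a running process.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [reminder.exe] C:\Program Files\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
"""

# Every HijackThis finding line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 bodies come in two shapes: a Run/RunServices/RunOnce registry value, or a Startup-folder .lnk.
REG_RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# First (optionally quoted) image on a command line; trailing switches such as /autorun are dropped.
IMAGE_RE = re.compile(r'^"?(?P<image>[^"]+?\.(?:exe|dll|ocx|tsk))"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Autostart:
    source: str    # "HKLM\..\Run", "HKLM\..\RunServices", "Startup folder", or "unparsed"
    name: str      # registry value name or .lnk name
    command: str   # command line exactly as logged
    image: str     # executable extracted from the command line ("" if none recognised)


@dataclass
class Report:
    processes: list = field(default_factory=list)   # full paths under "Running processes:"
    autostarts: list = field(default_factory=list)  # parsed O4 entries
    entries: list = field(default_factory=list)     # (section, body) for every R*/O* line


def _parse_o4(body):
    m = REG_RUN_RE.match(body)
    if m:
        source = f"{m.group('hive')}\\..\\{m.group('key')}"
        name, cmd = m.group("name"), m.group("cmd")
    else:
        m = STARTUP_RE.match(body)
        if m is None:
            return Autostart("unparsed", "", body, "")
        source, name, cmd = "Startup folder", m.group("name"), m.group("cmd")
    im = IMAGE_RE.match(cmd)
    return Autostart(source, name, cmd, im.group("image") if im else "")


def parse_hijackthis(text):
    report = Report()
    in_processes = False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False        # the first R*/O* line ends the process list
            section, body = m.group("section"), m.group("body")
            report.entries.append((section, body))
            if section == "O4":
                report.autostarts.append(_parse_o4(body))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes and line:     # header lines before the list are ignored
            report.processes.append(line)
    return report


def flag(report, watchlist=("backweb", "dap")):
    """(where, matched_name, line) for each process or finding line in which some
    backslash-separated path component starts with a watch-listed name (assumed list)."""
    findings = []
    lines = [("process", p) for p in report.processes] + list(report.entries)
    for where, line in lines:
        for comp in line.split("\\"):
            low = comp.strip().lower()
            hit = next((w for w in watchlist if low.startswith(w)), None)
            if hit:
                findings.append((where, hit, line))
                break
    return findings


def running_autostarts(report):
    """Autostart entries whose executable also appears in the running-process list."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in report.processes}
    return [a for a in report.autostarts
            if a.image and a.image.rsplit("\\", 1)[-1].lower() in running]
```

`flag` matches on any path component, so the BACKWEB.EXE process and the reminder.exe autostart under the BackWeb folder are reported together, which is the link the reply above drew by eye.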
ASKER CERTIFIED SOLUTION
Try running Ad-aware, which is a free utility you can download from www.adaware.com
Dabas