
Discussion Starter · #1 ·
Please help me with the Hijack This log below for my new computer. It took me a couple of days to get all my software and updates downloaded and configured, and I'm still working on getting NOD32 anti-virus set up.

I've run Ad-aware 6 and got 22 objects, and Spybot S&D and got 10 more. Now I have Spyware Guard and Spyware Blaster, and this is the log from Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 3:51:51 PM, on 3/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\nda.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray\sgtray.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus10.hpwis.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
 

Reply · Rollin' Rog ·
It looks like a clean scanlog, although I don't really know what this is, perhaps you could say?

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

Also if you have problems opening Adobe files on the web, it may be because of a missing file associated with this entry:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

Perhaps the entry was left over after an update. I would just check and "fix" it.
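As an added example (mine, not from the thread and not HijackThis code), a Python pass that reads a log in the format posted above and surfaces the lines a reviewer checks first: O2/O3 browser components whose file is gone, O4 Run entries that name a bare file with no directory (VTTimer.exe is one), startup shortcuts whose target HijackThis could not resolve, the O10 LSP line, and the distinct hosts behind the R0/R1 start and search pages. SAMPLE_LOG is an excerpt of the log above; the classification rules are this example's own heuristics, not a verdict on any entry.

```python
"""Triage pass over a HijackThis v1.9x scan log.

Added example; not part of the original thread and not HijackThis code.
The rules below are this example's own heuristics for which lines a
reviewer reads first; a flagged line is a place to look, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Excerpt copied from the log posted above (R0/R1, O2, O4 and O10 lines).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Organize.lnk = ?
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
"""

# "O4 - <body>": section code, then the entry as HijackThis prints it.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# Body of a Run-key entry: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str          # HijackThis section, e.g. O2, O4, O10
    entry: str         # the log line as written
    reason: str        # why a reviewer looks at it
    detail: str = ""   # the file, CLSID or host the reason refers to


def executable_of(command: str) -> str:
    """First token of a Run command line, honouring a quoted path."""
    m = re.match(r'"([^"]*)"|(\S+)', command.strip())
    return (m.group(1) or m.group(2) or "") if m else ""


def is_bare_filename(exe: str) -> bool:
    """No directory at all: Windows resolves it via the search path at logon."""
    return bool(exe) and "\\" not in exe and ":" not in exe


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("O2", "O3") and body.endswith("(no file)"):
            clsid = re.search(r"\{[0-9A-Fa-f-]+\}", body)
            findings.append(Finding(kind, line,
                "registered browser component whose file is gone (orphaned CLSID)",
                clsid.group(0) if clsid else ""))
        elif kind == "O4":
            run = RUN_RE.match(body)
            if run:
                exe = executable_of(run.group("cmd"))
                if is_bare_filename(exe):
                    findings.append(Finding(kind, line,
                        "bare filename in a Run key; locate the file and check its version",
                        exe))
            elif body.endswith("= ?"):
                findings.append(Finding(kind, line,
                    "startup shortcut whose target could not be resolved",
                    body.split(":", 1)[1].strip()))
        elif kind == "O10":
            dll = re.search(r"'([^']+)'", body)
            findings.append(Finding(kind, line,
                "Winsock LSP chain points at a missing DLL; do not hand-edit, networking depends on it",
                dll.group(1) if dll else ""))
    return findings


def homepage_hosts(log_text: str) -> list[str]:
    """Distinct hosts behind the R0/R1 start and search pages."""
    hosts = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group("kind") in ("R0", "R1") and " = " in m.group("body"):
            host = urlparse(m.group("body").split(" = ", 1)[1].strip()).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.detail or '-':42} {f.reason}")
    print("start/search hosts:", ", ".join(homepage_hosts(SAMPLE_LOG)))
```

A flagged line is a place to look, not a conclusion: for a bare filename such as VTTimer.exe the next step is exactly what the reply above asks for, a file search followed by a look at the file's version information, and the hosts list only tells you whether the start page is one you recognise (here both are the HP preload's hpwis.com pages).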
 

Discussion Starter · #4 ·
Got it done, and no problems. But I've been having trouble with the setup of NOD32. It fails setup just after the files are extracted and issues a big report to Microsoft. That didn't change; I'm still having problems with it. So I tested setup on some other programs like Ad-aware 6 and it does great. So, I guess I've got a messed-up download file. What do you think?
 

Reply · Rollin' Rog ·
When that error dialog pops up there is a "more info" tab you can click to see what it contains. Of interest is the faulting module.

You can also look in Administrative Tools > Event Viewer for errors under the applications and system logs. Probably application will have something.

Do you know what vttimer is by the way?

I didn't expect that the BHO entry would be causing any problems, except perhaps for Adobe since I think it was put there by that.
 

Discussion Starter · #6 ·
Hi Rollin' Rog!

I don't know what vt timer is, but I think I mistakenly fixed it along with the BHO entry and now it's gone. I guess it's too late to recover it, right? I guess I can always restore if it turns out to be really important...

Sorry, that was careless of me.

On the setup problem, it said: Appl Name: setup.exe  Mod Ver: 6.0.8665.0  Offset: 00003c6a  Mod Name: mfc42u.dll

I didn't know how to get to it to look at the tabs you were talking about.

Thanks so much for your help.
 

Reply · Rollin' Rog ·
Saving HijackThis directly on the desktop may be a no-no here. But run HijackThis and select Config > backups and see if the entry you deleted is still there. Frankly I wouldn't restore it at this time, until you can verify its legitimacy. It is nothing Windows needs anyway.

Also do a file search for vttimer.exe (it won't be deleted), right click on it and select Properties > Version and see what that says.

When you get "error report" dialogs you will see this image:



Select the "click here" tab to see what the error actually is.

Also, as I mentioned, you can review these errors in the Administrative Tools > Events viewer as well.

Your version of mfc42u.dll is the correct one. I don't know what the problem might be, but be sure you have closed down all other open programs or any other antivirus programs before running setup.

In fact you might try running the install after doing a "clean boot". To do this run msconfig and temporarily clear the check for load startup group items; then reboot and try the install. Go back and re-enable them afterwards, one way or another.
 

Discussion Starter · #8 ·
Hi Rollin Rog!

Sorry for the delay. I had to be gone all day, but I found out that the vt timer entry is in the backup config of Hijack This. Though I've searched all the files and folders of my two hard drives several times, the answer is always no files found for vttimer.exe. So I dunno what to make of it.

I did the startup with nothing loading through MSCONFIG startup and tried to set up NOD32 again. Same thing happened. But this time I was able to figure out that you were talking about a feature of XP when you were speaking about Administrative Tools, and I looked it up and found it. (Brand new to XP... I'm from Windows 98.) Here's what it said:

Source: DR. Watson
Event ID: 4097
Computer: 6000Z

Description: The application C:\ProgramFiles\ESET\Install\Setup.exe generated an application error. The error occurred at 3/23/2004 @ 16:03:50.687. The exception generated was c0000005 at address 76FB3C6A (MFC42u! Ordinal 6195). For more info, see Help & Support Center at http://go.microsoft.com/fwlink/events.asp.

I tried to click on that and it said the page couldn't display. Then Compaq help and support page jumped up and messages started being issued and all kinds of stuff.

Do you have any further thoughts on what I should try? Thanks.
 

Discussion Starter · #9 ·
You know, the thought occurred to me that my computer came with Norton Antivirus and Norton Personal Firewall icons on the desktop. They would pop up and ask me to activate them but I didn't. However, they might actually be embedded in my computer. Oh well, I did remove the programs, but I wonder... Anyway, I have entered a tech support request at ESET. I'm out of ideas for now.
 

Reply · Rollin' Rog ·
C:\WINDOWS\System32\nvsvc32.exe

Is a NAV service. It is the only evidence of NAV in the startups. You can disable it through Administrative Tools > Services or remove it entirely by deleting it from this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Unfortunately I can't narrow down the error from the event ID either. The listed "source" seems to be the model of the computer: 6000Z which seems unusual to me as a source. Is that what is listed as the "source" in the event viewer?

As for VTTimer, if the file isn't there just leave the registry entry deleted.



C:\ProgramFiles\ESET\Install\Setup.exe

The presence of this folder and file would seem to indicate that NOD has already been installed? Is it listed in Add/Remove Programs?
 

Discussion Starter · #11 ·
It said:

Source: DR. Watson
Event ID: 4097
Computer: presario 6000Z

Description: The application C:\ProgramFiles\ESET\Install\Setup.exe generated an application error. The error occurred at 3/23/2004 @ 16:03:50.687. The exception generated was c0000005 at address 76FB3C6A (MFC42u! Ordinal 6195). For more info, see Help & Support Center at http://go.microsoft.com/fwlink/events.asp.

ESET is not in Add/Remove Programs, nor is NOD32. I think it means that the application which Dr. Watson was logging was Setup.exe, which was working on the install of ESET into C:\Program Files. Just my guess.

I'll try to disable nvsvc32.exe first and then try the vanilla startup again. I'll report back later. Thanks for your help.
 

Discussion Starter · #12 ·
Rollin Rog, I don't understand how to disable the nvsvc32.exe file using Administrative Tools / Services. I tried to read the Help, but I don't know which service I'm interested in and how to get down to that specific file. Could you walk me through this? Meantime I'll look through my XP for Dummies book and see if I can figure something out. Sorry to be such a dummy. Thanks again.
 

Reply · Rollin' Rog ·
I was trying to get a 'hit' for the error at this site, unfortunately nothing; but you might want to bookmark it for future references.

http://www.eventid.net/

Sorry for the incomplete help on the services configuration -- I didn't have time to spell it out when I posted.

If you open your Administrative Tools > Services applet, you can find settings and descriptions of installed services there.

Under the "Name" header you should find something for Norton Antivirus; double click that and see if the path to the executable is:

C:\WINDOWS\System32\nvsvc32.exe

If it is you can set this service to "disabled" so it doesn't start (you will need to reboot afterwards).

Also though ESET is not in Add/Remove Programs, is it in C:\Program Files?

If so, and you are installing this from a Setup file you have downloaded, download the Setup file to some other location and before running it delete the ESET folder in Program Files.
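The Services check described above, done offline, as an added example (mine, not code from the thread): export the Services key with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, then find every service whose ImagePath ends in the binary you saw in the process list and read off its display name and start type before deciding to disable it. SAMPLE_EXPORT is constructed in the format reg export writes (REG_EXPAND_SZ values come out as hex(2) UTF-16LE with line continuations); the service name, display name and start type in it are placeholders for illustration and say nothing about what the poster's machine actually had.

```python
"""Map a binary seen in the process list back to the service that starts
it, working offline from a text export of the Services registry key.

Added example for the Services check described above; not code from the
thread. Everything in SAMPLE_EXPORT is constructed: the service key,
display name and start type are placeholders, not the poster's machine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Values of the "Start" DWORD as shown in the Services applet.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed excerpt in the format written by
#   reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleHelperSvc]
"Type"=dword:00000010
"Start"=dword:00000002
"DisplayName"="Example Helper Service"
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,\
  53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,76,00,73,00,76,00,63,00,\
  33,00,32,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"DisplayName"="Print Spooler"
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass
class Service:
    key: str
    display_name: str = ""
    image_path: str = ""
    start: int | None = None


def _logical_lines(text: str):
    """Rejoin values that reg export wrapped with a trailing backslash."""
    buf = ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        yield buf + line.strip()
        buf = ""


def _decode_value(raw: str) -> str | int:
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith(("hex(1):", "hex(2):")):   # REG_SZ / REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes(int(h, 16) for h in raw.split(":", 1)[1].split(",") if h)
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith('"') and raw.endswith('"'):  # quoted REG_SZ: backslashes and quotes doubled
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_services(export_text: str) -> list[Service]:
    services: list[Service] = []
    current: Service | None = None
    for line in _logical_lines(export_text):
        km = KEY_RE.match(line)
        if km:
            current = Service(key=km.group(1))
            services.append(current)
            continue
        vm = VALUE_RE.match(line)
        if not (vm and current):
            continue
        name, value = vm.group(1).lower(), _decode_value(vm.group(2))
        if name == "imagepath":
            current.image_path = str(value)
        elif name == "displayname":
            current.display_name = str(value)
        elif name == "start":
            current.start = int(value)
    return services


def _exe_of(image_path: str) -> str:
    """Executable part of an ImagePath such as '"C:\\x y\\a.exe" -k arg'."""
    m = re.match(r'"([^"]*)"|(\S+)', image_path.strip())
    return (m.group(1) or m.group(2) or "") if m else ""


def services_for_binary(export_text: str, binary_name: str) -> list[tuple[str, str, str]]:
    """(service key, display name, start type) for each service whose
    ImagePath ends in binary_name; empty means no service launches it."""
    hits = []
    for svc in parse_services(export_text):
        exe = _exe_of(svc.image_path).replace("/", "\\")
        if exe.rsplit("\\", 1)[-1].lower() == binary_name.lower():
            hits.append((svc.key, svc.display_name, START_TYPES.get(svc.start, "unknown")))
    return hits


if __name__ == "__main__":
    for key, name, start in services_for_binary(SAMPLE_EXPORT, "nvsvc32.exe"):
        print(f"{key}: '{name}', start type {start}")
```

Setting the matched service to Disabled in the applet, as the reply above suggests, keeps the change reversible in a way that deleting the key does not. An empty result is itself informative: a running binary that no service references is being started some other way (a Run key, a startup shortcut, or launched by another process), so the process list alone does not tell you it is a service.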
 

Discussion Starter · #14 ·
Hi Rollin' Rog!

Thanks for the link to Event ID. I looked thoroughly through the Services Names and didn't find any that are related to Norton Antivirus or Symantec or even antiviruses generally or anything I could speculate might be doing the job. I also searched for C:\Windows\System32\nvsvc32.exe or nvsvc32.exe in either of the two hard drives C or D. It's just not there. I looked repeatedly. But I did find a Symantec folder in Program Files and it contains:

A folder: Live Update; Symevent (Security Catalog); Symevent (System File); S32event1.DLL; Symevent (Setup Information)

I printed out the .INF file below:

;
; SymEvent INF File
;
; Copyright (c) 2003, Symantec Corporation
;
[Version]
signature = "$Windows NT$"
Class = "ActivityMonitor"
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
Provider = %Symc%
DriverVer = 08/06/2003,11.3.0.17
CatalogFile = SymEvent.cat

[SourceDisksNames]
1 = %Disk1%

[SourceDisksFiles]
SymEvent.sys = 1

[DestinationDirs]
DefaultDestDir = 01,temp.^^^

[SymcInstall]
CopyFiles = @SymEvent.sys

[DefaultInstall]

[DefaultUninstall]

[Strings]
Symc = "Symantec Corporation"
Disk1 = "SymEvent Source Media"

I wonder if I had activated the icon for setup of Norton Antivirus if this would have caused the placement of that nvsvc32.exe in C:\Windows\System32.

Also ESET is in the Program Files but is not complete (not fully extracted) as you will see below.

I got a request for action from ESET tech support. It said the following:

Please try installing the mfc libraries supplied with the NOD32 installer by renaming the extension of the enclosed file to bat and running it. (this will work if your windows is installed in c:\windows and the NOD32's installation files are already extracted in c:\program files\eset). Finally, reboot the machine and try installing NOD32 again.

They sent me mfc.ba.

However, there were no NOD32 files in ESET and of course it failed to install.

I haven't answered the tech support request yet. I wondered if there was anything else you thought I should try first.

Also, I wondered whether you thought I should go ahead at this point and delete the Symantec folder and all its files?

Right now I thought I'd try downloading AVG to see if it will install and also because I need some virus protection. Thanks again.

I'll be right back to leave a note about AVG.
 

Discussion Starter · #15 ·
I think I was wrong on the test of the ESET tech support request. I do have an install file just none of the files are named NOD32. And mfc.bat is an MS DOS Batch file so I need to have executed it from the DOS directory but I don't know what that translates to in XP. Can you give me some guidance as to where I need to locate mfc.bat to execute it? Sorry about being a dummy.
 

Reply · Rollin' Rog ·
Let me just start with the Norton issue. With this showing in Running Tasks, it HAS to be there:

C:\WINDOWS\System32\nvsvc32.exe

But you should disable the service from Administrative Tools > Services, following the directions I gave, rather than trying to delete the file, access to which will probably be denied since it is in use.

I'm a bit confused about the NOD problem.

If they sent you a file, mfc.ba then that is what you rename to mfc.bat and run. There is no difference regarding operating systems.

It doesn't necessarily need to be run from a DOS command or any special directory, did they tell you you had to do it from DOS? Bat files simply execute DOS commands. They can be run from within normal Windows most of the time the same way you run any file. Likely you will just see a DOS shell briefly open and close.
 