Tech Support Guy banner
Cancel
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice

Several Problems but I Will Start Here First

3050 Views 5 Replies 3 Participants Last post by  architect
A
Below is the Hijack Log pulled from my computer. I am experiencing several problems. Nothing appears to be drastic, but they are all annoying and time consuming.

The first problem is I am recently receiving "attack" messages from by Norton security software. These are defined as the "Activeperl_overflow". When I get the details, I am informed the attacks are internal. The curious part is that the IP address, 127.0.0.1 is the same as a previous post which I read. I do not understand how this address can be the same as someone elses. Regardless, what is this and what should I do about it? Like the previous post, I frequent ESPN.com quite often.

The second concern is that I have recently received two Mailer Deamons through Outlook indicating the messages sent were to an unknown recipient. The troubling part is that these messages were "sent" while I was on vacation and the system was completely shut off. The Sent Items log does not have any record of these attempts. Both of the attempted messages were to unspecific recipients using .yahoo domains.

The next item is whenever I run the "Find and Fix Problems" program through my Norton (2003) software, I get several problems that are remedied but always have an entry which can not be repaired. The message is as follows, "Missing File: "C:\Program Files\Common File\Microsoft Shared\Reference Titles\A\ERS2000.exe" Followed by "C:\Program Files\Common Files\Microsoft Shared\Reference Titles\A\ERS2000.exe" cannot access necessary file, "shrl30.dll" What do I do about this?

Finally, I frequently get the blue screen of death with the notation the "ccapp.exe" has failed. I believe this is part of the Norton system only because there is the same executable in my MSConfig Start up. I noticed within this program that NProtect (Norton) is actually listed twice, as well.

Here is my Hijack Log. I followed the directions about turning on everything listed in MSConfig but I usually only have the following turned on at start up. Taskbar Display Control, System Tray, NProtect, Em_exec, Ccapp, Ccregvfy, NProtect (the duplicate), Nisum, Ccpsysvc, Scriptblocking, Ccevtmgr and Microsoft Office Startup.

Thank you in advance for all of your advice.

Logfile of HijackThis v1.97.7
Scan saved at 12:54:53 PM, on 3/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ACD SYSTEMS\ACDSEE\CAMDETECT.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPODEV07.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOFXM07.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r4.attbi.com

O2 - BHO: (no name) - {4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} - C:\WINDOWS\IEXPLORR23.DLL
O2 - BHO: (no name) - {6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} - C:\WINDOWS\IEXPLORR24.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\ACDSEE\CAMDET~1.EXE
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\stimon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~3\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\WINDOWS\Easy Internet\EncMontr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .MID: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .adp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37738.4036111111
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50015/btiein.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
See less See more
Save
Like
Status
Not open for further replies.
1 - 2 of 6 Posts
Byteman
Hi, One thing that can cause the missing file error you have for Encarta Encyclopedia (shrl30.dll) is the Sircam virus;;; there is a free remover here that will run and remove or tell you the virus is not present- that will rule out Sircam. There are other reasons for this error.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314599

After reading the info, scroll down to the "Availablity of W32.Sircam...............etc" and get the remover, run it from the desktop, reading instructions and all.........

There are some things in the HJT log that must go:

O2 - BHO: (no name) - {4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} - C:\WINDOWS\IEXPLORR23.DLL
O2 - BHO: (no name) - {6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} - C:\WINDOWS\IEXPLORR24.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50015/btiein.cab

However, these may not go easily in Normal Mode, so try from Safe Mode- here are directions for reaching Safe Mode:
If you already know this, just run HJthis from Safe Mode, and have it fix those entries....sometimes, not even this works and you have to end those processes first, then use HJT to fix them.
Only a reboot and rescan with HJT will tell you if they are gone.
You must then hunt for those files which may or may not be present, and delete them if present.
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

AdAware and SpyBot would detect and remove Huntbar (BTEIN.DLL indicates that) do you have either of these free malware removal tools? You should! Update and run them if you do already have them installed. AdAware has special settings- let me know if you do want AdAware and will post the directions, but they are in many threads here in Security forum.

The IP adress 127.0.0.1 is your own computer's. That should mean the infection or whatever is present and as you say, attacking internally....the internal address is the same for all computers which is why you saw it the same in another post.

The returned emails are bogus, your email addy has been picked up by some other infected computer and used or "spoofed" making you the recipient of the returned mails....which also may contain a virus.... so, until it gets straightened out, you may continue to get these, many many people are also having this problem. There may be a way to block them, but that can also block some mail you do want...

The Norton Security error I am not sure about, perhaps it was installed badly and just needs to be totally uninstalled/reinstalled....that can be a real pain, but sometimes goes well and does fix the problem....we can work that out after the main problems are fixed.
Somewhere along the line you probably should scan for worms/Trojans not just viruses....

There may be some other things to do.
See less See more
Save
Like
Byteman
Hi- Actually, even after you remove the Grokster item, I would get the free removal programs AdAware 6.0 and also SpyBot search and destroy- especially if son will be using computer regularly!
Merely uninstalling Grokster does not remove the malware it contained...
The directions for installing each:

AdAware has special settings that must be checked before you remove anything... these two programs will completely clean up the junk that even HJT may not be showing.
These are the general directions for AdAware which I got from a reply by dvk01-::
""Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least 01R275 25.03.2004 or a higher number/later date

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it´s just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

reboot again

SPYBOT- directions:
After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

then post a new hijackthis log to check what is left"

Download location for them:

http://www.safer-networking.org/index.php?page=download

Pick a server- it does not make much difference, just some are quite busy.....

AAW here:
http://lavasoft.element5.com/support/download/
Scroll down to "AAW 6 standard edition"

After we see a new log, there may be some other things to do.

There are malware prevention tools you should have, also....another thing you may have to do is visit Windows Updates and get all the Critical Updates installed if you have not done them.
See less See more
Save
Like
1 - 2 of 6 Posts
Status
Not open for further replies.
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Off Topic Lounge Thread Games & Discussion Networking
Top