Task Manager and Msconfig not working

t0mmyb0y

Senior member
Jun 26, 2001
332
0
0
So I always enjoy the holidays and trying to fix relatives' computers...

I try to open Windows Task Manager or msconfig to determine what programs are running, and nothing comes up. The Task Manager window appears, but then is gone in like 0.2 seconds. Seems like something doesn't want me to know it's running...

I also get the Windows Security pop-up when I hit ctrl-alt-del, instead of it taking me directly to task manager. Does anyone know the setting to configure to change this?

I tried running Ad-Aware, but of course it gives me a "cannot find device/..." Anyone have other suggestions for spyware elimination programs? He'll probably flip when his Kazaa/LimeWire won't work anymore, but it's worth getting the computer functioning again.

Thanks in advance...
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
How about starting in Safe Mode? You will probably want to also disable System Restore, or the stuff may get put right back by Windows itself. Could you also post what their network connection is (cable, DSL, whatever), what their firewall is (a router, a software firewall, none), and what their antivirus software is (include what generation, such as "Norton Antivirus 2003" or whatever)? What OS does the computer run and has it been kept up-to-date on its patches?

Also:
  1. Download Hijack This!
  2. Save it in C:\HJT or another folder of your own making
  3. Run it from that folder and hit Save Log
  4. Post the log's contents here, so the anti-spyware gurus can analyze it for you
Or you can take what Yoda calls "the easy path" and just Drop The Bomb On It :evil: WinXP Setup baby... works every time. Temporarily, at least... still gotta educate those relatives about their risky behavior. :roll: And cure world hunger while you're at it, the two jobs will be roughly equal in difficulty, right?

I put together some recommendations for preventing spyware and junk here under the Ongoing prevention part down the page a ways. If you can get the system cleaned up, and get the relatives to stop shooting themselves in the foot, then those measures will do a good job for them. The tough one to sell to a home user is giving up the Administrator privileges and using a Limited / Restricted-User account, but it works.
 

t0mmyb0y

Senior member
Jun 26, 2001
332
0
0
Originally posted by: mechBgon
How about starting in Safe Mode? You will probably want to also disable System Restore, or the stuff may get put right back by Windows itself. Could you also post what their network connection is (cable, DSL, whatever), what their firewall is (a router, a software firewall, none), and what their antivirus software is (include what generation, such as "Norton Antivirus 2003" or whatever)? What OS does the computer run and has it been kept up-to-date on its patches?

Also:
  1. Download Hijack This!
  2. Save it in C:\HJT or another folder of your own making
  3. Run it from that folder and hit Save Log
  4. Post the log's contents here, so the anti-spyware gurus can analyze it for you
Or you can take what Yoda calls "the easy path" and just Drop The Bomb On It :evil: WinXP Setup baby... works every time. Temporarily, at least... still gotta educate those relatives about their risky behavior. :roll: And cure world hunger while you're at it, the two jobs will be roughly equal in difficulty, right?

I put together some recommendations for preventing spyware and junk here under the Ongoing prevention part down the page a ways. If you can get the system cleaned up, and get the relatives to stop shooting themselves in the foot, then those measures will do a good job for them. The tough one to sell to a home user is giving up the Administrator privileges and using a Limited / Restricted-User account, but it works.

The computer is running Windows XP Pro with all the latest updates (now that I've installed them). It's connected through a wireless router which is using a cable modem connection. They have the latest version of AVG antivirus running, but suspiciously no firewall running (since remedied with Kerio Personal Firewall).

Here is the log. I would prefer a quick fix as opposed to the entire Windows XP format. I got Ad-Aware 6.0 to work, but still can't get Task Manager to stay open, or msconfig. Again, does anyone know why I get the "Windows Security" pop-up when I hit ctrl-alt-del rather than the usual Task Manager?

LOG:

Scan saved at 4:06:51 AM, on 11/24/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\PROGRA~1\Grisoft\AVG6\avgserv.exe
H:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
H:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
H:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
H:\WINDOWS\System32\P2P Networking\P2P Networking.exe
H:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
H:\Program Files\QuickTime\qttask.exe
H:\WINDOWS\system32\AIMMSNGR.EXE
H:\WINDOWS\system32\RYAOMJRC.EXE
H:\WINDOWS\system32\REAIPLAY.EXE
H:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\AIM\aim.exe
H:\WINDOWS\System32\ouxynj.exe
H:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\DOCUME~1\BRIANS~1\LOCALS~1\Temp\Temporary Directory 1 for hjt.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10DB3155-EE1F-69F1-8F59-655579AE281A} - H:\WINDOWS\System32\esmxkre.dll (file missing)
O2 - BHO: (no name) - {12803A51-ED4C-39AA-8359-655579AE2919} - H:\WINDOWS\System32\xcdq.dll (file missing)
O2 - BHO: (no name) - {18DC3A58-E946-39A1-815F-655579AF2C1F} - H:\WINDOWS\System32\qrk.dll (file missing)
O2 - BHO: (no name) - {19D83606-EC12-3CA9-845B-655579AE7E19} - H:\WINDOWS\System32\wmm.dll (file missing)
O2 - BHO: (no name) - {19DF3B09-EC15-6FFC-D75B-655579AE7B4E} - H:\WINDOWS\System32\nkaa.dll (file missing)
O2 - BHO: (no name) - {1C8C6F58-EC13-60FF-820A-655579AF2B49} - H:\WINDOWS\System32\benubv.dll (file missing)
O2 - BHO: (no name) - {1DDF3304-E74E-6AF0-D35F-655579AE2E1D} - H:\WINDOWS\System32\dbppt.dll (file missing)
O2 - BHO: (no name) - {1ED86F0B-BB4E-3EA5-D25F-655579AE7B4A} - H:\WINDOWS\System32\qknwjaf.dll (file missing)
O2 - BHO: (no name) - {1F826B0E-E819-6FF0-D65F-655579AF2E16} - H:\WINDOWS\System32\deoane.dll (file missing)
O2 - BHO: (no name) - {41813701-BD19-65AC-D459-655579AE2F15} - H:\WINDOWS\System32\fixor.dll (file missing)
O2 - BHO: (no name) - {438E3351-E040-3DAB-825F-655579AE2C4D} - H:\WINDOWS\System32\uehjrdul.dll (file missing)
O2 - BHO: (no name) - {488C6E0D-BD19-31F7-D50A-655579AF2840} - H:\WINDOWS\System32\bls.dll (file missing)
O2 - BHO: (no name) - {488F6300-B14D-6DFF-825F-655579AE2D19} - H:\WINDOWS\System32\ieso.dll (file missing)
O2 - BHO: (no name) - {4C88325D-EC12-3CFC-865B-655579AE274D} - H:\WINDOWS\System32\dkldeq.dll (file missing)
O2 - BHO: (no name) - {4E8E6D09-EF4B-68A4-D05F-655579AF2F1F} - H:\WINDOWS\System32\hfen.dll (file missing)
O2 - BHO: (no name) - {4F8F300B-ED40-38FF-845B-655579AE291C} - H:\WINDOWS\System32\omwby.dll (file missing)
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - H:\WINDOWS\System32\NDrv.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] H:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [P2P Networking] H:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AIM Messenger] AIMMSNGR.EXE
O4 - HKLM\..\Run: [AOL Instent Messenger] RYAOMJRC.EXE
O4 - HKLM\..\Run: [WhenUSearchWHSE] H:\PROGRA~1\WHENUS~1\whse.exe
O4 - HKLM\..\Run: [Real Internet Player] REAIPLAY.EXE
O4 - HKLM\..\Run: [ViewMgr] H:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] H:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ebla] H:\Documents and Settings\Brian Sanders\Application Data\aoro.exe
O4 - HKCU\..\Run: [Tryrpzjn] H:\WINDOWS\System32\ouxynj.exe
O4 - HKCU\..\RunOnce: [AIM Messenger] AIMMSNGR.EXE
O4 - HKCU\..\RunOnce: [Real Internet Player] REAIPLAY.EXE
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] RYAOMJRC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = H:\Documents and Settings\Brian Sanders\Local Settings\Temp\{A9AE1C47-EC5B-466B-A904-4B990021420C}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = H:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: &Google Search - res://h:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://h:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://h:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://h:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://h:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/...901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.micros...l.CAB?37993.8598958333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com...cabs/flash/swflash.cab

 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Super, one of the spyware honchos will be able to help with that logfile. As for Grisoft, is it running with its Resident Shield set like shown here and doing daily scans? Anything in the Virus Vault that might shed light on what stuff they're running into?
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
MusicMatch spyware

download PsTools
1) extract these files to your working directory.
2) open a command prompt and run pslist and verify that reaIplayer.exe is in the list. (notice the capital I "eye")
3) run pskill reaIplayer.exe
4) del \windows\prefetch\reaIplayer.*

This should get msconfig and TaskMan to work.

Now run msconfig and get rid of the reaIplayer in Startup.
Run your other spyware programs and reboot

I noticed you have AOL Instent Messenger (yes, that was CORRECTLY spelled) running a process called RYAOMJRC...get rid of that. It's also in your RunOnce regkey so that it will always runonce in case you delete it, so be careful getting rid of it...or it just comes back again.

Get rid of WhenUSearch. This one is particularly nasty in the way it pisses all over your entire registry...this one may require manual surgery, and do not reboot until you are sure you've deleted all reg entries.

Dunno what ouxynj.exe is, but I don't trust it.
 

DetroitSportsFan

Senior member
Oct 19, 2004
374
0
0
Hi t0mmyb0y,

I can see why this system is having problems. You're dealing with a good handful of "nasties" and another smaller handful of questionable programs as far as their security risks are concerned. First off, I suggest you sit down with the computer owner and explain that while we can fix these things .... the programs that are causing the problems HAVE TO GO! There's no other way around it. In cases that I can suggest an alternative program, I will. Sound fair?

Alright, first thing I noticed is you've got HijackThis installed in a temporary directory. We need to move it to its own permanent folder like C:\HijackThis. It won't work right on the desktop or from a temporary folder. So, that's the first change you'll have to make.

Secondly, this is going to be a multi-step process. It's not going to be a "one button click fix." We're going to have to remove some of this stuff manually and that will require multiple posts and some patience on your part. If you hang in there throughout the process, you'll reclaim this system in the end.

Ok, here we go ....

We need to uninstall Kazaa/LimeWire if they are there as they come well packaged with spyware as you already know. Also, uninstall Viewpoint Media Player, Real Player and AOL Instant Messenger too (Use Trillian .... it's so much more secure.). I know .... this person is going to flip! However, those applications I mentioned have been implicated in the malware processes that are on this machine. So, head to control panel then add/remove programs. I think you're well aware of the "drill."

Once you've got that part done, post me a new HJT log. (Be sure to move HijackThis to its own permanent folder first.) I've got a whole bunch more manual removal steps for us to do.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Whoa, hold on...first things first. We need to get the original problem solved, which is getting back TaskMan and msconfig.

Then we have to get rid of the true nasties. AIM and Real are fine, they don't have to be uninstalled. Viewpoint sucks, but it's nothing compared to WhenUSearch. Once all the really crappy stuff has been taken care of, you can decide what else to nuke from there.
 

DetroitSportsFan

Senior member
Oct 19, 2004
374
0
0
Originally posted by: Slugbait
Whoa, hold on...first things first. We need to get the original problem solved, which is getting back TaskMan and msconfig.

Then we have to get rid of the true nasties. AIM and Real are fine, they don't have to be uninstalled. Viewpoint sucks, but it's nothing compared to WhenUSearch. Once all the really crappy stuff has been taken care of, you can decide what else to nuke from there.

On a healthy system, yes ... however in this guy's case they have been implicated in the spread of malware. If you research his issue, you'll see that his msconfig problem is directly related to the malware that his system has. They have to go for now .... otherwise his problem will not be fixed. I have some freeware tricks up my sleeve that will allow him to use AIM ... but it still has to go for now. By removing it, we'll get a clearer view of what appears to be malware mimicking AOL. Even so, Trillian is a safer choice! As for RealPlayer .... I guess you've been asleep! They use tracking software and it's considered to be a security risk. I wouldn't have it on my machine. WinAmp is a much safer choice!!!

t0mmyb0y, trust me on this one .... I'm not out to lunch. Remember, I stated we've got to go through a multi-step process.

Slugbait, this system has multiple issues and for me, I like to do this the easiest way possible. If we remove AOL temporarily, the whole thing becomes easier. So, we'll fix his problems then install JavaCool's Spyware Blaster so that a lot of this won't ever be able to install again. Then, they can choose to either install AIM or Trillian .... but Trillian is a much safer choice.

 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
On a healthy system, yes
Was that a sarcastic response? I most certainly DID do my research, determined that he does NOT have a healthy system, and then provided detailed instructions for getting TaskMan and msconfig back up and running, which is imperative to have in order to continue flushing the other crap on this machine.

Telling someone that "AIM has to go for now" is irresponsible. Tens of millions of people use that program, it has absolutely nothing to do with his problems. I have already pointed out the malware that is masquerading as AIM...the actual legit program doesn't need to be removed.

As for RealPlayer, you're the one who must be asleep. Tracking doesn't mean squat compared to the TRUE crap he's got to deal with. And pull up some links to show the security dangers that Real's tracking is doing to their customers...are their machines vulnerable? Have they had ID theft? Password culling? What? Do they only know what their customers are watching or listening to, or is it something much more nefarious?

I'm fully aware his system has multiple issues. I pointed them out. You're *only* telling him to remove either legit software, or the really low-impact stuff. Believe it or not, some people actually prefer to use the actual programs that support those formats and/or services.
 

DetroitSportsFan

Senior member
Oct 19, 2004
374
0
0
Say what you want ... and when it all returns I'll step in and fix the problem. Until then, it's your show. I'll take a seat and see what happens. Good luck.
 

t0mmyb0y

Senior member
Jun 26, 2001
332
0
0
Originally posted by: DetroitSportsFan
Say what you want ... and when it all returns I'll step in and fix the problem. Until then, it's your show. I'll take a seat and see what happens. Good luck.

No need to fight boys... I managed to fix the problem with HijackThis and Ad-Aware SE and the AIM fix program that is available on the web. I managed to do it without getting rid of AIM, as I don't think I can convince the person to use Trillian or Gaim. Thanks for your help. Oh yeah, and go Detroit Sports! (native Detroiter)
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
here is my take on what to do with the hijackthis log

Before you do anything
1. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

fix the following in HijackThis (kill the process in the process viewer if it's there, then delete the corresponding file)
  • O2 - BHO: (no name) - {10DB3155-EE1F-69F1-8F59-655579AE281A} - H:\WINDOWS\System32\esmxkre.dll (file missing)
  • O2 - BHO: (no name) - {12803A51-ED4C-39AA-8359-655579AE2919} - H:\WINDOWS\System32\xcdq.dll (file missing)
  • O2 - BHO: (no name) - {18DC3A58-E946-39A1-815F-655579AF2C1F} - H:\WINDOWS\System32\qrk.dll (file missing)
  • O2 - BHO: (no name) - {19D83606-EC12-3CA9-845B-655579AE7E19} - H:\WINDOWS\System32\wmm.dll (file missing)
  • O2 - BHO: (no name) - {19DF3B09-EC15-6FFC-D75B-655579AE7B4E} - H:\WINDOWS\System32\nkaa.dll (file missing)
  • O2 - BHO: (no name) - {1C8C6F58-EC13-60FF-820A-655579AF2B49} - H:\WINDOWS\System32\benubv.dll (file missing)
  • O2 - BHO: (no name) - {1DDF3304-E74E-6AF0-D35F-655579AE2E1D} - H:\WINDOWS\System32\dbppt.dll (file missing)
  • O2 - BHO: (no name) - {1ED86F0B-BB4E-3EA5-D25F-655579AE7B4A} - H:\WINDOWS\System32\qknwjaf.dll (file missing)
  • O2 - BHO: (no name) - {1F826B0E-E819-6FF0-D65F-655579AF2E16} - H:\WINDOWS\System32\deoane.dll (file missing)
  • O2 - BHO: (no name) - {41813701-BD19-65AC-D459-655579AE2F15} - H:\WINDOWS\System32\fixor.dll (file missing)
  • O2 - BHO: (no name) - {438E3351-E040-3DAB-825F-655579AE2C4D} - H:\WINDOWS\System32\uehjrdul.dll (file missing)
  • O2 - BHO: (no name) - {488C6E0D-BD19-31F7-D50A-655579AF2840} - H:\WINDOWS\System32\bls.dll (file missing)
  • O2 - BHO: (no name) - {488F6300-B14D-6DFF-825F-655579AE2D19} - H:\WINDOWS\System32\ieso.dll (file missing)
  • O2 - BHO: (no name) - {4C88325D-EC12-3CFC-865B-655579AE274D} - H:\WINDOWS\System32\dkldeq.dll (file missing)
  • O2 - BHO: (no name) - {4E8E6D09-EF4B-68A4-D05F-655579AF2F1F} - H:\WINDOWS\System32\hfen.dll (file missing)
  • O2 - BHO: (no name) - {4F8F300B-ED40-38FF-845B-655579AE291C} - H:\WINDOWS\System32\omwby.dll (file missing)
  • O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - H:\WINDOWS\System32\NDrv.dll (file missing)
  • O4 - HKLM\..\Run: [P2P Networking] H:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
  • O4 - HKLM\..\Run: [AIM Messenger] AIMMSNGR.EXE
  • O4 - HKLM\..\Run: [AOL Instent Messenger] RYAOMJRC.EXE
  • O4 - HKLM\..\Run: [WhenUSearchWHSE] H:\PROGRA~1\WHENUS~1\whse.exe
  • O4 - HKLM\..\Run: [Real Internet Player] REAIPLAY.EXE
  • O4 - HKLM\..\Run: [ViewMgr] H:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  • O4 - HKCU\..\Run: [Ebla] H:\Documents and Settings\Brian Sanders\Application Data\aoro.exe
  • O4 - HKCU\..\Run: [Tryrpzjn] H:\WINDOWS\System32\ouxynj.exe
  • O4 - HKCU\..\RunOnce: [AIM Messenger] AIMMSNGR.EXE
  • O4 - HKCU\..\RunOnce: [Real Internet Player] REAIPLAY.EXE
  • O4 - HKCU\..\RunOnce: [AOL Instent Messenger] RYAOMJRC.EXE
  • O4 - Startup: PowerReg Scheduler V3.exe
  • O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = H:\Documents and Settings\Brian Sanders\Local Settings\Temp\{A9AE1C47-EC5B-466B-A904-4B990021420C}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
  • O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

Additional Steps
1. Remove the following VIA instructions provided:
2. Clear your Temporary Files
3. Restart into normal Windows
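The checks Slugbait and Schadenfroh apply by eye above (a startup name that imitates a real program through a lookalike glyph, such as the capital "I" in REAIPLAY; O2 BHO entries whose DLL is missing; and the same [key] sitting under both Run and RunOnce, so it re-arms itself after a delete) can be written down as a small triage script. The following is an added example written for this thread; it is not code from the thread, from HijackThis or from PsTools. The KNOWN_GOOD list, the rule names and the "no-path" rule are assumptions made for the example, and the sample lines are a constructed subset of the log posted earlier in this thread.

```python
"""Triage of HijackThis-style log lines for the signs this thread relies on.

Added example, not code from the thread, HijackThis or PsTools. It encodes
the checks the posters make by eye: a startup name that mimics a known
program through a lookalike glyph (capital I for lowercase l in REAIPLAY),
BHO entries whose DLL is missing, Run-key commands with no path at all,
and the same [key] under both Run and RunOnce, which re-arms the entry.
KNOWN_GOOD and the rule names are assumptions made for this example.
"""
import re

# Assumed: legitimate executables a home XP box in this thread might start.
KNOWN_GOOD = {"realplay.exe", "aim.exe", "ctfmon.exe", "qttask.exe", "jusched.exe"}

# Glyphs that read alike in common UI fonts: I/l, 1/l, 0/o.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})

# Constructed sample: a subset of the O2/O4 lines from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {10DB3155-EE1F-69F1-8F59-655579AE281A} - H:\WINDOWS\System32\esmxkre.dll (file missing)
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - H:\WINDOWS\System32\NDrv.dll (file missing)
O4 - HKLM\..\Run: [AVG_CC] H:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AIM Messenger] AIMMSNGR.EXE
O4 - HKLM\..\Run: [AOL Instent Messenger] RYAOMJRC.EXE
O4 - HKLM\..\Run: [Real Internet Player] REAIPLAY.EXE
O4 - HKCU\..\Run: [AIM] H:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Tryrpzjn] H:\WINDOWS\System32\ouxynj.exe
O4 - HKCU\..\RunOnce: [AIM Messenger] AIMMSNGR.EXE
O4 - HKCU\..\RunOnce: [Real Internet Player] REAIPLAY.EXE
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] RYAOMJRC.EXE
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<subkey>Run|RunOnce): "
                   r"\[(?P<key>[^\]]+)\] (?P<cmd>.+)$")


def normalize(name: str) -> str:
    """Fold lookalike glyphs, then lowercase, so REAIPLAY.EXE == realplay.exe."""
    return name.translate(HOMOGLYPHS).lower()


def lookalike_of(name: str):
    """Known-good name this one imitates, or None.

    An exact (case-insensitive) match is the real program and is not flagged;
    a match that appears only after glyph folding is the lookalike."""
    if name.lower() in KNOWN_GOOD:
        return None
    folded = normalize(name)
    for good in KNOWN_GOOD:
        if folded == normalize(good):
            return good
    return None


def program_of(cmd: str) -> str:
    """Program portion of a Run-key command: quoted path, or text up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.*?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(lines):
    """Return (rule, detail) findings for HijackThis-style lines."""
    findings = []
    subkeys_by_key = {}  # [key] label -> set of Run/RunOnce it appears under
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if "(file missing)" in m.group("path"):
                findings.append(("bho-file-missing", m.group("clsid")))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        prog = program_of(m.group("cmd"))
        exe = prog.rsplit("\\", 1)[-1]
        good = lookalike_of(exe)
        if good:
            findings.append(("lookalike", f"{exe} mimics {good}"))
        if "\\" not in prog:
            # A bare name is resolved through the search path; it deserves a
            # look, even though some legitimate vendors install entries this way.
            findings.append(("no-path", exe))
        subkeys_by_key.setdefault(m.group("key"), set()).add(m.group("subkey"))
    for key, subkeys in subkeys_by_key.items():
        if subkeys == {"Run", "RunOnce"}:
            findings.append(("run-runonce-pair", key))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{rule:18} {detail}")
```

Run against the sample, it reports the two missing-DLL BHOs, flags REAIPLAY.EXE as a lookalike of realplay.exe (AIMMSNGR.EXE and RYAOMJRC.EXE are not close enough to any name in the list, which is exactly why a reader has to check the [key] label and the path by hand), lists the three bare-name entries, and pairs up the Run/RunOnce duplicates that Slugbait warned would bring the entries back. It is a reading aid for the log, not a verdict: the owner still decides what to fix in HijackThis.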
 

DetroitSportsFan

Senior member
Oct 19, 2004
374
0
0
Glad to hear that TommyBoy, but my hunch is that your problem isn't fully taken care of. You see, what I was unsuccessfully trying to communicate is that frequently malware will use known good process names and put them in places they should not be. For example, all those AIM files and your REAL Player file were in the system32 folder. From what I've researched, they don't belong there. Still, if you feel you've got your problem fixed, WONDERFUL .... however, open HJT one more time and fix this O16 entry if you haven't already (Ad-Aware may have taken care of it):

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

It's an automatically downloading ActiveX which may just reinstall this problem. It's at the heart and soul of this issue. The rest was me wanting to make sure of something BEFORE we started deleting files.

By the way .... does MSCONFIG work now?

 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Originally posted by: DetroitSportsFan
Say what you want ... and when it all returns I'll step in and fix the problem. Until then, its your show. I'll take a seat and see what happens. Good luck.
Well, aren't you a pretentious little...
frequently malware will use known good process names and put them in places they should not be. For example, all those AIM files and your REAL Player file were in the system32 folder.
Not in this case. As I pointed out above, it's not "real" showing up in his log...it's "reai". It appears in all caps so that it will trick the eye into thinking it's "real".

Again from above, the executable named RYAOMJRC is being called from AOL Instent Messenger...not AOL Instant Messenger. Plus, that executable name is random depending on machine, and bears no relationship to a known good process. Oh, and look! It's sitting directly beneath [AIM messenger] AIMMSNGR.EXE, easily giving itself away.

Oh, but by all means, let's uninstall known good processes first in order to find the bad ones...instead of just examining the log.

BTW, you forgot to include the links I requested to substantiate your claims (this is the point where you should step in...)
 