Full Version: explorer.exe - Application error
cscottyr
HELP!

A couple of windows come up every time I restart. One is looking for a country and the other is prompting me to wait for a plugin. When I use the program manager I see sysquery1.exe running. I shut it down - the 2 windows go away. However, in winnt\system32 the sysquery1.exe continues to be rebuilt. I've deleted its value in the registry; I also deleted the webdialer??? key. I've run Spybot and Ad-Aware. Any suggestions??

Logfile of HijackThis v1.97.7
Scan saved at 8:50:25 PM, on 4/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\System32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Analog Devices\SoundMAX\SMTray.exe
E:\Program Files\Winamp\Winampa.exe
E:\Program Files\Ahead\InCD\InCD.exe
E:\WINNT\system32\w32sup.exe
E:\WINNT\system32\ms32.exe
E:\WINNT\system32\RUNDLL32.EXE
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Office\OSA.EXE
E:\MSSQL7\Binn\sqlmangr.exe
E:\Program Files\Netscape\Netscape\Netscp.exe
E:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.0.214.43
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (E:\Documents and Settings\Christopher Scott Ro\Application Data\Mozilla\Profiles\default\bzqmov35.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (E:\Documents and Settings\Christopher Scott Ro\Application Data\Mozilla\Profiles\default\bzqmov35.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] E:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [w32sup] E:\WINNT\system32\w32sup.exe
O4 - HKLM\..\Run: [Ink Monitor] E:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [System Backup] ms32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINNT\System32\NVMCTRAY.DLL NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Free WebSite Tools.lnk = E:\Program Files\CoffeeCup Software\CoffeeCup Free Zip Wizard\ThirtyDayTimer.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = E:\MSSQL7\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: h&iSearch The Web - res://E:\WINNT\system32\toolbar.dll/SEARCH.HTML
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

:o :o :o
LoPhatPhuud
Check the following items in HijackThis.
O4 - HKLM\..\Run: [w32sup] E:\WINNT\system32\w32sup.exe
O4 - HKLM\..\Run: [System Backup] ms32.exe

O8 - Extra context menu item: h&iSearch The Web - res://E:\WINNT\system32\toolbar.dll/SEARCH.HTML


Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode* and delete the following: (you may need to show hidden files**)
E:\WINNT\system32\w32sup.exe
E:\WINNT\system32\ms32.exe


*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show hidden files/folders as per the instructions here http://www.tacktech.com/display.cfm?ttid=190

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot.

Post another HijackThis log in this thread for review.
cscottyr
Hello everyone,

The problem arises after I type in my password at boot. I get the following error - When I click OK - I have a blank desktop. If I click cancel C++ is launched. My task manager is still working and I can do many things using it.

I've recently developed a nasty problem with my win2000 system. The error message reads - "The instruction at "0x76c025ce" referenced memory at "0x019d0000". The required data was not placed into memory because of an i/o error status of "0xc000009c"." The msg box is titled explorer.exe - Application Error. If I choose cancel, Microsoft C++ flags the error as "Unhandled exception in explorer.exe [WININET.DLL]: 0xc0000006; In Page Error". I've run a checkdisk /f and had several corrupted areas repaired. I've also run win2000 repair. These, however, did not fix my problem.

I have a HijackThis log. I also just ran a spy check and removed ALEXA and I repaired a Windows Media Player registry change.

Logfile of HijackThis v1.97.7
Scan saved at 8:45:28 PM, on 8/10/2004
Platform: Windows 2000 SP4, RC 3.154 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\System32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\inetsrv\inetinfo.exe
E:\WINNT\System32\taskmgr.exe
E:\Program Files\Netscape\Netscape\Netscp.exe
E:\Program Files\NoteTab Light\NoteTab.exe
E:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.0.214.43
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (E:\Documents and Settings\Christopher Scott Ro\Application Data\Mozilla\Profiles\default\bzqmov35.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (E:\Documents and Settings\Christopher Scott Ro\Application Data\Mozilla\Profiles\default\bzqmov35.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] E:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ink Monitor] E:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINNT\System32\NVMCTRAY.DLL NvTaskbarInit
O4 - Global Startup: Free WebSite Tools.lnk = E:\Program Files\CoffeeCup Software\CoffeeCup Free Zip Wizard\ThirtyDayTimer.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = E:\MSSQL7\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

Any ideas???
CalamityJane
Hello cscottyr

I can't see any malware running that would be causing this. You can, however, fix a couple of what looks like leftovers.

Checkmark these items on a scan with HijackThis and press *fix checked*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.0.214.43
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,

I'm not a Win 2000 operating system specialist but I did find this page for you. Maybe that will help point you in the right direction. You could start a new post in our *Operating Systems* forum for other opinions.

http://www.microsoft.com/windows2000/techi...hd_exe_sdpm.asp

QUOTE
0xC000009C, or STATUS_DEVICE_DATA_ERROR, is generally due to bad blocks (sectors) on the hard disk.


QUOTE
An I/O status code of 0xC000009C or 0xC000016A normally indicates that the data could not be read from the disk due to a bad block (sector). If you can restart the system after the error, Autochk runs automatically and attempts to map the bad sector to prevent its further use. If Autochk does not scan the hard disk for errors, you can manually start the disk scanner. Run Chkdsk /f /r on the system partition. You must restart the system before the disk scan begins. If you cannot start the system due to the error, use the Recovery Console and run Chkdsk /r.


Go to that link for more instructions and info. :)
cscottyr
Thanks CalamityJane - I will try that when I get home! :thumb:
Hunter
Hi cscottyr,

I have moved all your threads together now in this one so I can make sense out of all you have posted so I can help.


First..

Your Logfile of HijackThis v1.97.7 is out of date
The newest version is: v1.98.2! Visit the manufacturers homepage to update.

Second

Your Internet Explorer v5.00 SP1 (5.00.2920.0000) is out of date. Newest version is: 6.00.2800.1106. Check Windows Update to update the Internet Explorer.

Third

Do you really need this thing?


O4 - Global Startup: Free WebSite Tools.lnk = E:\Program Files\CoffeeCup Software\CoffeeCup Free Zip


If not, find it as a program and dump it in Add/Remove, then delete this entry.


Now you have two osa.exe trying to load at startup. I do not know how they both got there but this info might help and those items could be causing most of the problems you are getting in error messages.



These are the entries.

O4 - Global Startup: Microsoft Office.lnk = E:\Office10\OSA.EXE
Safe.



O4 - Global Startup: Office Startup.lnk = C:\Office\OSA.EXE


And that last one does not make sense at all.



This might help..


osa - osa.exe - Process Information
Process File: osa or osa.exe
Process Name: Office Startup Assistant
Description: Microsoft Office Startup Assistant that is loaded at start-up and improves performance by handling automation, Office fonts, certain Office commands, and Outlook notification.

OFFXP: What Is the Osa.exe File and What Does It Do?

http://support.microsoft.com/default.aspx?...kb;EN-US;290144

Can I Remove the Osa.exe File?
You can safely remove the Osa.exe file without causing the Office XP programs to fail. However, if you remove Osa.exe, you no longer benefit from the performance advantages that are provided by running Osa.exe. Also, the Office Shortcut Bar (OSB) may no longer start automatically, if you configured the OSB to start when Windows starts. (See the notes for the command-line switches later in this article.)


Personally I would start looking into removing those entries and find out also if your office software has been compromised and might have to be uninstalled then reinstalled from the CD.
Hunter
That coffee cup zip does not do well and seems to be full of popups, adware and crashes for many. :(


http://www.download.com/3302-2250_4-10287410.html
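An added example, not part of any post in this thread: a small Python script that parses HijackThis item lines and diffs two scans, to confirm that the entries flagged for removal after the first log are absent from the second and to show which flagged leftovers remain. The function names are hypothetical, and the two sample logs are shortened excerpts of the April and August scans posted above, not the full logs.

```python
import re

# Matches HijackThis item lines such as "O4 - HKLM\..\Run: [name] path".
# Process-list lines and headers have no section code and are skipped.
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_items(log_text):
    """Return the set of (section, detail) items found in a HijackThis log."""
    items = set()
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.add((m.group(1), m.group(2).strip()))
    return items

def diff_logs(before, after):
    """Return (removed, added, unchanged) sorted item lists between two scans."""
    b, a = parse_items(before), parse_items(after)
    return sorted(b - a), sorted(a - b), sorted(b & a)

def still_present(log_text, targets):
    """Return the targets still named in any item line (case-insensitive)."""
    details = [d.lower() for _, d in parse_items(log_text)]
    return [t for t in targets if any(t.lower() in d for d in details)]

# Shortened excerpts of the two scans posted in this thread.
SCAN_APRIL = r"""
Running processes:
E:\WINNT\system32\w32sup.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.0.214.43
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [w32sup] E:\WINNT\system32\w32sup.exe
O4 - HKLM\..\Run: [System Backup] ms32.exe
O8 - Extra context menu item: h&iSearch The Web - res://E:\WINNT\system32\toolbar.dll/SEARCH.HTML
"""
SCAN_AUGUST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.0.214.43
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
"""

if __name__ == "__main__":
    removed, added, unchanged = diff_logs(SCAN_APRIL, SCAN_AUGUST)
    for label, items in (("removed", removed), ("added", added), ("unchanged", unchanged)):
        for section, detail in items:
            print(f"{label:9} {section:3} {detail}")
```

The check covers item lines only; a file that is still on disk or running but no longer registered as an autostart will not show up in the diff.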