corrupt folders, hijacked google searches, windows search crashes, and adaware stalls.

Discussion in 'Windows Desktop Systems' started by Shawn160, Apr 30, 2007.

  1. Shawn160

    Shawn160 OSNN One Post Wonder

    Messages:
    4
    Location:
    Kansas USA
    Hi. As you can see I have quite a few issues. The latest is I have two folders that can't be accessed with windows explorer or moveonboot. As soon as I select my music in Windows explorer it closes with an error message, "windows explorer needs to close", blah blah blah. My computer was recently in the shop, with a kaput motherboard, and my hd had to be reformatted, but the tech backed up my files. He put my old documents and settings on the desktop, but I also had a new documents and settings folder. I moved everything in the old my documents, which was under my name, into the new one, which was just called owner's documents, and moved my name's music folder into the my music folder in my documents, and that's when the problems started to surface here, with DEP closing windows explorer every time I would get into the now almost empty documents and settings folder sitting on my desktop, or my old music folder inside my my music. I would check windows explorer as an exception in the DEP change settings dialogue when it popped up, and it worked for a while, then a few days later it comes back up. I just checked it again today, this time in the system dialogue in control panel, so it doesn't pop up, but windows explorer just crashes now when I select my music, or when I go into that old documents and settings folder. I can't delete that old folder at all.

    Even before I moved all these files and folders, however, I've had trouble with the windows search. If I search certain folders or the entire C-drive for something, it crashes or DEP pops up and it crashes, depending on whether the box stayed checked. I've done a disk defrag but it didn't help. I am able to go into my music with a43, a windows explorer alternative I found today, and I can move certain files and folders, but I get an access violation when trying to move other subfolders. I can't delete anything at all with a45, but I'm moving what I can over to the D drive.

    I've tried running adaware several times, and it always stalls at some point. Spybot works fine but it doesn't help. Registry booster works fine, but it doesn't help either. Nod32 doesn't find anything, although there are a number of files that it shows as locked ("error opening file"), but the folks on the nod32 forums all say don't worry about that. I've tried to get rid of all temporary internet and temp files in all of the documents and settings folders I have, but some temporary internet files are constantly in use and can't be deleted.

    I've also not been able to click on any google search results without getting hijacked by ads. I have to cut and paste links from google into another explorer window. This only happens with google. But I haven't been able to find any BHOs that are obviously malicious. Some time ago I ran hijackthis and tried to find out about every entry just by searching, got rid of all entries that were flagged as suspicious by posters in various forums, and ran my log through an automated analyser online, but the problem still persists. The hardest thing for me is I'm a totally blind computer user, I use a screen reader, window eyes, so I can't do a damned thing in safe mode myself. Here's my hijackthis file, hope someone can find something in it. Thanks.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:13:45 PM, on 4/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINEYES\WESERV.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINEYES\wineyes.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINEYES\SPEECH32.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINEYES\GWM32.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINEYES\bdisplay.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170079968232
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88516631-F7D5-4ED6-AC2E-778C847625BF}: NameServer = 216.129.224.1,216.220.0.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: GWMHOOK.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: wineyes - C:\WINDOWS\SYSTEM32\welogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Window-Eyes Professional (windoweyes) - Unknown owner - C:\WINEYES\WESERV.EXE
     
  2. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK

    The only entry that I don't recognise is on line O20. Delete that, reboot and see how you get on.
     
  3. Shawn160

    Shawn160 OSNN One Post Wonder

    Messages:
    4
    Location:
    Kansas USA

    Oh, you mean WgaLogon.dll?
    Check out
    www.bleepingcomputer.com/startups/WgaLogon.dll-17279.html
    for that one; it's a valid Windows program. The other two O20s relate to Window Eyes, my screen reader. I've read that gwmhook is flagged by certain spyware detectors as spyware, but window eyes 6.0 needs it to run. Thanks.
     
  4. BouncingSoul

    BouncingSoul Stranger Than Fiction Political User

    Messages:
    1,299
    Location:
    Sioux Falls, SD

    I think the O20 line he was talking about was the O20 - Winlogon Notify: wineyes - C:\WINDOWS\SYSTEM32\welogon.dll. That is a component of your screen reader, so it's fine. I don't see anything spyware related on your hijackthis log. The frequent crashes sound more like bad memory to me. I'd run memtest to check for errors:

    http://www.memtest86.com/
     
  5. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK

    And: O20 - AppInit_DLLs: GWMHOOK.DLL
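
The replies above turn on which O20 entries (AppInit_DLLs and Winlogon Notify) belong to known software. As an added example, not part of any post in this thread, this Python code parses HijackThis 1.99.1 log lines, groups them by section code, and lists the O20, O17 and "(file missing)" entries for manual review. The function names and the `KNOWN_DLLS` mapping are assumptions for illustration; the sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\explorer.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{88516631-F7D5-4ED6-AC2E-778C847625BF}: NameServer = 216.129.224.1,216.220.0.1
O20 - AppInit_DLLs: GWMHOOK.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineyes - C:\WINDOWS\SYSTEM32\welogon.dll
"""

# Assumption: only the screen-reader DLLs the posters identify; the rest is left to verify.
KNOWN_DLLS = {"gwmhook.dll": "Window-Eyes", "welogon.dll": "Window-Eyes"}

ENTRY_RE = re.compile(r"^\s*([ROF]\d{1,2})\s+-\s+(.+?)\s*$")  # e.g. "O20 - ..."
DLL_RE = re.compile(r"([^\\\s:]+\.dll)\s*$", re.IGNORECASE)    # trailing DLL file name


def parse_log(text):
    """Group HijackThis entries by section code (R0, O2, O20, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def review_points(sections, known_dlls=KNOWN_DLLS):
    """Return (section, entry, note) tuples for entries that need a manual look."""
    out = []
    # O20 DLLs load into winlogon.exe or every process that loads user32.dll.
    for entry in sections.get("O20", []):
        m = DLL_RE.search(entry)
        owner = known_dlls.get(m.group(1).lower()) if m else None
        out.append(("O20", entry, f"attributed to {owner}" if owner
                    else "owner not established, check the file on disk"))
    for entry in sections.get("O17", []):  # DNS servers set in the registry
        out.append(("O17", entry, "confirm these name servers are the ISP's"))
    for code, entries in sections.items():
        out += [(code, e, "stale entry, target file is gone")
                for e in entries if e.endswith("(file missing)")]
    return out


if __name__ == "__main__":
    for code, entry, note in review_points(parse_log(SAMPLE_LOG)):
        print(f"{code:4} {note:45} {entry}")
```
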