SoftwareTipsandTricks Forum


Casper... I need help with HijackThis


  #1  
Old 01-17-2005, 07:33 PM
Pam Offline
Registered User
 
Join Date: Jan 2005
Posts: 22
Casper... I need help with HijackThis

Hi,
You helped me yesterday with my HijackThis scan... and I managed to remove everything but this item
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

i keep deleting it and it keeps coming back... i also ran the panda software and housecall virus scans, the panda stops at the very end and gets stuck after scanning 120,000 files,
the housecall finishes and keeps finding the problem above and identifies it as a trojan but can't delete it because it's "still running"
and... i ran the windowsecurity trojan scan ... this one starts running and after a few minutes it completely shuts down the internet window it was running in....

I could be wrong but I am assuming everything is related to the above item that you told me to delete when you looked at my scan....

any thoughts on how i can get rid of this? if you want to see my new hijack scan let me know and i'll post it...

thanks again!
Pam

  #2  
Old 01-17-2005, 07:45 PM
Casper Offline
Registered User
 
Join Date: Jan 2005
Posts: 46
please post the new scan, and try to end the process by hitting the keys ctrl - alt - del at the same time, select the processes screen, and look in the list for that file name, and end process then try to manually delete it.

this site will explain what the file is, and may help you remove it if the above fails.

http://www.liutilities.com/products/...slibrary/tsm2/
__________________
p4 3.0e 1 meg cache 800mhz
Abit ic7-max3
1 gig pc3200 ddr
Ati radeon 9800 pro


Last edited by Casper : 01-17-2005 at 07:48 PM.

  #3  
Old 01-17-2005, 07:48 PM
Overclocked Doc Offline
Senior Member
 
Join Date: Jul 2004
Location: Canada
Posts: 706
Have you tried manually searching for the file tsm2.exe?
Start > search > all files and folders including hidden (advanced options) > "delete". You may need to start in safe mode and you will also need to re-run HijackThis and delete the line from the start file.

  #4  
Old 01-17-2005, 07:50 PM
Pam Offline
Registered User
 
Join Date: Jan 2005
Posts: 22
new scan

Hi,
Here is the new scan... i will try what you said right now...
thanks!
Pam

  #5  
Old 01-17-2005, 07:53 PM
Casper Offline
Registered User
 
Join Date: Jan 2005
Posts: 46
i can't see the scan hehe sure you pasted it ?

  #6  
Old 01-17-2005, 07:57 PM
Pam Offline
Registered User
 
Join Date: Jan 2005
Posts: 22
nope

i'm positive i DIDN'T paste it... i do that all the time... copy something.... write the email... hit send and then realize what a ding dong i am!!!!
i sent it right after that, but here it is again just in case...
Logfile of HijackThis v1.99.0
Scan saved at 8:48:52 PM, on 1/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Popup Ad SmasheR\Smasher.exe
C:\Program Files\Popup Ad SmasheR\Smasher.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\PAMELA~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis_199.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://us8l.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ylmiwbil] C:\WINDOWS\System32\ifdccvt.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Startup: SmasheR.lnk = C:\Program Files\Popup Ad SmasheR\Smasher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  #7  
Old 01-17-2005, 08:05 PM
Casper Offline
Registered User
 
Join Date: Jan 2005
Posts: 46
Your log looks a lot better. Did the end process work?

I'm only concerned about a few entries in the log

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6] - Result: 42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed. Hit rate: 99 %
Unnecessary (deactivated) entry that can be fixed.

the above says Norton is missing a file you may want to reinstall norton again

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
Nasty This entry is possibly nasty. Should be fixed.

not sure what that is but the above scan recommends to fix it

also did u try to remove the entries with hijack?

  #8  
Old 01-17-2005, 08:08 PM
Pam Offline
Registered User
 
Join Date: Jan 2005
Posts: 22
searching for file

Hi...
I'm running a search on all files on my computer... so far it found tsm2.exe in the HijackThis scan and in a drwtsn32
it's a text document C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson could this be it?
Scary thing... the file was created on 5/5/2004 which is a week before I got my laptop shipped to me directly from HP in China....

  #9  
Old 01-17-2005, 08:11 PM
Pam Offline
Registered User
 
Join Date: Jan 2005
Posts: 22
casper.. in reply to your answer on the scan

Hi...
I did try to remove the tsm2.exe with HijackThis several times... it says it is removing it and it keeps coming back, i've rebooted, etc...
I am going to try your other suggestion as well... and I will also delete the other things you noted...
I spent most of yesterday cleaning things up and deleting what you told me.... it made a HUGE improvement in speed, etc
Again... thanks so much for your help...
I'll post in a while when I finish doing what you suggested
Pam

  #10  
Old 01-17-2005, 08:13 PM
Casper Offline
Registered User
 
Join Date: Jan 2005
Posts: 46
No the log clearly shows the location of the unwanted file here
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

You can end the process like i said using ctrl - alt - del, and then try to delete it from my computer.

You might try deleting it in safe mode. You'll have to hit f8 during boot up till the screen appears and asks you to start in safe mode.

let me know if the above fails

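Added example, not part of the original thread or any poster's code: a small Python parser that reads a HijackThis log like the one in post #6 and lists the O4 Run entries whose target also appears under "Running processes:". That combination is the case discussed above, where the file cannot be deleted while it is "still running". The sample lines are excerpted from that log; the function names are this example's own.

```python
import re

# Lines excerpted from the HijackThis log in post #6 (a subset, not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
"""

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")

def exe_path(command):
    """Executable part of a Run command line, lower-cased (quotes and arguments dropped)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return (m.group(1) if m else command).lower()

def parse(log_text):
    """Return (set of running process paths, list of O4 registry Run entries)."""
    running, entries, in_procs = set(), [], False
    for line in map(str.strip, log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif (m := O4_RUN.match(line)):
            hive, key, name, cmd = m.groups()
            entries.append({"hive": hive, "key": key, "name": name, "exe": exe_path(cmd)})
    return running, entries

def live_autostarts(log_text):
    """Run entries whose target is in the process list; these need the process
    ended (or a safe-mode boot) before the file and the Run value are removed."""
    running, entries = parse(log_text)
    basenames = {p.rsplit("\\", 1)[-1] for p in running}
    # Entries such as "AGRSMMSG.exe" carry no directory, so match those by file name.
    return [e for e in entries
            if e["exe"] in running or ("\\" not in e["exe"] and e["exe"] in basenames)]

if __name__ == "__main__":
    for e in live_autostarts(SAMPLE_LOG):
        print(f'{e["hive"]} {e["key"]} [{e["name"]}] -> {e["exe"]} (running)')
```

The comparison is textual, so a Run value written as an 8.3 short path will not match a process listed by its long path; in this log both lines for tsm2.exe use the same short form.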
  #11  
Old 01-17-2005, 08:15 PM
Pam Offline
Registered User
 
Join Date: Jan 2005
Posts: 22
okay... i'm going to try control/alt/delete etc right now...

  #12  
Old 01-17-2005, 08:18 PM
Overclocked Doc Offline
Senior Member
 
Join Date: Jul 2004
Location: Canada
Posts: 706
Check "add & remove programs" for "Target Saver". Uninstall if it's there.

  #13  
Old 01-17-2005, 08:49 PM
Pam Offline
Registered User
 
Join Date: Jan 2005
Posts: 22
ran safe mode... and FINALLY got tsm2.exe off!!!!

also... checked add/remove and there was no target saver there but....that 180search assistant was there AGAIN!
I uninstalled it again.

I would love to know where my kids went today that I keep getting that one back!

Thanks to both of you...

I'm pretty good at most things on my computer but I'm always afraid to delete the wrong thing and I am scared to death of registry values since everything I've ever read says that you can do tons of damage by deleting the wrong ones

  #14  
Old 01-17-2005, 08:56 PM
Casper Offline
Registered User
 
Join Date: Jan 2005
Posts: 46
K kewl deal now i recommend to scandisk, defrag your machine also repair your norton like i mentioned before. Also create a restore point from this point. reinstall your norton before you scandisk/defrag

i did a search and found these links. the first one is the 180 search, i love their little no spyware icon lol.

http://www.180searchassistant.com/home.html

http://sarc.com/avcenter/venc/data/a...rgetsaver.html

this is what norton's description of the tsm file is.

if you got kids i recommend setting your privacy settings higher in your IE.

Make sure your xp is up to date as well.
Last edited by Casper : 01-17-2005 at 09:00 PM.

  #15  
Old 01-17-2005, 09:06 PM
Pam Offline
Registered User
 
Join Date: Jan 2005
Posts: 22
thank you!

i did defrag a couple of weeks ago... but i'll do it again...
and I'll do the rest of the things you suggested...
thanks for everything!!!!!!!

i found this site by accident yesterday and would have still been in a big mess if you didn't help!
All times are GMT -5.