Hijack This Log File


  • This topic is locked
56 replies to this topic

#1 salvation
    Member
  • Full Member
  • 28 posts

Posted 08 June 2007 - 02:10 PM

My computer suddenly started rebooting itself (that problem has since stopped) but now my browsers are running erratically, freezing every few seconds and taking an unusually long time to open. I successfully ran a virus scan and SpyBot but Ad-Aware kept freezing after two hours of scanning - I deleted my backlog of temp files and then re-tried the scan in Safe Mode and it worked fine, in about 40 minutes. Windows Security Alert began telling me my Norton Antivirus was "status unknown" although it appears to be working fine. I disabled it temporarily and the browser problems stopped so I'm thinking there's something wrong with it? Here's my most recent HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:07 AM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\NortonAntiVirus\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\NortonAntiVirus\defwatch.exe
C:\Program Files\NortonAntiVirus\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NortonAntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123819283953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NortonAntiVirus\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NortonAntiVirus\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Edited by salvation, 14 June 2007 - 07:38 AM.


#2 SWI Support Robot
    Helper robot
  • SWI Bot
  • 23,523 posts

Posted 11 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Chancellor
    Forum Deity
  • Emeritus
  • 3,020 posts

Posted 16 June 2007 - 04:05 AM

Hi,

Sorry you’ve had to wait for a few days but all of the helpers here are volunteers and we’ve been really busy recently.

To begin with, please download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
I’ll look out for your reply :)
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#4 salvation
    Member
  • Full Member
  • 28 posts

Posted 16 June 2007 - 10:32 AM

thanks! i still have my norton antivirus switched off because i only experience the problems when it's on. here's the log:

MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Moved.;
wmplayer.exe.tmp;C:\Program Files\Windows Media Player;Trojan.DownLoader.500;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0125487.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1081;Trojan.PurityAd;Deleted.;
A0126595.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1081;Dialer.Maxd;Deleted.;
A0126620.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1081;Adware.SaveNow;Incurable.Moved.;
A0126632.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1081;Trojan.MulDrop.2953;Deleted.;
ld295.tmp;C:\WINDOWS\SYSTEM32\1024;Trojan.Click.841;Deleted.;
ldCF6F.tmp;C:\WINDOWS\SYSTEM32\1024;Trojan.Click.841;Deleted.;
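Dr.Web CureIt writes its report as one semicolon-delimited line per finding (file;directory;detection;action;), which is the layout of the log above. As an added example that is not part of this thread or of Dr.Web, the Python below parses such a report and summarises it by detection family and action, separating hits inside the System Volume Information _restore tree (old System Restore snapshots, not files that were running) from files that were live on the system; the sample input reuses lines from the report posted above.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv).

Added example, not part of the thread or of Dr.Web. The field order
file;directory;detection;action; is taken from the report posted above.
"""
from collections import Counter
from dataclasses import dataclass

# Sample input: lines copied from the report posted above.
SAMPLE_REPORT = r"""
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Moved.;
wmplayer.exe.tmp;C:\Program Files\Windows Media Player;Trojan.DownLoader.500;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0125487.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1081;Trojan.PurityAd;Deleted.;
ld295.tmp;C:\WINDOWS\SYSTEM32\1024;Trojan.Click.841;Deleted.;
"""

RESTORE_MARKER = r"\System Volume Information\_restore"


@dataclass(frozen=True)
class Finding:
    file: str
    directory: str
    detection: str
    action: str

    @property
    def family(self) -> str:
        """'Trojan.Click.841' -> 'Trojan'; Dr.Web names start with the family."""
        return self.detection.split(".", 1)[0]

    @property
    def in_restore_point(self) -> bool:
        """Copies inside the System Volume Information _restore tree are System
        Restore snapshots, not running files; purging restore points clears them."""
        return RESTORE_MARKER in self.directory

    @property
    def resolved(self) -> bool:
        """Dr.Web reports 'Deleted.' or 'Incurable.Moved.' (quarantined) when it
        handled a file; any other action still needs attention."""
        return self.action.startswith("Deleted") or "Moved" in self.action


def parse_report(text: str) -> list[Finding]:
    """One finding per non-empty line; a malformed line is an error, not skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        findings.append(Finding(*fields))
    return findings


def summarise(findings: list[Finding]) -> dict:
    live = [f for f in findings if not f.in_restore_point]
    return {
        "total": len(findings),
        "by_family": dict(Counter(f.family for f in findings)),
        "by_action": dict(Counter(f.action for f in findings)),
        "restore_point_hits": len(findings) - len(live),
        # 'Tool.*' detections are riskware-class utilities (here Process.exe under
        # C:\SDFix, a cleanup tool's component): flag for review, not as malware.
        "tools_to_review": [f.file for f in live if f.family == "Tool"],
        "unresolved": [f.file for f in findings if not f.resolved],
    }


if __name__ == "__main__":
    for key, value in summarise(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```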

#5 Chancellor
    Forum Deity
  • Emeritus
  • 3,020 posts

Posted 17 June 2007 - 03:09 AM

Hello again,

Thanks for running that scan.

I am a bit worried that you have your Anti-Virus switched off (although I understand why you have done so if that seems to solve the problem).

Whilst we are working on this fix, if you don't want to use your Norton AV, I would recommend that you download and install a free AV to make sure you are protected - otherwise you could end up in a worse state than before we started!

There are a few good, free Anti-Virus programs available for download such as:

AntiVir
AVG AntiVirus
Avast Anti-Virus

Moving on to your actual problem, let's do some general housekeeping and see what we are left with after that.

Firstly, run Disk Cleanup
  • Go to Start > Run and type the command Cleanmgr > then click OK
  • If you have more than one hard drive, select the drive Windows is installed on and click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
  • Then in the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • Finally, in the confirmation window, select Yes (Disk Cleanup will then close).
Please download the free CCleaner utility.

Once you have installed it:
  • Run CCleaner
  • Click the Windows tab
  • Check the following options:
  • Posted Image
  • Finally click Run Cleaner (bottom right) then Exit
Finally, create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Choose Create a Restore Point and then click Next.
  • In the box for Restore point description, enter a descriptive name and click Create
  • When the Restore Point Created window appears, click Close
Once you have done that, please could you post a fresh HijackThis log and let me know what problems persist?

Thanks :D
Chancellor


#6 salvation
    Member
  • Full Member
  • 28 posts

Posted 17 June 2007 - 12:38 PM

ok, done. i installed AntiVir Guard. the problems are still only happening when Norton is enabled. does that mean my virus protection has a problem and maybe i should uninstall it and reinstall a new one? or are the browsers freezing maybe because Norton is detecting a problem in realtime?

here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:34:50 PM, on 6/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\NortonAntiVirus\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\NortonAntiVirus\defwatch.exe
C:\Program Files\NortonAntiVirus\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NortonAntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123819283953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NortonAntiVirus\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NortonAntiVirus\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#7 Chancellor
    Forum Deity
  • Emeritus
  • 3,020 posts

Posted 18 June 2007 - 05:43 AM

Hello again,

It may indeed be the case that your installation of Norton has become corrupt in some way. This is reinforced by the fact that your HijackThis log looks clean of malware.

If you have an installation CD for Norton, I would recommend uninstalling your current Norton application and then re-installing it again following the instructions below:

To fully remove Norton AntiVirus, you should go here before uninstalling and download the files and print the instructions for removal, and follow them after uninstalling NAV:

How to uninstall Norton AntiVirus 2004/2005/2006 (note: this removes ALL Norton 2004/2005/2006 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)

How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition

How to uninstall Norton AntiVirus 2000/2001/2002 using Add or Remove Programs within Control Panel, then rebooting your PC and re-installing Norton again.

A word of caution though, Norton products can be very persistent and do not always uninstall cleanly - if you encounter any "odd" or unexpected error or warning messages during the uninstall, please make a note of them and let me know BEFORE you try to reinstall as doing otherwise could make things worse :gack:

I'll look out for your reply.

:D
Chancellor

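Chancellor's reading of the log above (clean of malware) is the review a HijackThis helper does by hand: each R/O-coded line is a startup or browser hook, and "(no file)" / "(file missing)" marks a registry entry whose target is gone. As an added example, not part of the thread or of HijackThis, the Python below parses those coded lines, flags orphaned entries and the sections a helper looks at first, and diffs an earlier log against a later one; the sample input is a constructed subset of lines from the logs posted in this thread.

```python
"""Triage and diff HijackThis v1.99.1 logs.

Added example; not part of the thread or of HijackThis. Only the coded
R/F/O lines are parsed; the header and running-process list are skipped.
"""
import re
from dataclasses import dataclass

# Constructed samples: a few lines from the first and last logs posted above.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NortonAntiVirus\vptray.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NortonAntiVirus\defwatch.exe
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Entries in these sections load code at logon, in the browser, or as a
# service, so a helper checks them even when the file is present.
REVIEW_SECTIONS = {
    "O2": "Browser Helper Object",
    "O16": "downloaded ActiveX control (DPF)",
    "O20": "Winlogon Notify DLL",
    "O21": "ShellServiceObjectDelayLoad",
    "O23": "service",
}
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Entry:
    code: str
    body: str

    def __str__(self) -> str:
        return f"{self.code} - {self.body}"

    @property
    def orphaned(self) -> bool:
        """Registry entry whose target no longer exists: a leftover, not active code."""
        return any(marker in self.body for marker in ORPHAN_MARKERS)


def parse_log(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append(Entry(match["code"], match["body"]))
    return entries


def triage(entries: list[Entry]) -> dict[str, list]:
    """Split a log into orphaned entries and entries worth a second look."""
    report = {"orphaned": [], "review": []}
    for entry in entries:
        if entry.orphaned:
            report["orphaned"].append(str(entry))
        elif entry.code in REVIEW_SECTIONS:
            report["review"].append((REVIEW_SECTIONS[entry.code], str(entry)))
    return report


def diff_logs(old: list[Entry], new: list[Entry]) -> dict[str, list[str]]:
    """What a fresh log gained or lost relative to an earlier one."""
    old_set, new_set = set(old), set(new)
    return {
        "removed": sorted(str(e) for e in old_set - new_set),
        "added": sorted(str(e) for e in new_set - old_set),
    }


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    print(triage(after))
    print(diff_logs(before, after))
```

On the two samples the diff shows exactly the Norton hooks (vptray, NavLogon, DefWatch) dropping out and the AntiVir entries appearing, which is what the later logs in this thread reflect.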

#8 salvation
    Member
  • Full Member
  • 28 posts

Posted 18 June 2007 - 07:58 AM

okay. sounds good. but i have norton antivirus corporate edition 7.60.926. are the instructions different for this one?

#9 Chancellor
    Forum Deity
  • Emeritus
  • 3,020 posts

Posted 20 June 2007 - 04:33 PM

Hi,

You should be able to uninstall your Norton Corporate using the first set of instructions in the post above.

Please let me know how you get on or if you encounter any problems.

:D
Chancellor


#10 salvation
    Member
  • Full Member
  • 28 posts

Posted 21 June 2007 - 08:41 AM

the first link is broken but i found this one:

http://service1.syma...005033108162039

will this work?

also, i read somewhere during searching for how to uninstall norton that you should back-up your registry files first? do i need to do that?

#11 Chancellor
    Forum Deity
  • Emeritus
  • 3,020 posts

Posted 22 June 2007 - 05:36 PM

Hi,

Yes, this will do splendidly!

I would certainly recommend that you back up your Registry before attempting the removal. Follow these steps to create a backup of the registry.
  • Click the Start button, then click Run
  • Type REGEDIT, then click OK to open the Registry Editor
  • Choose Registry > Export Registry File
  • Verify the following entries in the Export Registry File dialog box:
  • Save in: Desktop
  • File Name: Registry Backup
  • Export Range: All
  • Click Save and then exit the Registry Editor
  • Verify you have an icon titled REGISTRY BACKUP.REG on the Desktop.
CAUTION: Do not double-click the REGISTRY BACKUP.REG file on your Desktop unless you intend to undo your changes!

Immediately verify the effect of your changes. When you have verified that the changes to the registry produce the desired result, delete the REGISTRY BACKUP.REG file from the desktop, otherwise restore it immediately.

Do not allow the REGISTRY BACKUP.REG file to remain on the desktop beyond the testing period to avoid inadvertently double-clicking it.

Please also ensure that you have System Restore enabled.

To create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Choose Create a Restore Point and then click Next.
  • In the box for Restore point description, enter a descriptive name and click Create
  • When the Restore Point Created window appears, click Close
Once you have done that, please run the Symantec Removal Tool.

Please let me know how you get on!

:D
Chancellor


#12 salvation
    Member
  • Full Member
  • 28 posts

Posted 25 June 2007 - 01:42 PM

thanks!

i don't see an option for "Choose Registry > Export Registry File" and also step "Verify the following entries in the Export Registry File dialog box:" looks incomplete!

#13 Chancellor
    Forum Deity
  • Emeritus
  • 3,020 posts

Posted 25 June 2007 - 04:42 PM

Hello,

Revised instructions below!

Follow these steps to create a backup of the registry.
  • Click the Start button, then click Run
  • Type REGEDIT, then click OK to open the Registry Editor
  • Choose File > Export
  • Select the following entries in the Export Registry File dialog box:
  • 'Save in': should read Desktop
  • Enter the 'File Name' as: Registry Backup
  • Choose the 'Export Range' to be: All
  • Click Save and then exit the Registry Editor
  • Verify you have an icon titled REGISTRY BACKUP.REG on the Desktop.
Any problems, let me know.

:D
Chancellor


#14 salvation
    Member
  • Full Member
  • 28 posts

Posted 25 June 2007 - 05:18 PM

okay, it looks like i successfully removed norton. i don't see any indication that there were any problems with the registry - is there a way to verify this before i delete the backup i created?

also, before we wrap this up: i don't have a norton disc (i would need to download new software) and i'm currently using the Avira AntiVir protection that i downloaded. is this sufficient for virus protection or should i try to get something else? what other programs, if any, should i be running on my computer?

thanks again for all your help!

#15 Chancellor
    Forum Deity
  • Emeritus
  • 3,020 posts

Posted 26 June 2007 - 05:29 PM

Hello,

To make sure that there aren't any errors in your system's Registry, I would recommend that you download RegSeeker from here: http://www.snapfiles.../regseeker.html
  • Open RegSeeker
  • Check the 'Backup before Deletion' box
  • Check 'Clean the Registry'
  • Check all boxes and click OK
When the scan has finished click Select all then right-click on the highlighted area and click 'Delete Selected items'

OK the prompt and then exit RegSeeker - This should clean out any orphaned Registry entries.

Please do not run any of the other options as this is a very powerful utility and can cause serious damage to your system if used incorrectly!

Once you have done that, could you let me know how your system is running and then we can look to keeping you safe in the future!

:)
Chancellor


#16 salvation
    Member
  • Full Member
  • 28 posts

Posted 27 June 2007 - 09:21 AM

ok done. yahoo messenger wasn't working at first, although i don't know if there's any connection to the registry or not. when i try to click on it via the taskbar, the icon disappears. when i tried to sign on through Start > Programs > Yahoo Messenger, i couldn't log in but now it seems to be working. don't know if it's related...

also, i just noticed that when i click on my control panel it says "Intel® PROSet - Resources are not available." when i click OK the control panel seems to come up okay and i don't see any indication that the various options don't work.

Edited by salvation, 27 June 2007 - 06:18 PM.


#17 Chancellor
    Forum Deity
  • Emeritus
  • 3,020 posts

Posted 28 June 2007 - 05:30 PM

Hello again,

Are you still having problems with Yahoo messenger? If you are, I would suggest removing your current installation through Add or Remove Programs and then re-download and re-install the application.

How about your Control Panel? Are you able to use all of the features in there or is there anything not working as you would expect?

Could you please let me see a fresh HijackThis log too?

Thanks :D
Chancellor


#18 salvation
    Member
  • Full Member
  • 28 posts

Posted 29 June 2007 - 10:30 AM

i reinstalled yahoo messenger and it seems to be fine. i'm still getting the error message "Intel® PROSet - Resources are not available" when i try to open the control panel but i don't see any indication that the features are working incorrectly.

here's my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:30:03 AM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123819283953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#19 Chancellor

Posted 30 June 2007 - 06:29 PM

Hello,

Your HijackThis log looks clean, which is good news. I am glad to read, too, that your Yahoo Messenger is now working correctly.

With regard to your Intel ProSet problem: am I right in thinking that you use their wireless software? It may simply be a case of needing to download the relevant drivers or, as with your Yahoo Messenger, simply re-installing the software.

You can download the Intel software and drivers here: http://www.intel.com...b/cs-010623.htm

Have a look to see if there is a download for the particular version you have installed and let me know how you get on.

I'll wait to hear from you.

:D
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#20 salvation

Posted 01 July 2007 - 08:20 AM

Hmmmm. I don't use their wireless software. :scratchhead:

I looked it up in Control Panel > Add or Remove Programs and it looks like it was "last used" on 10/14/2003, which is when I purchased the computer. Should I just remove it or reinstall it?

Edited by salvation, 01 July 2007 - 08:23 AM.


#21 Chancellor

Posted 01 July 2007 - 08:38 AM

Hi,

That's a bit puzzling :scratchhead:

If it is not something that you have ever used and it simply came bundled with the computer when you bought it, it is very much what we would term "user's choice": either re-download it and effectively repair the installation, if the message that pops up bothers you, or simply uninstall it altogether.

All too often, computer manufacturers provide lots of "extra" and in many cases "unnecessary" software which you may never actually use!

Personally, if it is showing as never having been used since 2003, I think it would be a safe bet to just uninstall it. Please let me know what you decide to do.

:D
Chancellor


#22 salvation

Posted 01 July 2007 - 08:45 AM

I tried to remove it but it said this file was missing: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Network_Servies\NCS\PROSet\8023

So it couldn't be removed. At this point I'm not too worried about it though.

#23 Chancellor

Posted 01 July 2007 - 09:24 AM

Hi,

I'll do some research on that entry and come back to you. However, from your last HijackThis log, there is one entry we need to remove, so please run HijackThis again and put a check next to the following:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Now, having checked those entries, close all other open windows and browsers EXCEPT HijackThis and click on the Fix checked button.

Once you have done that, you should also update your Sun Java Runtime Environment as the previous versions are vulnerable to malware:

Before updating Java, however, you need to uninstall the previous version. To do that:
  • Click on Start > Control Panel
  • Select Add or Remove Programs
  • Search the list for any previous versions of Java(The J2SE Runtime Environment)
  • It should have the Java icon next to it
  • Select it and click Remove
  • Once you have done that, you can download the latest version from HERE
Finally, let's do some housekeeping:

Firstly, run Disk Cleanup
  • Go to Start > Run and type the command Cleanmgr > then click OK
  • If you have more than one hard drive, select the drive Windows is installed on and click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
  • Then in the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • Finally, in the confirmation window, select Yes (Disk Cleanup will then close).
Next, create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Choose Create a Restore Point and then click Next.
  • In the box for Restore point description, enter a descriptive name and click Create
  • When the Restore Point Created window appears, click Close
Then could you let me know how your computer is running?

Thanks :D
Chancellor


#24 salvation

Posted 01 July 2007 - 09:46 AM

OK, did all that and everything seems fine.

I have a bunch of programs and files downloaded from this whole process of figuring out what was wrong (ComboFix, FSBL, RegSeeker, SDFix, Dr.Web CureIt, Kaspersky, etc.). Can I remove these, or should I keep any of them? I also still have that registry backup, which I'm assuming I can remove now?

(Sorry this has become such a long process!)

#25 Chancellor

Posted 01 July 2007 - 01:37 PM

Hi,

Good to hear that everything is alright.

With regard to getting rid of the programs and controls you have downloaded during this process, yes - I would recommend that you delete them:

Using HijackThis, you can remove the ActiveX controls for the Kaspersky Scan and Panda Scan from your registry by fixing these entries:

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab


You may also find that you have files in:

C:\WINDOWS\Downloaded Program Files - if you have controls for Kaspersky or Panda, you can safely delete them.

Any actual programs you have downloaded (like DrWeb) can usually be removed through Add or Remove Programs in Control Panel.

After uninstalling them, you could check to make sure that all folders have been deleted too. SDFix, ComboFix and HijackThis will have their own named folders in C:\, and you can also delete these, although deleting them will obviously remove any backups they created! However, this shouldn't be an issue if your system is working properly.

Likewise, RegSeeker will have its own folder created in the location to where you downloaded it - this (and your Registry backup) can be deleted.

If you have any further questions please let me know.

:D
Chancellor

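The two HijackThis fixes above (the orphaned R3 URLSearchHook entry in post #23 and the leftover O16 DPF scanner controls in post #25) follow a small set of rules a helper applies while reading the log. The script below is an added example, not part of this thread and not HijackThis's own code: it parses the R*/O* lines of an HJT 1.99.1 log and sorts them into "fix" (safe to tick and Fix checked), "review" (check the path by hand) and "ok". The sample lines are copied from the log posted earlier in this thread; the rules themselves (orphan markers, the Kaspersky/Panda scanner domains, and treating "(file missing)" on an unexpanded %windir% path as unreliable, since HJT 1.99.1 does not expand the variable before checking) are assumptions drawn from the helper's advice, not HijackThis behaviour the page documents.

```python
"""Triage a HijackThis 1.99.1 log the way a forum helper reads it.

Added example, not from the thread and not HijackThis's own code.
Rules (assumptions based on the helper's advice in this thread):
  * a target of "(no file)" or "(file missing)" is a dangling pointer, so
    ticking it and pressing "Fix checked" only removes a stale registry value;
  * except when the path still holds an unexpanded %VAR% (e.g. %windir%):
    HJT 1.99.1 reports those as missing without expanding the variable, so
    such lines go to manual review instead;
  * O16 DPF entries are downloaded ActiveX controls; those fetched from the
    on-demand web scanners used during cleanup (Kaspersky, Panda) can go;
  * BHOs (O2), Winlogon notify DLLs (O20), SSODL (O21) and services (O23)
    are listed with their binary path for manual review, never fixed blindly.
"""
import re
from dataclasses import dataclass
from typing import Optional

_LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_ENVVAR_RE = re.compile(r"%[A-Za-z_]+%")

ORPHAN_MARKERS = ("(no file)", "(file missing)")
SCANNER_DOMAINS = ("kaspersky", "pandasoft")      # assumption: on-demand scanners
REVIEW_SECTIONS = ("O2", "O20", "O21", "O23")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]

    def as_line(self) -> str:
        return f"{self.section} - {self.body}"

    def has_marker(self) -> bool:
        return any(m in self.body for m in ORPHAN_MARKERS)

    def is_orphan(self) -> bool:
        # marker present AND no unexpanded %VAR% in the path
        return self.has_marker() and not _ENVVAR_RE.search(self.body)

    def is_scanner_activex(self) -> bool:
        return self.section == "O16" and any(d in self.body.lower() for d in SCANNER_DOMAINS)


def parse_hjt(text: str) -> list:
    """One Entry per R*/O* line; the process list, headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            c = _CLSID_RE.search(m["body"])
            entries.append(Entry(m["section"], m["body"], c.group(0) if c else None))
    return entries


def triage(entries) -> dict:
    """Bucket entries into 'fix', 'review' and 'ok' lists of log lines."""
    out = {"fix": [], "review": [], "ok": []}
    for e in entries:
        if e.is_orphan() or e.is_scanner_activex():
            out["fix"].append(e.as_line())
        elif e.section in REVIEW_SECTIONS or e.has_marker():
            out["review"].append(e.as_line())
        else:
            out["ok"].append(e.as_line())
    return out


# Lines quoted from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123819283953
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

if __name__ == "__main__":
    for bucket, lines in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"== {bucket} ==")
        for line in lines:
            print("  " + line)
```

On the sample, the Yahoo! Toolbar hook and the Kaspersky DPF control land in "fix", while the xpnetdiag button stays in "review" because of the unexpanded %windir%, matching what the helper did and did not ask the poster to fix.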

#26 salvation

Posted 01 July 2007 - 01:57 PM

Great, thank you!

The only other question I have is about virus and spyware protection. I'm currently running AntiVir Guard, which I downloaded after uninstalling Norton. Is this sufficient protection, and are there any other guards I should have on my computer? Ad-Watch was downloaded along with Ad-Aware but I haven't used it.

#27 Chancellor

Posted 01 July 2007 - 04:51 PM

Hello,

We don't like to send people away without some advice and prevention tips - but it's always nice to be asked, it shows someone is serious about keeping their system safe :D

So . . . there are several free utilities you can use to help keep malware off your system:

If you have not already done so, I would recommend that you install a Firewall. This should always be your first line of defence against attacks. There are several available online which you can download for free, for example:

Outpost
Zone Alarm
Kerio Personal Firewall

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good, regularly updated HOSTS file is the MVPS HOSTS File, available from http://www.mvps.org/...p2002/hosts.htm.

IE/SPYAD adds sites associated with ads and spyware to your Internet Explorer’s Restricted Zone and you can download that at http://www.spywarewa...uc/resource.htm.

SpywareBlaster by JavaCool is a free non-resident utility to prevent the installation of ActiveX-based malware. For real-time protection, there is SpywareGuard. Both are available from http://www.javacools...m/products.html.

In conclusion, you should also read the article So how did I get infected in the first place?

Once you've taken these precautions, if you find that you have any lingering problems or if you've experienced any difficulties since the fix, please let me know and post a fresh log for me to have a look at!

With very best wishes for the future,

:D
Chancellor

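The HOSTS file recommendation above works because Windows consults C:\WINDOWS\system32\drivers\etc\hosts before DNS, so a name mapped to 0.0.0.0 or 127.0.0.1 never leaves the machine; that applies to every program that resolves names, Firefox included, not only Internet Explorer. The same file is a favourite hijack target, so it is worth auditing as well as installing. The script below is an added example, not from this thread and not part of the MVPS project: it parses a HOSTS file and flags names sent anywhere other than the local machine (possible pharming) and update/AV vendor names present at all, since mapping those to 127.0.0.1 is the classic way of cutting a PC off from definition updates. The sample file and the vendor list are constructed for illustration.

```python
r"""Audit a Windows HOSTS file (C:\WINDOWS\system32\drivers\etc\hosts on XP).

Added example, not from the thread and not part of the MVPS HOSTS project.
Blocklist HOSTS files map unwanted names to 0.0.0.0 or 127.0.0.1 so the
request dies locally. The audit reports:
  * how many names are blackholed (the intended effect of the blocklist);
  * names mapped to any address other than the local machine (redirects);
  * update / AV vendor names present at all, regardless of target.
The vendor list is an assumption for illustration.
"""
import ipaddress
from typing import NamedTuple


class HostsEntry(NamedTuple):
    ip: str
    name: str
    lineno: int


LOCAL_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}
PROTECTED_DOMAINS = ("windowsupdate.com", "update.microsoft.com", "symantec.com",
                     "avira.com", "kaspersky.com", "lavasoft.com")   # assumption


def parse_hosts(text: str) -> list:
    """One HostsEntry per (ip, name) pair; comments and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # strip trailing comments
        if not line:
            continue
        target, *names = line.split()
        try:
            ipaddress.ip_address(target)
        except ValueError:
            continue                                # not "IP name [name ...]"
        for name in names:
            entries.append(HostsEntry(target, name.lower(), lineno))
    return entries


def _is_protected(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit(entries) -> dict:
    """Return counts and the flagged entries."""
    report = {"blackholed": 0, "redirected": [], "protected": []}
    for e in entries:
        if _is_protected(e.name):
            report["protected"].append(e)           # should not be in HOSTS at all
        if e.name == "localhost" and e.ip in ("127.0.0.1", "::1"):
            continue                                # the mapping every HOSTS file has
        if e.ip in LOCAL_TARGETS:
            report["blackholed"] += 1
        else:
            report["redirected"].append(e)          # name sent to a foreign host
    return report


# Constructed sample: MVPS-style blocklist lines plus two planted hijacks.
SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1 localhost
0.0.0.0 ads.example.net                 # blocked ad server
0.0.0.0 tracker.example.com stats.example.com
127.0.0.1 liveupdate.symantec.com       # hijack: AV updates silently blocked
192.0.2.10 www.mybank.example           # hijack: bank name sent elsewhere
this line is garbage
"""

if __name__ == "__main__":
    r = audit(parse_hosts(SAMPLE_HOSTS))
    print(f"blackholed names: {r['blackholed']}")
    for e in r["redirected"]:
        print(f"line {e.lineno}: {e.name} -> {e.ip} (not a local address)")
    for e in r["protected"]:
        print(f"line {e.lineno}: {e.name} is an update/AV host and should not be here")
```

Running it on the sample reports four blackholed names, one redirect (the bank name to 192.0.2.10) and one vendor host (liveupdate.symantec.com) that a blocklist should never contain. Any non-empty "redirected" or "protected" list on a real machine is worth treating as a hijack until proven otherwise.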

#28 salvation

Posted 01 July 2007 - 05:12 PM

OK, thanks for the tips. I should mention that I use Firefox primarily, not IE.

And what about the virus protection? Is AntiVir Guard enough?

#29 Chancellor

Posted 02 July 2007 - 04:20 PM

Hi,

Firefox is a lot more secure than IE, so you are already ahead of the game there!

Normally, if I was recommending an Anti-Virus, I would suggest any of these:

AntiVir
AVG AntiVirus
Avast Anti-Virus

As long as you keep their virus definitions up to date and scan your system regularly - you should be alright.

The prevention tips in the thread cited above "So how did I get infected in the first place" are also good to keep in mind.

As malware is changing, often on a daily basis, we can never absolutely guarantee that you won't have any problems again, but you can certainly minimize the chance of becoming infected, and if ever the worst happens, we'll be around to help :D
Chancellor


#30 Chancellor

Posted 08 July 2007 - 05:06 PM

Since this issue appears to be resolved, this topic is closed.

[Reopened]

Everyone else please begin a New Topic.
Chancellor


#31 cnm

Posted 25 July 2007 - 09:38 AM

Reopened at request of topic owner.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#32 salvation

Posted 25 July 2007 - 12:04 PM

Okay, so I haven't had any problems ever since I disabled and removed Norton Antivirus from my computer. I'm now using AntiVir Guard. But two days ago my computer started spontaneously shutting down and rebooting all by itself, which is the problem I first experienced back when this thread was initially started. When this rebooting problem first happened, I ran a virus scan and Norton detected and removed a virus. I can't remember the name of it, but that's when the rebooting problem stopped and the problems with Norton's real-time protection slowing down my browsers began. I don't want to complicate the issue here, but could the rebooting have been caused by a virus, and could the removal of the virus somehow have corrupted Norton? I no longer use Norton, and AntiVir didn't detect that same virus (I would have remembered the name), and the browser problems haven't returned. Just food for thought.

Back to the current problem: The rebooting happens while I'm working and other times when I'm not even in the room. I went all day yesterday without it happening until early evening. Today it's been happening every few minutes. The problem occurs regardless of whether I'm connected to the internet or not. I don't have any reason to believe it's related to power supply or overheating (temp is 40C). I did a little research online and found some connections between this problem and Google Toolbars, etc., but I don't have any of those programs on my computer that I'm aware of, unless they were downloaded without my knowledge. I ran Ad-Aware and Spybot S&D but they didn't solve the problem. For the record, I primarily use Firefox. Here's a fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:01:04 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123819283953
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Edited by salvation, 25 July 2007 - 01:18 PM.


#33 Chancellor

Posted 26 July 2007 - 06:55 PM

Hello again,

Sorry to read that your problems have recurred :(

In order to run some diagnostic tests on your computer, please register HERE (don’t worry, it's free) with PCPitStop and run all of their tests.

Once the tests are complete, a results page will pop up.

Click "Share these results with TechExpress" on the left-hand side, then copy the URL provided and post it here for me.

Thanks :)
Chancellor


#34 salvation

Posted 28 July 2007 - 11:42 AM

Hi again, and thanks. Here are the results:

http://www.pcpitstop...4UUHWG46YVS8ZJW

#35 Chancellor

Posted 29 July 2007 - 04:15 PM

Hello again,

Thanks for sharing those results with me :)

As there is no malware showing up in your HijackThis log, I needed to see if the problem was hardware related before digging deeper into your computer.

The results from PC Pitstop are on the whole very good :thumbsup:

I would certainly advise you to follow these recommendations before proceeding any further:
  • Defragment your hard drive
    • Click Start > All Programs > Accessories > System Tools > Disk Defragmenter
    • Click “Defragment” – this may take some time, so I would go and have a coffee and come back in a while! :whistle:
  • Reduce your System Restore space
    • Click Start > Control Panel > System
    • Click the System Restore tab.
    • In this dialog you will see a list of all the drive partitions on the system
    • Select the C:\ drive and click Settings
    • In the Drive Settings dialog, move the slider until the amount of disk space is less than 2 gigabytes
    • Then OK your way out
  • Adjust your browser cache size
    • Start Internet Explorer
    • Select Tools > Internet Options > General
    • Under Temporary Internet Files click the Settings button
    • In the box for the amount of disk space to use, enter a value between 10 and 100 megabytes
    • Then click OK to accept the changes
Once you have done that, create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Choose Create a Restore Point and then click Next.
  • In the box for Restore point description, enter a descriptive name and click Create
  • When the Restore Point Created window appears, click Close
Finally, please download ComboFix by sUBs from Here or Here to your Desktop.

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log into your next reply
Note: please do not mouseclick ComboFix's window while it’s running as that may cause it to stall

Thanks :D
Chancellor


#36 salvation

Posted 29 July 2007 - 06:49 PM

Here's the ComboFix log:

"SC" - 2007-07-29 19:42:09 [GMT -4:00] - ComboFix 07-07-24 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))


2007-07-25 14:07 <DIR> d-------- C:\Program Files\EVEREST Home Edition
2007-07-18 13:47 5,693,440 --a------ C:\DOCUME~1\SALCIN~1\ntuser.dat
2007-07-18 13:47 229,376 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-07-18 12:11 4,096 --a------ C:\WINDOWS\SYSTEM32\sysres.dll
2007-07-18 12:11 38,567 --a------ C:\WINDOWS\SYSTEM32\pcpbios.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 20:41:55 -------- d-----w C:\Program Files\Ad-Aware 2007
2007-06-25 22:10:55 -------- d-----w C:\Program Files\Symantec
2007-06-17 17:17:49 -------- d-----w C:\Program Files\CCleaner
2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-06-13 03:02:05 -------- d-----w C:\Program Files\QuickTime
2007-06-13 03:02:05 -------- d-----w C:\Program Files\iTunes
2007-06-13 01:52:52 -------- d-----w C:\Program Files\CuteFTP
2007-06-09 22:19:05 -------- d-----w C:\Program Files\iPod
2007-06-08 16:19:32 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-08 00:56:51 77,312 ----a-w C:\WINDOWS\ua2.dll
2007-06-06 15:26:20 -------- d-----w C:\Program Files\AIM6
2007-06-04 19:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-04 16:29:31 -------- d-----w C:\DOCUME~1\SALCIN~1\APPLIC~1\Viewpoint
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-13 20:56]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 11:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

C:\Documents and Settings\SC\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-05-18 17:16:00]
DESKTOP.INI [2002-09-03 10:00:00]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 19:23:24]

R1 avgio;avgio;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
R1 avipbb;avipbb;C:\WINDOWS\system32\DRIVERS\avipbb.sys
R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\System32\Drivers\SbcpHid.sys
R1 ssmdrv;ssmdrv;C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
R3 avgntflt;avgntflt;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\C:\Program Files\EVEREST Home Edition\kerneld.wnt
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


Contents of the 'Scheduled Tasks' folder
2007-07-28 14:44:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 19:44:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}]
"FriendlyName"="DirectX"
"ComponentGUID"="{44BBA855-CC51-11CF-AAFA-00AA00B6015C}"
"Version"=dword:00040009
"Sub-Version"=dword:00000385
"ExceptionInfName"=str(2):"C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxxp.inf"
"ExceptionCatalogName"=str(2):"C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxxp.cat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AA936DF4-2B08-4B1F-B071-72192E287704}]
"FriendlyName"="DirectX BDA"
"ComponentGUID"="{AA936DF4-2B08-4B1F-B071-72192E287704}"
"Version"=dword:00040009
"Sub-Version"=dword:00000385
"ExceptionInfName"=str(2):"C:\WINDOWS\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\dxbda.inf"
"ExceptionCatalogName"=str(2):"C:\WINDOWS\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\dx9bda.cat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwFlash]
"Installed"="1"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-29 19:46:06
C:\ComboFix-quarantined-files.txt ... 2007-07-29 19:45

--- E O F ---


And here's a fresh Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 7:48:58 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123819283953
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
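Added example (not from the thread and not HijackThis's own code): a small Python parser for the log format above, so the O16 ActiveX downloads, the logon/service entries and any "(no file)", "(file missing)" or unresolved-shortcut entries can be listed without reading the whole log by eye. The sample lines are copied from the log just posted; what it groups and what it flags for a manual look is this example's own choice, not a HijackThis verdict.

```python
# Added example for this thread (not HijackThis's own code): parse the
# R/F/N/O lines of a HijackThis log into structured entries so the items an
# analyst checks first (O16 ActiveX downloads, logon/service code, entries
# whose target file cannot be found) can be pulled out programmatically.
# The sample lines are copied from the log posted above; the grouping rules
# are this example's own assumptions, not HijackThis verdicts.
import re
from collections import defaultdict

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:48:58 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


def parse_hjt(text):
    """Return (header_lines, running_processes, entries) from HijackThis log text."""
    header, processes, entries = [], [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            header.append(line)       # "Logfile of ...", "Platform: ..." and so on
            continue
        body = m.group("body")
        clsid, url = CLSID_RE.search(body), URL_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "url": url.group(0) if url else None,
            # HijackThis prints these when the referenced file is absent or a
            # shortcut target could not be resolved; confirm such entries by hand
            "needs_check": "(no file)" in body or "(file missing)" in body or body.endswith("= ?"),
        })
    return header, processes, entries


def summarize(entries):
    """Group entries by section and pull out the categories an analyst reads first."""
    by_section = defaultdict(list)
    for e in entries:
        by_section[e["section"]].append(e)
    return {
        "counts": {s: len(v) for s, v in by_section.items()},
        # O16: ActiveX controls installed from the web (Downloaded Program Files)
        "activex": [(e["clsid"], e["url"]) for e in by_section.get("O16", [])],
        # O4/O20/O23: code that runs at logon, inside winlogon, or as a service
        "startup_code": [e["body"] for s in ("O4", "O20", "O23") for e in by_section.get(s, [])],
        "needs_check": [e["body"] for e in entries if e["needs_check"]],
    }


if __name__ == "__main__":
    hdr, procs, ents = parse_hjt(SAMPLE_LOG)
    print(hdr[0], "|", len(procs), "processes")
    for key, value in summarize(ents).items():
        print(key, value)
```

Run it on a full log by replacing SAMPLE_LOG with the file contents. Deckard's System Scanner output later in this thread emulates the same line format, so the same parser reads its "HijackThis Clone" section unchanged.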

#37 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 01 August 2007 - 04:45 AM

Hello again,

Both logs look clean and whilst this is good news, it doesn't help us identify what is the cause of your PC shutting itself down all the time :scratchhead:

Could you please download Rustbfix from one of these locations:
http://www.uploads.e...et/rustbfix.exe, or
http://uploads.ejvin...om/Rustbfix.exe

...and save it to your desktop.

Double click on rustbfix.exe to run the tool.

If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.

The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of both of these logfiles along with a new HijackThis log.

Thanks :)
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#38 salvation (Member, Full Member, 28 posts)

Posted 02 August 2007 - 09:42 AM

no Rustock.b-infection was found.

the problem stopped for a couple of days following my last post (which is the longest it's gone without rebooting since the problem started) but it just started again this morning...

#39 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 06 August 2007 - 02:34 PM

Hello again,

Sorry for the delay in my reply, but I am struggling to find a cause for the problems you are experiencing. Often sudden shutdowns can be caused by a computer overheating - have you checked that there is sufficient ventilation around all of the vents on your PC?

As part of the clean up process, RegSeeker should clear out orphaned registry entries:

So please download RegSeeker from here: http://www.snapfiles.../regseeker.html
  • Open RegSeeker.
  • Check the 'Backup before Deletion' box
  • Check 'Clean the Registry'
  • Check all boxes and click OK
When the scan has finished, click Select all, then right-click on the highlighted area and click 'Delete Selected items'. OK the prompt and then exit RegSeeker.

Could you have a look in the System Event Viewer and tell me if you have any Application Warnings or Errors?

To access the Event Viewer, click Start > Control Panel > Administrative Tools > Event Viewer and then select the Applications tab.

If there are any warnings or errors, could you double click on the error and click the copy button underneath the navigation arrows and copy and paste it into this thread?

Finally, could you please run a disk check:

Click Start > Run and type > CHKDSK

Press Enter and it will scan the drive for errors and it will look like this:

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

If it does show errors then type

CHKDSK /F /R

Press Enter and it will show this message:

The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)

Type Y for Yes and then reboot the PC. This may take a long time to complete but hopefully it will repair any problems that are found on the drive.

Please let us know how it goes and if the system still reboots after running CheckDisk.


Thanks :)
Chancellor


#40 salvation (Member, Full Member, 28 posts)

Posted 07 August 2007 - 02:11 PM

No worries about the delay. I realize it's a difficult problem to diagnose. That's why I'm here! There's about six inches between the vent and the wall and it seems fine. I had checked the temperature and posted that info above. Here it is again:

I don't have any reason to believe it's related to power supply or overheating (temp is 40c). I did a little research online and found some connections between this problem and Google Toolbars, etc., but I don't have any of those programs on my computer that I'm aware of, unless they were downloaded without my knowledge.


Also, I ran CHKDSK but it said it was read-only and that the "F parameter isn't specified." How can I change that before running it again?

Here are the Event Viewer errors:

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 8/5/2007
Time: 9:11:53 PM
User: N/A
Computer: SAL
Description:
Faulting application msimn.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 7.0.6000.16481, fault address 0x0003676f.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 6d 73 69 ure msi
0018: 6d 6e 2e 65 78 65 20 36 mn.exe 6
0020: 2e 30 2e 32 39 30 30 2e .0.2900.
0028: 32 31 38 30 20 69 6e 20 2180 in
0030: 6d 73 68 74 6d 6c 2e 64 mshtml.d
0038: 6c 6c 20 37 2e 30 2e 36 ll 7.0.6
0040: 30 30 30 2e 31 36 34 38 000.1648
0048: 31 20 61 74 20 6f 66 66 1 at off
0050: 73 65 74 20 30 30 30 33 set 0003
0058: 36 37 36 66 0d 0a 676f..

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 8/4/2007
Time: 12:32:24 AM
User: NT AUTHORITY\SYSTEM
Computer: SAL
Description:
Windows saved user SAL\…registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Warning
Event Source: H+BEDV AntiVir
Event Category: Infection
Event ID: 4113
Date: 8/2/2007
Time: 6:50:49 PM
User: NT AUTHORITY\SYSTEM
Computer: SAL
Description:
AntiVir has detected 'HTML/Dldr.Age.43731' in the file C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\CB87E013d01

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 7/29/2007
Time: 11:54:27 PM
User: NT AUTHORITY\SYSTEM
Computer: SAL
Description:
Windows saved user SAL\... registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Warning
Event Source: H+BEDV AntiVir
Event Category: Infection
Event ID: 4113
Date: 7/29/2007
Time: 9:51:26 PM
User: NT AUTHORITY\SYSTEM
Computer: SAL
Description:
AntiVir has detected 'HEUR/Exploit.HTML' in the file C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\3A55C156d01

Edited by salvation, 07 August 2007 - 02:15 PM.
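Added example (not part of the post and not a Microsoft tool): the Event Viewer records above, pasted as text, fed through a small Python triage script. It parses the "Key: value" header lines, decodes the hex "Data:" block of the Event ID 1000 record back to bytes (the Data column repeats the failure text as ASCII, so it doubles as a check that a hand-pasted record was not mangled), and pulls the detection name and file path out of the AntiVir Event ID 4113 records. The two sample records are copied from the post above with the user name elided exactly as posted; what gets flagged, and the "browser cache" note, are this example's own assumptions.

```python
# Added example for this thread (not part of the post or of any Microsoft
# tool): parse Event Viewer records pasted as text, decode the hex "Data:"
# block back to bytes, and flag the two record types discussed here. The two
# sample records are copied from the post above (user name elided as posted);
# what gets flagged is this example's own assumption.
import re

SAMPLE_EVENTS = r"""Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 8/5/2007
Time: 9:11:53 PM
User: N/A
Computer: SAL
Description:
Faulting application msimn.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 7.0.6000.16481, fault address 0x0003676f.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 6d 73 69 ure  msi
0018: 6d 6e 2e 65 78 65 20 36 mn.exe 6
0020: 2e 30 2e 32 39 30 30 2e .0.2900.
0028: 32 31 38 30 20 69 6e 20 2180 in
0030: 6d 73 68 74 6d 6c 2e 64 mshtml.d
0038: 6c 6c 20 37 2e 30 2e 36 ll 7.0.6
0040: 30 30 30 2e 31 36 34 38 000.1648
0048: 31 20 61 74 20 6f 66 66 1 at off
0050: 73 65 74 20 30 30 30 33 set 0003
0058: 36 37 36 66 0d 0a 676f..

Event Type: Warning
Event Source: H+BEDV AntiVir
Event Category: Infection
Event ID: 4113
Date: 8/2/2007
Time: 6:50:49 PM
User: NT AUTHORITY\SYSTEM
Computer: SAL
Description:
AntiVir has detected 'HTML/Dldr.Age.43731' in the file C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\CB87E013d01
"""

HEADER_KEYS = ("Event Type", "Event Source", "Event Category", "Event ID",
               "Date", "Time", "User", "Computer")
HEX_ROW = re.compile(r"^[0-9A-Fa-f]{4}:\s+(.*)$")
BYTE_TOKEN = re.compile(r"^[0-9A-Fa-f]{2}$")
APP_CRASH = re.compile(r"Faulting application (\S+), version (\S+), faulting module (\S+), "
                       r"version (\S+), fault address 0x([0-9A-Fa-f]+)")
AV_DETECT = re.compile(r"detected '([^']+)' in the file (.+?)\s*$")


def parse_events(text):
    """Split a pasted Event Viewer export into records; Data rows become bytes."""
    events = []
    for chunk in re.split(r"\n(?=Event Type:)", text.strip()):
        ev, mode = {"description": "", "data": b""}, None
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            if mode is None and key in HEADER_KEYS:
                ev[key] = value.strip()
            elif line.startswith("Description:"):
                mode = "desc"
            elif line.startswith("Data:"):
                mode = "data"
            elif mode == "desc" and line.strip() and not line.startswith("For more information"):
                ev["description"] += line.strip() + " "
            elif mode == "data" and (m := HEX_ROW.match(line)):
                row = []
                for tok in m.group(1).split():
                    if len(row) == 8 or not BYTE_TOKEN.match(tok):
                        break                   # 8 bytes per row; the rest is the ASCII column
                    row.append(int(tok, 16))
                ev["data"] += bytes(row)
        ev["description"] = ev["description"].strip()
        events.append(ev)
    return events


def triage(events):
    """Classify each record the way the analyst in this thread reads them."""
    findings = []
    for ev in events:
        src, eid, desc = ev.get("Event Source"), ev.get("Event ID"), ev["description"]
        if src == "Application Error" and eid == "1000" and (m := APP_CRASH.search(desc)):
            ascii_data = ev["data"].decode("ascii", "replace")
            findings.append({"kind": "crash", "process": m.group(1), "module": m.group(3),
                             "offset": m.group(5),
                             # the Data block repeats the failure text; a mismatch means a mangled paste
                             "data_consistent": m.group(3) in ascii_data and m.group(5) in ascii_data})
        elif src == "H+BEDV AntiVir" and eid == "4113" and (m := AV_DETECT.search(desc)):
            findings.append({"kind": "av_detection", "name": m.group(1), "path": m.group(2),
                             # a hit in the browser cache shows the page was fetched, not that it ran
                             "in_browser_cache": "\\Cache\\" in m.group(2)})
        else:
            findings.append({"kind": "other", "source": src, "id": eid})
    return findings
```

Records the script does not recognise (the Userenv 1517 warnings above, for instance) come back as "other" with their source and ID so nothing is silently dropped. A detection inside a browser cache directory tells you the content was downloaded; whether anything actually executed needs separate evidence, which is why the script only labels it rather than deciding.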


#41 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 08 August 2007 - 01:36 PM

Hi,

I am a bit concerned about this:

AntiVir has detected 'HTML/Dldr.Age.43731' in the file C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\CB87E013d01

and this

AntiVir has detected 'HEUR/Exploit.HTML' in the file C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\3A55C156d01


Before going any further, using Windows Explorer, could you please navigate to: C:\Documents and Settings\Your User Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\Profiles40gsuot.default\Cache and delete the following files:

C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\3A55C156d01<-----This File
C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\CB87E013d01<-----This File

As the Application Data folder is normally hidden, you may first need to display all files and folders using the options in Tools > Folder Options > View and check the box to 'display hidden files'.

Once you have done that, could you please let me see a log from another utility . . .

Please download ComboScan to your Desktop.
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - ComboScan.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread.
  • A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
  • Please attach Supplementary.txt to your post.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
  • To attach a file to a new post, simply
  • Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box:
  • C:\ComboScan\Supplementary.txt
  • Click Upload.
What ComboScan will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • ComboScan automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Once you’ve posted the log, I’ll have a look through it and get back to you as soon as I can.

Thanks :)
Chancellor


#42 salvation (Member, Full Member, 28 posts)

Posted 08 August 2007 - 05:25 PM

I have three cache folders and these files aren't in any of them. All hidden files and folders are shown. :huh:

Also, anything I should do about the CHKDSK issue?

#43 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 12 August 2007 - 04:33 AM

I have three cache folders and these files aren't in any of them. All hidden files and folders are shown. :huh:

Also, anything I should do about the CHKDSK issue?

Hello,

Could you try this please:

Download ATF Cleaner by Atribune from here: http://www.atribune....tent/view/25/1/ and save it to your desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies and delete what you do not need.

Then double-click ATF-Cleaner.exe to run the program and check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch (Windows XP) only *
Java Cache


* The purpose of the Prefetch folder is to increase the speed at which you can access the programs that you use on your PC. Unfortunately, Windows doesn't differentiate between a program you use every day and one you use once in a blue moon, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time.
You may find that the first time you boot up after cleaning out this folder, your PC takes longer to get into gear - the second, and subsequent, boots should be quicker.

The rest are optional - if you want to remove them all, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

With regard to the CHKDSK issue, could you try running it this way:

Go to Windows Explorer > right-click on your C:\ drive and select Properties > click the Tools tab and under 'Error Checking' choose 'Check Now', then check the two options it gives you, 'Automatically fix file system errors' and 'Scan for and attempt recovery of bad sectors', then click OK.

You should then get a message telling you that the system needs exclusive access to the drive to check for errors and would you like to run the disk check at next re-boot (or words to that effect).

When asked this click Yes and then re-boot.

Could you let me know how you get on?

Thanks :D
Chancellor


#44 salvation (Member, Full Member, 28 posts)

Posted 16 August 2007 - 10:19 AM

Sorry for the delay. I was out of town for a few days. I ran both ATF Cleaner and CHKDSK. (Would ATF have cleared the files you were concerned about that I wasn't able to locate manually?) And do you still want me to run ComboScan? I haven't done that yet.

Oh, and the spontaneous rebooting is still happening!

Edited by salvation, 16 August 2007 - 10:29 AM.


#45 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 19 August 2007 - 12:11 PM

Sorry for the delay. I was out of town for a few days. I ran both ATF Cleaner and CHKDSK. (Would ATF have cleared the files you were concerned about that I wasn't able to locate manually?) And do you still want me to run ComboScan? I haven't done that yet.

Oh, and the spontaneous rebooting is still happening!

Hello again,

Yes, ATF should have cleared out all of the files I was concerned about.

Could you let me see a ComboScan log and we will go from there.

Thanks :)
Chancellor


#46 salvation (Member, Full Member, 28 posts)

Posted 22 August 2007 - 09:14 AM

Hi. I had to use Deckard's System Scanner from here: http://www.techsuppo...ctools/Deckard/

Here are the two logfiles it produced:

Deckard's System Scanner v20070819.64
Run by ... on 2007-08-22 10:08:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
51: 2007-08-22 14:08:27 UTC - RP1159 - Deckard's System Scanner Restore Point
50: 2007-08-21 00:11:03 UTC - RP1158 - System Checkpoint
49: 2007-08-19 23:39:26 UTC - RP1157 - System Checkpoint
48: 2007-08-18 18:30:15 UTC - RP1156 - System Checkpoint
47: 2007-08-17 17:16:47 UTC - RP1155 - System Checkpoint


-- First Restore Point --
1: 2007-07-01 14:36:30 UTC - RP1109 - Installed Java™ SE Runtime Environment 6 Update 1


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as ....exe) --------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-22 10:09:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\...\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123819283953
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupd...7911.3761111111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\SYSTEM32\NavLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - "C:\Program Files\Ad-Aware 2007\aawservice.exe"
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - "C:\Program Files\Viewpoint\Common\ViewpointService.exe"



-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20070701-102831-144 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20070701-144821-606 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
backup-20070701-144822-600 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-08-18 10:44:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-07-22 and 2007-08-22 -----------------------------

2007-08-02 10:40:40 0 d-------- C:\Rustbfix
2007-07-25 14:07:47 0 d-------- C:\Program Files\EVEREST Home Edition


-- Find3M Report ---------------------------------------------------------------

2007-08-06 09:01:26 0 d-------- C:\Program Files\Java
2007-07-23 16:41:55 0 d-------- C:\Program Files\Ad-Aware 2007
2007-07-18 12:11:22 4096 --a------ C:\WINDOWS\system32\sysres.dll
2007-07-18 12:11:20 38567 --a------ C:\WINDOWS\system32\pcpbios.exe
2007-06-25 18:10:55 0 d-------- C:\Program Files\Symantec
2007-06-07 20:56:51 77312 --a------ C:\WINDOWS\ua2.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/13/2003 08:56 PM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [06/24/2003 11:46 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/01/2007 04:51 PM]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [04/02/2007 10:35 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

C:\Documents and Settings\...\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [5/18/2004 5:16:00 PM]
DESKTOP.INI [9/3/2002 10:00:00 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [9/4/1999 7:23:24 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-08-22 10:10:36 ------------

Deckard's System Scanner v20070819.64
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 511 MiB / 290.09 MiB
Pagefile Memory (total/avail): 1247.86 MiB / 1015.61 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1960.35 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.21 GiB total, 15.36 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Avira AntiVir PersonalEdition v 6.39.1.30
(Avira GmbH)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\...\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SAL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\...
LOGONSERVER=\\SAL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SALCIN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SALCIN~1\LOCALS~1\Temp
USERDOMAIN=SAL
USERNAME=...
USERPROFILE=C:\Documents and Settings\...
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

... (admin)
Administrator.SAL (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{0E6AB9FC-76C2-431B-9C06-6C1CFFFEA8EB}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Advanced CD Ripper Pro 1.22 --> "C:\Program Files\Advanced CD Ripper Pro 1.22\unins000.exe"
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
Avira AntiVir PersonalEdition Classic --> C:\Program Files\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Chat Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1D71A696-7CCD-4E11-A0DA-618282F1AD7C}\Setup.exe" -l0x9
CuteFTP 5.0 XP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18DF995F-2ACC-47E4-A33B-A703F4D39E92}\IS6.exe" -l0x9 /l0009 UNINSTALL
DAO --> MsiExec.exe /I{64116298-93C5-401D-B06C-39D8E3338508}
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
DS21Patch --> MsiExec.exe /I{9B79DCB0-AAD7-456B-8D07-433C936FA24B}
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
eMule --> "C:\Program Files\eMule\Uninstall.exe"
HijackThis 1.99.1 --> C:\HJT\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
iTunes --> MsiExec.exe /I{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kazaa Lite K++ v2.4.3 --> "C:\Program Files\Kazaa Lite\Kazaa Lite K++\unins000.exe"
LimeWire 4.10.9 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft GIF Animator --> C:\Program Files\Microsoft GIF Animator\setup\GifACME.exe
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 2000 --> MsiExec.exe /I{56364334-9530-11D2-BFFC-00C04FA329AA}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
OpenWebScope Web Statistics (remove only) --> "C:\Program Files\OpenWebScope\uninstall.exe"
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
ScreenPrint32 v3.5 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\ST6UNST.LOG"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spy Sweeper --> C:\WINDOWS\unSpySweeper.exe
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpyKiller --> C:\WINDOWS\iun6002.exe "C:\Program Files\SpyKiller\irunin.ini"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XviD MPEG-4 Codec --> "C:\Program Files\XviD\UninstXviD.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type688 / Error
Event Submitted/Written: 08/17/2007 01:34:50 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application acrp.exe, version 1.2.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type687 / Error
Event Submitted/Written: 08/17/2007 01:34:03 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application acrp.exe, version 1.2.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type645 / Warning
Event Submitted/Written: 08/15/2007 07:53:27 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'HTML/Dldr.Age.43731'
in the file
C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\E58DCDAFd01

Event Record #/Type644 / Warning
Event Submitted/Written: 08/15/2007 07:48:28 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'HTML/Dldr.Age.43731'
in the file
C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\ED628CBEd01

Event Record #/Type643 / Error
Event Submitted/Written: 08/15/2007 07:48:16 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20070.6982, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type97259 / Error
Event Submitted/Written: 08/21/2007 09:36:26 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Event Record #/Type97256 / Error
Event Submitted/Written: 08/21/2007 08:47:54 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.

Event Record #/Type97215 / Error
Event Submitted/Written: 08/21/2007 07:38:33 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Event Record #/Type97214 / Error
Event Submitted/Written: 08/21/2007 07:00:30 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Event Record #/Type97212 / Error
Event Submitted/Written: 08/21/2007 06:43:13 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.



-- End of Deckard's System Scanner: finished at 2007-08-22 10:10:36 ------------

#47 salvation

    Member
  • Full Member
  • 28 posts

Posted 30 August 2007 - 06:43 PM

Just checking to make sure you got my last reply. I'm seriously considering throwing my computer out the window! :techsupport:

#48 Chancellor

    Forum Deity
  • Emeritus
  • 3,020 posts

Posted 02 September 2007 - 06:53 PM

Hello again and thanks for your patience!

I hadn’t forgotten about you but I haven’t been able to spend much time here over the last couple of weeks due to family difficulties :(

Before throwing your PC out of the window, I’d like you to run the System File Checker:

Please go to Start > Run > type cmd and press Enter. At the command prompt type sfc /scannow making sure to put a space between the "c" and the slash and then press Enter. This will run the System File Checker. Follow the prompts, and insert your Windows installation CD if requested. Then please restart your computer.

If there are any bad sectors on your disk, Windows needs to identify them and put them to one side so that they are not used. So a disk check is needed:

Please double-click My Computer and then right-click the hard disk that you want to check
Click Properties and then click Tools.
Under Error-checking, click Check Now.
Please check both boxes - you will receive the following message:
'Do you want to schedule the disk check to occur the next time you restart the computer?'
Click Yes to schedule the disk check, and then restart your computer to start the disk check.

Then, you need to defragment your computer
  • Click Start, Double click My Computer.
  • Right-click the local disk volume that you want to defragment, (C: Drive) and then click Properties.
  • On the Tools tab, click Defragment Now.
  • Click Defragment.
There is also the possibility that this problem could be caused by a driver gone bad. So please check the Device Manager:
  • Click the Start button and click Control Panel.
  • Click Performance and Maintenance and click System.
  • Click the Hardware tab and click Device Manager.
  • In the Device Manager list, check for devices that are incorrectly configured.
  • Incorrectly configured devices are indicated by a yellow exclamation point (!) or a red X if the device has been disabled.
  • Double-click any device marked with an exclamation point to display the properties window.
  • The device status area in the properties window reports the devices that need to be re-configured.
Please could you clear your Firefox Cookies too:

Open the Mozilla Browser, click Tools > Options > Privacy > Cookies > Clear.

Then, lastly, Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
Posted Image
Posted Image

To obtain the report:
  • Click on: Save Report As (above - red blinking arrow)
  • Next, in the Save as prompt, Save in area, select:
  • Desktop
  • In the File name area, use KScan, or something similar
  • In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.
Thanks!

:D
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#49 salvation

    Member
  • Full Member
  • 28 posts

Posted 03 September 2007 - 06:28 PM

Hey, no problem. I hope your family difficulties aren't too serious. :unsure:

It doesn't seem like there are any system file or device issues. Here's the Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 03, 2007 7:15:34 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 4/09/2007
Kaspersky Anti-Virus database records: 403211
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 75369
Number of viruses found: 2
Number of infected objects: 1
Number of suspicious objects: 2
Duration of the scan process: 01:37:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz.zip/polall1t.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\...\Application Data\Mozilla\Firefox\Profiles40gsuot.default\cert8.db Object is locked skipped
C:\Documents and Settings\...\Application Data\Mozilla\Firefox\Profiles40gsuot.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\...\Application Data\Mozilla\Firefox\Profiles40gsuot.default\history.dat Object is locked skipped
C:\Documents and Settings\...\Application Data\Mozilla\Firefox\Profiles40gsuot.default\key3.db Object is locked skipped
C:\Documents and Settings\...\Application Data\Mozilla\Firefox\Profiles40gsuot.default\parent.lock Object is locked skipped
C:\Documents and Settings\...\Application Data\Mozilla\Firefox\Profiles40gsuot.default\search.sqlite Object is locked skipped
C:\Documents and Settings\...\Application Data\Mozilla\Firefox\Profiles40gsuot.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\...\Application Data\Mozilla\Firefox\Profiles40gsuot.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\...\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\AOL OCP\AIM\Storage\data\salvation79\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Drafts (1).dbx Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles40gsuot.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\...\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\...\Local Settings\Temp\~PST7785.tmp Object is locked skipped
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\...\ntuser.dat Object is locked skipped
C:\Documents and Settings\...\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1171\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\1024\ldBEC6.tmp Infected: Trojan-Downloader.Win32.Zlob.azy skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\FxsTmp\fxs10C.tmp Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by salvation, 03 September 2007 - 06:29 PM.


#50 salvation

    Member
  • Full Member
  • 28 posts

Posted 22 September 2007 - 08:53 AM

Just checking in to see if you've had a chance to look at my last log.



