Jump to content


Photo

Whole system freezes up after inactivity


  • Please log in to reply
17 replies to this topic

#1 pburchett

pburchett

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 18 October 2006 - 07:57 AM

My computer has been running slower and slower lately. I don't know if it's related to what else is going on or not. For the last week, when I try to use my pc after a period of inactivity (of varying lengths) the whole thing is froze up.....the mouse pointer won't move or anything. None of the buttons on the keyboard work either (if I left wmp playing, the stop button on the keyboard won't stop it). When it does this, I have to use the button on the tower to shut it all down and restart it. Before it started freezing up, I would have various problems occur like pages and programs would stop responding, my mouse would quit working, once my keyboard quit, and sometimes when I restarted my pc, it would have my active desktop turned off. I have avast antivirus updated and not finding any infections. I have ZoneAlarm up to date and running, Spyware Guard, and Spybot Search & Destroy as well. I also have Adaware SE up to date with nothing being found other than a few harmless tracking cookies here and there. I've also installed and used Windows Defender which finds nothing. I went to my control panel and deleted all my cookies & temporary files, as well as the "rearranging items on the disk to make the pc run quicker". Actually, last time I did that rearranging thing, it literally took about 8 hours to do it, when it had always only took a few minutes before. I have the ATF Cleaner downloaded but I didn't use it because I wasn't sure what to do. Below is my HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 9:55:17 AM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Consumer Input Rewarded with MyPoints, Consumer Input\ConsumerInputRewardedwithMyPoints,ConsumerInput.exe
C:\Program Files\Consumer Input Rewarded with MyPoints, Consumer Input\ConsumerInputRewardedwithMyPoints,ConsumerInputUa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\YTBSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Documents and Settings\Pamela\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosite.com;*.dir.untd.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Consumer Input Rewarded with MyPoints, Consumer Input] C:\Program Files\Consumer Input Rewarded with MyPoints, Consumer Input\ConsumerInputRewardedwithMyPoints,ConsumerInput.exe
O4 - HKCU\..\Run: [Consumer Input Rewarded with MyPoints, Consumer Input Update] C:\Program Files\Consumer Input Rewarded with MyPoints, Consumer Input\ConsumerInputRewardedwithMyPoints,ConsumerInputUa.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shopnbc.com
O15 - Trusted Zone: http://login.live.com
O15 - Trusted Zone: http://www.rockstar.msn.com
O15 - Trusted Zone: www.mypoints.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto...YorkActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127177922152
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - https://secure.stamp...file=stamps.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.co...snmusax4421.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B88E090-46DB-4EAD-9160-2BE1A1543A86}: NameServer = 204.68.227.1,204.68.227.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,533 posts

Posted 21 October 2006 - 05:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 27 October 2006 - 02:11 PM

Hi pburchett,

Please download SilentRunners from here:
http://www.silentrun...ent Runners.vbs
Save it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

#4 pburchett

pburchett

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 27 October 2006 - 02:24 PM

(In case you already read this once, it has been edited)

Here is the SilentRunners log:

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Consumer Input Rewarded with MyPoints, Consumer Input" = "C:\Program Files\Consumer Input Rewarded with MyPoints, Consumer Input\ConsumerInputRewardedwithMyPoints,ConsumerInput.exe" ["Compete, Inc."]
"Consumer Input Rewarded with MyPoints, Consumer Input Update" = "C:\Program Files\Consumer Input Rewarded with MyPoints, Consumer Input\ConsumerInputRewardedwithMyPoints,ConsumerInputUa.exe" ["Compete, Inc."]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"PCTVOICE" = "pctspk.exe" [empty string]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"LXCFCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"FLMOFFICE4DMOUSE" = "C:\Program Files\Browser MOUSE\mouse32a.exe" [empty string]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = (no title provided)
-> {HKLM...CLSID} = "YahooTaggedBM Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\YAHOO!\COMMON\ymmapi20041123.dll" ["Yahoo! Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\YAHOO!\COMMON\ymmapi20041123.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Pamela\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Pamela" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\Pamela\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"ISP signup reminder 1" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /i /n:1" [MS]
"ISP signup reminder 2" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /i /n:2" [MS]
"Disk Cleanup" -> launches: "C:\WINDOWS\system32\cleanmgr.exe" [MS]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll" ["Yahoo! Inc."]
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = (no title provided)
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\YAHOO!\COMMON\yhexbmesus.dll" ["Yahoo! Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{4982D40A-C53B-4615-B15B-B5B5E98D167C}\
"ButtonText" = "AOL Toolbar"
"MenuText" = "AOL Toolbar"
"CLSIDExtension" = "{4982D40A-C53B-4615-B15B-B5B5E98D167C}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]

{4B30061A-5B39-11D3-80F8-0090276F843F}\
"ButtonText" = "Net2Phone"
"MenuText" = "Net2Phone"
"Exec" = "C:\Program Files\Net2Phone\Net2fone.exe" ["Net2Phone"]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["America Online"]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
LXCFCustomerConnect, LXCFCustomerConnect, "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFserv.exe" [empty string]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZONELABS\vsmon.exe -service" ["Zone Labs, LLC"]
Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
730 Series Port\Driver = "lxcflmpm.DLL" [empty string]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 185 seconds, including 18 seconds for message boxes)

Edited by pburchett, 27 October 2006 - 02:29 PM.


#5 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 27 October 2006 - 02:56 PM

Hi pburchett,

Try checking the Event Viewer (Control Panel, Administrative Tools, Event Viewer) for recent Application or System errors, if there are any double click on them and post the text under Description.

#6 pburchett

pburchett

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 27 October 2006 - 06:56 PM

I went to the event viewer and under application, there were 963 events. Under system, there were 2053 events. I'm not sure how to go about posting the description for all those because that's an awful lot of descriptions to copy. Any suggestions?

#7 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 28 October 2006 - 07:18 PM

Just look for errors, the ones with the red circle with a white X, you can ignore the information and warning ones.

#8 pburchett

pburchett

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 29 October 2006 - 09:27 AM

I went to the event viewer and filtered the results to only the errors (the ones with the circle and x) and there were 600 application errors (from April 10 to Oct. 26) and 523 system errors (from Sept. 7 to Oct. 26). There isn't a description column on the table. The only way I know of to find the description is in the properties box for each individual event, which is going to be dificult to post for condsidering how many errors there are and that it won't let me just copy and paste the description it gives (some of them have alot of numbers that would take forever and a day to retype and do it correctly). Is there any way you know of that would make it easier to copy all that stuff or are there any specific errors that you are concerned about?

#9 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 29 October 2006 - 04:49 PM

Most of them are probably duplicate errors (the same error occurring each time you log on). Just start with the most recent errors and work backwards, there is no need to post the same error description more than once. When you open the properties box just highlight the text at the beginning of the description box and then press Ctrl-C to copy the text and press Ctrl-V to paste the text into your post.

#10 pburchett

pburchett

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 29 October 2006 - 09:59 PM

Under application errors :
Fault bucket 340238445
Faulting application iexplore.exe, version 7.0.5730.11, faulting module unknown, version 0.0.0.0, fault address 0x40fd7c91.
Hanging application iexplore.exe, version 7.0.5730.11, hang module hungapp, version 0.0.0.0, hang address 0x0000000.
Fault bucket 337148017.
Fault bucket 338144829.
Faulting application iexplore.exe, version 7.0.5730.11, faulting module unknown, version 0.0.0.0, fault address 0x00740069.
Fault bucket 127720864.
Hanging application wmplayer.exe, version 10.0.0.3646, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Fault bucket 303698429.
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9.ocx, version 9.0.16.0, fault address 0x00184fba.
Fault bucket 272724764.
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x65645f21.
Fault bucket 126637809.
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Fault bucket 127388253.
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Fault bucket 192685456.
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module msvcrt.dll, version 7.0.2600.2180, fault address 0x00037fb7.
Fault bucket 326285426.
Faulting application napster.exe, version 3.7.3.3, faulting module unknown, version 0.0.0.0, fault address 0x2e726574.
Fault bucket 126637809.
Fault bucket 127388253.
Hanging application Music.exe, version 5.7.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Fault bucket 199730499.
Hanging application TeaTimer.exe, version 1.4.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Fault bucket 330325492.
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.
Faulting application studio.exe, version 1.0.0.488, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f2b.
Faulting application studio.exe, version 1.0.0.488, faulting module common.dll, version 0.0.0.0, fault address 0x0001615a.
Faulting application studio.exe, version 1.0.0.488, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x0001847c.
Fault bucket 315499824.
Hanging application iedw.exe, version 5.1.2600.2937, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Hanging application wmplayer.exe, version 10.0.0.3646, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Fault bucket 191268753.
Hanging application Weather.exe, version 6.5.0.15, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Fault bucket 280559304.
Faulting application consumerinputrewardedwithmypoints,consumerinput.exe, version 1.7.0.7, faulting module consumerinputrewardedwithmypoints,consumerinput.exe, version 1.7.0.7, fault address 0x0001a483.
Fault bucket 299737037.
Faulting application wmplayer.exe, version 10.0.0.3646, faulting module wmp.dll, version 10.0.0.4036, fault address 0x0013cc5a.
Fault bucket 199730499.
Hanging application TeaTimer.exe, version 1.4.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Hanging application wmplayer.exe, version 10.0.0.3646, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Fault bucket 186232334
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Fault bucket 303682357.
Fault bucket 126648864.
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Fault bucket 126637809.
Hanging application exec.exe, version 4.3.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000
Fault bucket 145909353.
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Faulting application ypager.exe, version 6.0.0.1922, faulting module wininet.dll, version 6.0.2900.2753, fault address 0x0000e2d8.
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

The errors under system:

The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 5 time(s).
The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
The lxcf_device service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Timeout (30000 milliseconds) waiting for the lxcf_device service to connect.
DCOM got error "The service did not respond to the start or control request in a timely fashion. " attempting to start the service lxcf_device with arguments "" in order to run the server:
{323CE21C-A448-40AA-BA74-7FCF1E44106F}
The Application Management service terminated with the following error:
The specified module could not be found.
The device, \Device\CdRom1, has a bad block.
The avast! Mail Scanner service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
The IMAPI CD-Burning COM Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
The driver detected a controller error on \Device\CdRom1.
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

#11 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 31 October 2006 - 11:46 AM

Hi pburchett,

Given the number of different programs that have hung or faulted this looks like it is either a general system problem or possibly a hardware problem.

Lets try the System File Checker first:

Click on Start, Run, type in cmd and press enter.

In the Command window that opens type in sfc /scannow and press enter.

Have it scan your system for corrupt or missing system files, if it finds any problems it will ask you to insert your XP CD.

After the scan is complete type in exit and press enter to close the Command window.

If it did find any problems reboot after the scan is complete and see if it seems to have helped any.

#12 pburchett

pburchett

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 06 November 2006 - 11:45 AM

I did what you suggested and it found no errors. The whole computer hasn't been freezing up as often, but I do still have alot of instances of things that stop responding, at least once a day.

#13 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 07 November 2006 - 02:08 PM

The next thing I would recommend to do is a Repair Install of XP. This link will show you how to do it:

http://www.geekstogo...p?showtopic=138

#14 pburchett

pburchett

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 09 November 2006 - 10:25 AM

Hi. I haven't done the XP repair thing because I have yet to find my disc, but now I've got another problem. I use avast antivirus software and the resident scanner is always on. I decided to run it myself and it found two viruses on my pc. I moved them to the chest like it recommended but my computer completely froze up about 15 minutes after that. I restarted it, and tried to run it again because the scan hadn't got to finish. It has yet to be able to complete a scan since. It goes so far and then it freezes up the whole system. I went to a website for Panda Active Scan to see if it would find anymore virueses but my avast detected a virus in the panda software I was downloading. I got rid of that and tried a few other scanners which found nothing. I ran my adaware and it only found a few tracking cookies which I deleted. Do you think that I must have another problem going on or is it just a problem with avast?..........Also everytime I restart my pc, my ZoneAlarm says that service executable is trying to access the internet ( application lxcfserv.exe). I don't know what this is so I always deny it access. Do you know what this is and if I should allow it?

Edited by pburchett, 09 November 2006 - 09:37 PM.


#15 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 12 November 2006 - 07:49 PM

Hi pburchett,

It is possible that Avast may have deleted a file that is necessary to be there, can you tell me the file names of the two files that Avast moved to the chest?

lxcfserv.exe is associated with your printer, it probably checks for updates to your printer software. Probably doesn't hurt anything to allow it or to deny it internet access.

#16 pburchett

pburchett

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 12 November 2006 - 08:18 PM

One file was pskavs.dll The virus name is Win32:CTX
It also moved two other files which were both just songs I had downloaded. The virus name for those two was Win32:Wimad [Trj]

#17 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 20 November 2006 - 02:07 PM

Hi pburchett,

Sorry it has taken so long to get back to you.

pskavs.dll is a Panda Active Scan file and is a known false positive with Avast. Removing the file should not cause a problem with anything other than Panda Active Scan.

Have you been able to do the repair install yet?

#18 pburchett

pburchett

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 20 November 2006 - 03:34 PM

I haven't had the chance to look for my disk yet (everything's been a little crazy round here lately) but I'm startin to get things back on track so hopefully I'll find it in the next day or so. My pc has been freezing up more (time and everything stopping) and running slower the rest of the time. When I do this thing you have suggested, will I lose my music files (I've got over 5000 of them, an awful lot to have to back up and tons of pictures too)?




Member of UNITE
Support SpywareInfo Forum - click the button