
Dr Watson Debugger + More Problems



#1
pkmimi

pkmimi

    New Member

  • Member
  • Pip
  • 3 posts
HELP!

Originally, I could not open My Computer, My Documents or My Network Places. Instead, I got the message that Dr Watson debugger had encountered a problem and needed to close. I visited this site and read the recent posts describing the same problem. I followed the directions and have run Adaware, CW-Shredder, Aboutbuster, and Trend (?) numerous times until there were no more detections. Upon reboot to normal mode, now my Norton Antiviral program will not enable and Adaware won't run. Here is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 9:02:49 PM, on 3/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Brad\LOCALS~1\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\mcafee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [5-1-6-2] c:\program files\Webdialer\hentaimovie4_mpeg[1].exe -m
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcaf...31/mcinsctl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101054579718
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: {F877BD00-69FC-11D2-82BC-00C04FB92E85} (MS Project Security Class) - http://63.89.219.43/...ts/pjclient.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\iomegaaccess.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\mcafee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NeroSVC - ahead software gmbh
im stoeckmaedle 6
76307 karlsbad, germany
Fax: ++49-7248-911-888
e-mail: info@ahead.de - C:\Program Files\ahead\Nero\NeroSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Someone please help. It's getting worse.
  • 0



#2
OSC

OSC

    Malware Expert

  • Retired Staff
  • 301 posts
Hi pkmimi,

Please do a search on your computer for Drwtsn32.log. Once the search is finished, sort them by date and locate the latest log. Double click it to open it. Copy the contents of that log and paste it into this thread.
  • 0

#3
pkmimi

pkmimi

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi,

When I ran the search for Drwtsn.log, I did not find it. So, I ran a search just on Drwtsn- found a Drwtsn32.exe -2B4B52AC.pf file (afraid to open) plus Help and Application files. I looked on Task Manager and the file is no longer there.

On the bright side, I can now access My Computer, My Documents and My Network Places. Norton still won't enable.

Hope this is helpful.

pkmimi
  • 0

#4
OSC

OSC

    Malware Expert

  • Retired Staff
  • 301 posts
Hi pkmimi,

Configure your computer to show hidden files.

Next, go to the following folder:
c:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

There should be 2 files in there. A .log file and a .dmp file. Please zip both files up and email them to this address. We'd like to have a look at the data in there.

Edited by OSC, 09 March 2005 - 10:09 PM.

  • 0

#5
pkmimi

pkmimi

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi,

I made sure system would show hidden files. Only 2 files found; text file and a user dump file. When I tried to open the user dump file with wordpad- gibberish.

I copied the most recent portion of the text file. Here it is.

*----> State Dump for Thread Id 0x220 <----*

eax=774fd888 ebx=00000000 ecx=7ffda000 edx=00000000 esi=7c97c0d8 edi=00000000
eip=7c90eb94 esp=00f3fe18 ebp=00f3fea0 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
ntdll!KiFastSystemCall:
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
ntdll!KiIntSystemCall:
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ole32.dll -
ChildEBP RetAddr Args to Child
00f3fea0 7c90104b 0197c0d8 7c917332 7c97c0d8 ntdll!KiFastSystemCallRet
00f3ff94 7c80ceb7 774e0000 00f3ffb4 774fd8bc ntdll!RtlEnterCriticalSection+0x46
00f3ffa0 774fd8bc 774e0000 00000000 7c91094e kernel32!FreeLibraryAndExitThread+0x16
00f3ffb4 7c80b50b 000c9800 7c910945 7c91094e ole32!IsValidInterface+0x4a3
00f3ffec 00000000 774fd888 000c9800 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*

*----> State Dump for Thread Id 0x228 <----*

eax=7c90ead0 ebx=00000000 ecx=00f7fed4 edx=00000000 esi=7c97c0d8 edi=00000000
eip=7c90eb94 esp=00f7ec18 ebp=00f7eca0 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0080 es=f06b fs=003b gs=0000 efl=00000246

function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
ntdll!KiFastSystemCall:
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
ntdll!KiIntSystemCall:
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*



I am in way over my head. Would running chkdsk c: \r help???
  • 0
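
A parser for the Dr Watson text-log layout pasted in the post above, added here as an example; it is not part of the original thread or any tool the forum uses. For each thread it lists the modules named on the stack back trace and whether Dr Watson flagged the unwind as unreliable. `parse_drwatson` and `SAMPLE` are names made up for this example, and the sample is a trimmed excerpt of the posted log.

```python
import re

# Markers and line shapes as they appear in the Dr Watson text log posted above.
# A frame line reads: ChildEBP RetAddr Arg Arg Arg module!symbol[+0xoffset]
THREAD_RE = re.compile(r"\*----> State Dump for Thread Id (0x[0-9a-fA-F]+) <----\*")
SECTION_RE = re.compile(r"\*----> (.+?) <----\*")
EIP_RE = re.compile(r"\beip=([0-9a-fA-F]{8})\b")
FRAME_RE = re.compile(r"^[0-9a-fA-F]{8}(?: [0-9a-fA-F]{8}){4} "
                      r"(\w+)!([\w:~]+)(?:\+(0x[0-9a-fA-F]+))?$")

def parse_drwatson(text):
    """Return one dict per thread: id, eip, frames, modules, unwind_reliable."""
    threads, cur, section = [], None, None
    for line in map(str.strip, text.splitlines()):
        marker = SECTION_RE.match(line)
        if marker:
            section = marker.group(1)
            thread = THREAD_RE.match(line)
            if thread:  # a new per-thread block starts here
                cur = {"id": thread.group(1), "eip": None, "frames": [],
                       "modules": [], "unwind_reliable": True}
                threads.append(cur)
                section = "State Dump"
        elif cur is None:
            continue  # text before the first thread block
        elif section == "State Dump" and cur["eip"] is None and EIP_RE.search(line):
            cur["eip"] = EIP_RE.search(line).group(1)
        elif section == "Stack Back Trace":
            if line.startswith("WARNING: Stack unwind information not available"):
                cur["unwind_reliable"] = False  # frames below may be wrong
            frame = FRAME_RE.match(line)
            if frame:
                cur["frames"].append(frame.groups())  # (module, symbol, offset)
                if frame.group(1) not in cur["modules"]:
                    cur["modules"].append(frame.group(1))
    return threads

# Trimmed excerpt of the log posted above; thread 0x228 has an empty back trace.
SAMPLE = """\
*----> State Dump for Thread Id 0x220 <----*
eip=7c90eb94 esp=00f3fe18 ebp=00f3fea0 iopl=0 nv up ei pl zr na po nc
*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
00f3fea0 7c90104b 0197c0d8 7c917332 7c97c0d8 ntdll!KiFastSystemCallRet
00f3ffb4 7c80b50b 000c9800 7c910945 7c91094e ole32!IsValidInterface+0x4a3
*----> State Dump for Thread Id 0x228 <----*
eip=7c90eb94 esp=00f7ec18 ebp=00f7eca0 iopl=0 nv up ei pl zr na po nc
*----> Stack Back Trace <----*
"""
print([(t["id"], t["modules"], t["unwind_reliable"]) for t in parse_drwatson(SAMPLE)])
```

A module on the back trace that does not belong to Windows or to software the user knowingly installed is the thing to look up first; when the unwind warning is present, treat the frame list as a hint rather than a fact.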

#6
OSC

OSC

    Malware Expert

  • Retired Staff
  • 301 posts
Hi pkmimi,

Please zip both files up (the .log and .dmp) and email them to this address. We'd like to have a look at the data in there.
  • 0





