Geeks To Go forum
Dr. Watson I presume [resolved]



#46 The Smooth Operator (Member, Topic Starter, 64 posts)

Tried a full scan at ActiveScan. Found about 8 infected files, and mid-way through the scan it crashed. Every time it even tried to restart, the PC just turns off and starts again. Then it finally stayed on, so I tried ActiveScan on just the hard drives like before, but it crashed again. Now, after rebooting itself about 3 times in a row, I'm coming back to report it to you. Any clues?
:tazz:

Jim.

#47 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Ok, do a full system scan with ad-aware (if it will let you).

Then we'll go from there.

Michelle :tazz:

#48 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

(in safe mode)

Michelle :tazz:

#49 The Smooth Operator (Member, Topic Starter, 64 posts)

Tried ActiveScan again, just on the C: drive. Crashed again, I think while looking in the c:\l386 folder.

#50 The Smooth Operator (Member, Topic Starter, 64 posts)

Done it!


Ad-Aware SE Build 1.05
Logfile Created on:29 March 2005 21:59:15
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R34 23.03.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):8 total references
MRU List(TAC index:0):12 total references
WindUpdates(TAC index:8):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


29-03-2005 21:59:15 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 124
ThreadCreationTime : 29-03-2005 20:57:37
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 176
ThreadCreationTime : 29-03-2005 20:57:59
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 208
ThreadCreationTime : 29-03-2005 20:58:06
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 252
ThreadCreationTime : 29-03-2005 20:58:12
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 264
ThreadCreationTime : 29-03-2005 20:58:12
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 416
ThreadCreationTime : 29-03-2005 20:58:16
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 476
ThreadCreationTime : 29-03-2005 20:58:18
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 520
ThreadCreationTime : 29-03-2005 20:58:19
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 760
ThreadCreationTime : 29-03-2005 20:58:33
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 872
ThreadCreationTime : 29-03-2005 20:59:06
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\enum\root\legacy_*008f__6q*00d4*00f5*0013'*00aa*00b4*00c6*00d08

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2

MRU List Object Recognized!
Location: : S-1-5-21-3410288154-1754454779-3683679437-500\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-3410288154-1754454779-3683679437-500\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-3410288154-1754454779-3683679437-500\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-3410288154-1754454779-3683679437-500\software\ahead\nero - burning rom\recent file list
Description : list of recently used files in nero burning rom


MRU List Object Recognized!
Location: : S-1-5-21-3410288154-1754454779-3683679437-500\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3410288154-1754454779-3683679437-500\software\creative tech\creative wavestudio\settings
Description : list of recently used directories in creative wavestudio


MRU List Object Recognized!
Location: : S-1-5-21-3410288154-1754454779-3683679437-500\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-3410288154-1754454779-3683679437-500\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-3410288154-1754454779-3683679437-500\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3410288154-1754454779-3683679437-500\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Documents and Settings\Administrator\recent
Description : list of recently opened documents



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : File
Data : Dc1.dll
Category : Malware
Comment :
Object : C:\RECYCLER\S-1-5-21-3410288154-1754454779-3683679437-500\



WindUpdates Object Recognized!
Type : File
Data : A0248007.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP796\



CoolWebSearch Object Recognized!
Type : File
Data : okvti.txt
Category : Malware
Comment :
Object : C:\WINDOWS\system32\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {EB4D80CE-A5EA-A544-8137-2F007EEFD4DA}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 21

22:13:35 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:14:19.646
Objects scanned:128197
Objects identified:9
Objects ignored:0
New critical objects:9

#51 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Please post a new HiJackThis log!

Michelle :tazz:

#52 The Smooth Operator (Member, Topic Starter, 64 posts)

Logfile of HijackThis v1.99.1
Scan saved at 22:38:02, on 29/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\allp9nwm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\allp9nwm.slt\prefs.js)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
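
A small triage script for the HijackThis log format above, added here as an example that is not part of the thread or of HijackThis itself. It splits a log into the running-process list and the typed `R1`/`R3`/`O4`/`O23` entries, then surfaces the items a helper would look at first: the `Internet Explorer\Main` and URLSearchHook settings (the same registry locations the Ad-Aware log earlier in the thread flagged as CoolWebSearch), every autostart entry, and any service with no listed owner. The embedded sample is a constructed, trimmed copy of the log posted in this reply.

```python
import re

# Constructed sample: a trimmed copy of the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 22:38:02, on 29/03/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Entry lines look like "O23 - Service: ..."; process lines are bare paths.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>.+?)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                 # blank line ends the process list
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["code"], m["body"]))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (category, detail) pairs worth a second look, in log order."""
    _, entries = parse_hjt(text)
    findings = []
    for code, body in entries:
        if code == "R1" and body.endswith("= about:blank"):
            findings.append(("ie-defaults", body))       # IE\Main default page
        elif code == "R3" and "URLSearchHook" in body:
            findings.append(("urlsearchhook", body))     # hook missing/changed
        elif code == "O4":                               # every autostart entry
            m = O4_RE.match(body)
            if m:
                findings.append(("autostart", f"{m['name']}: {m['cmd']}"))
        elif code == "O23":                              # services w/o publisher
            m = O23_RE.match(body)
            if m and m["owner"] == "Unknown owner":
                findings.append(("unsigned-service", f"{m['name']}: {m['path']}"))
    return findings
```

Running `triage(SAMPLE_LOG)` on the sample lists the about:blank default page, the missing URLSearchHook, both Run entries and the ATI service with no owner; a listed item is a review prompt, not a verdict.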

#53 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

We're getting closer! :tazz:

Try running Housecall this time instead of Activescan. If it works, then try running Activescan again.

I know it's tedious...

Michelle ;)

#54 The Smooth Operator (Member, Topic Starter, 64 posts)

OK, tried HouseCall. Crashed after about 4 mins, on a file /Adobe/whatever... The 2nd time it did that, I went to Add/Remove Hardware, found out I had already uninstalled that program ages ago, so went into C: and deleted the folders it got stuck at. They are just Adobe After Effects program zips, Try Out folders that should be fine to delete, and I don't need them.

Finally the scan finished, after doing the C: and D: drives only (both my hard drives). Found 37 infected files, most said uncleanable; I clicked to delete them. (All but one were this:

system volume information\_restore{huge long numbers and letters).exe

Going to try ActiveScan again now.

So sorry to take up all your time... much love.

Jim.

#55 The Smooth Operator (Member, Topic Starter, 64 posts)

Pfffffft, make that crashed after 45 mins.... :tazz:

#56 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Please turn off System Restore.
*Right-click My Computer.
*Click Properties.
*Click the System Restore tab.
*Check "Turn off System Restore"
*Click Apply, and then click OK.

Reboot into safe mode and try running About:Buster again. If it crashes in Safe Mode, restart into normal mode and try running About:Buster this way (something we haven't tried yet!)

You're not taking up all of my time. I don't mind helping at all!
Michelle
:tazz:

#57 The Smooth Operator (Member, Topic Starter, 64 posts)

ActiveScan crashed my comp again; doing what you say now.

#58 The Smooth Operator (Member, Topic Starter, 64 posts)

Ran AboutBuster in safe mode; the PC rebooted halfway through, and it took several attempts until it finally rebooted properly. Ran AboutBuster in normal mode, and the PC rebooted again.

By the way, these crashes aren't like everything pauses; it's just like hitting the reset button.

#59 The Smooth Operator (Member, Topic Starter, 64 posts)

To confirm, yup, System Restore on both C & D drives now off. :tazz:

#60 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Ok, go to Start > Control Panel > System - Click the Advanced tab. Under "Startup & Recovery" click Settings, then UN-check "automatically restart" and make sure there is a check next to "Write an event to the system log". Click OK.

Then try running About:Buster again (in normal mode), then we will go into the event viewer to see what is causing the error.

Michelle :tazz:
