ide21201.vxd


  • This topic is locked

#16
little eagle

  • Member
  • 170 posts
Run CCleaner, disk cleanup, then defrag, and let me know what the errors are.
  • 0


#17
buckt

  • Topic Starter
  • Member
  • 23 posts
The latest HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 9:49:28 PM, on 4/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
H:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\WINDOWS\system32\wuauclt.exe
H:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wundergro...0R&zoommode=pan
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.wundergro...y, TX&type=N0R"); (H:\Documents and Settings\JT\Application Data\Mozilla\Profiles\default\41bt8evi.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://H%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (H:\Documents and Settings\JT\Application Data\Mozilla\Profiles\default\41bt8evi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HighPoint ATA RAID Management Software.lnk = H:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpeedUpMyPC.lnk = H:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: &Google Search - res://h:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://h:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://h:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://h:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://h:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://kaldm1-web.f...0018/iNotes.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092958210928
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - H:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - H:\WINDOWS\system32\ZoneLabs\vsmon.exe


CCleaner, disk cleanup and defrag went fine - no errors.
Spybot clean on reboot.
Dr Watson still around.
  • 0

#18
little eagle

  • Member
  • 170 posts
Dr. Watson basic trouble shooting
  • 0

#19
buckt

  • Topic Starter
  • Member
  • 23 posts
Looks like I've got some homework to do.
Thanks for your help little eagle.
I'll be out of town for a few days, so I'll get back on this first thing next week.
Thanks again.
JT

Edited by buckt, 13 April 2005 - 06:33 AM.

  • 0

#20
little eagle

  • Member
  • 170 posts
Have fun and do good :tazz:
  • 0

#21
buckt

  • Topic Starter
  • Member
  • 23 posts
Here's the latest portion of the drwtsn32.log file.

Application exception occurred:
App: H:\WINDOWS\Explorer.EXE (pid=1420)
When: 4/20/2005 @ 19:58:38.843
Exception number: c0000005 (access violation)

*----> System Information <----*
Computer Name: DRAGON
User Name: JT
Terminal Session Id: 0
Number of Processors: 1
Processor Type: x86 Family 15 Model 2 Stepping 9
Windows Version: 5.1
Current Build: 2600
Service Pack: 2
Current Type: Multiprocessor Free
Registered Organization: JOPA International
Registered Owner: Joel Taylor

*----> Task List <----*
0 System Process
4 System
560 smss.exe
628 csrss.exe
652 winlogon.exe
696 services.exe
708 lsass.exe
840 Ati2evxx.exe
860 svchost.exe
952 svchost.exe
988 svchost.exe
1012 InCDsrv.exe
1180 svchost.exe
1296 svchost.exe
1332 Ati2evxx.exe
1420 Explorer.EXE
1648 spoolsv.exe
1696 SCardSvr.exe
1780 avgamsvr.exe
1792 avgupsvc.exe
1896 mdm.exe
2028 InCD.exe
2036 avgcc.exe
136 Error 0xD0000022
156 ctfmon.exe
208 raidman.exe
244 speedupmypc.exe
296 svchost.exe
588 wdfmgr.exe
1096 Error 0xD0000022
2412 alg.exe
3216 FIREFOX.EXE
748 wuauclt.exe
1524 wmiprvse.exe
260 drwtsn32.exe

*----> Module List <----*
(0000000000a90000 - 0000000000adb000: H:\WINDOWS\system32\MSCTF.dll
(0000000001000000 - 00000000010ff000: H:\WINDOWS\Explorer.EXE
(00000000074a0000 - 00000000074b3000: H:\PROGRA~1\WINDOW~3\wmpband.dll
(000000000ffd0000 - 000000000fff8000: H:\WINDOWS\system32\rsaenh.dll
(000000001c000000 - 000000001c027000: H:\Program Files\Ahead\InCD\incdshx.dll
(0000000020000000 - 00000000202c5000: H:\WINDOWS\system32\xpsp2res.dll
(000000005ad70000 - 000000005ada8000: H:\WINDOWS\system32\UxTheme.dll
(000000005b860000 - 000000005b8b4000: H:\WINDOWS\system32\NETAPI32.dll
(000000005ba60000 - 000000005bad1000: H:\WINDOWS\System32\themeui.dll
(000000005cb70000 - 000000005cb96000: H:\WINDOWS\system32\ShimEng.dll
(000000005d090000 - 000000005d127000: H:\WINDOWS\system32\comctl32.dll
(00000000605d0000 - 00000000605d9000: H:\WINDOWS\system32\mslbui.dll
(000000006f880000 - 000000006fa4a000: H:\WINDOWS\AppPatch\AcGenral.DLL
(0000000071aa0000 - 0000000071aa8000: H:\WINDOWS\system32\WS2HELP.dll
(0000000071ab0000 - 0000000071ac7000: H:\WINDOWS\system32\WS2_32.dll
(0000000071ad0000 - 0000000071ad9000: H:\WINDOWS\System32\WSOCK32.dll
(0000000071b20000 - 0000000071b32000: H:\WINDOWS\system32\MPR.dll
(0000000071bf0000 - 0000000071c03000: H:\WINDOWS\system32\SAMLIB.dll
(0000000071c10000 - 0000000071c1e000: H:\WINDOWS\System32\ntlanman.dll
(0000000071c80000 - 0000000071c87000: H:\WINDOWS\System32\NETRAP.dll
(0000000071c90000 - 0000000071cd0000: H:\WINDOWS\System32\NETUI1.dll
(0000000071cd0000 - 0000000071ce7000: H:\WINDOWS\System32\NETUI0.dll
(0000000071d40000 - 0000000071d5c000: H:\WINDOWS\System32\actxprxy.dll
(0000000073030000 - 0000000073040000: H:\WINDOWS\system32\WZCSAPI.DLL
(00000000745e0000 - 00000000748a6000: H:\WINDOWS\system32\msi.dll
(0000000074ad0000 - 0000000074ad8000: H:\WINDOWS\System32\POWRPROF.dll
(0000000074af0000 - 0000000074afa000: H:\WINDOWS\System32\BatMeter.dll
(0000000074b30000 - 0000000074b76000: H:\WINDOWS\System32\webcheck.dll
(00000000754d0000 - 0000000075550000: H:\WINDOWS\system32\CRYPTUI.dll
(0000000075f60000 - 0000000075f67000: H:\WINDOWS\System32\drprov.dll
(0000000075f70000 - 0000000075f79000: H:\WINDOWS\System32\davclnt.dll
(0000000075f80000 - 000000007607c000: H:\WINDOWS\system32\BROWSEUI.dll
(0000000076280000 - 00000000762a1000: H:\WINDOWS\System32\stobject.dll
(0000000076360000 - 0000000076370000: H:\WINDOWS\system32\WINSTA.dll
(0000000076380000 - 0000000076385000: H:\WINDOWS\System32\MSIMG32.dll
(0000000076400000 - 00000000765a6000: H:\WINDOWS\system32\NETSHELL.dll
(0000000076600000 - 000000007661d000: H:\WINDOWS\System32\CSCDLL.dll
(0000000076980000 - 0000000076988000: H:\WINDOWS\system32\LINKINFO.dll
(0000000076990000 - 00000000769b5000: H:\WINDOWS\system32\ntshrui.dll
(00000000769c0000 - 0000000076a73000: H:\WINDOWS\system32\USERENV.dll
(0000000076b20000 - 0000000076b31000: H:\WINDOWS\system32\ATL.DLL
(0000000076b40000 - 0000000076b6d000: H:\WINDOWS\system32\WINMM.dll
(0000000076c00000 - 0000000076c2e000: H:\WINDOWS\system32\credui.dll
(0000000076c30000 - 0000000076c5e000: H:\WINDOWS\system32\WINTRUST.dll
(0000000076c90000 - 0000000076cb8000: H:\WINDOWS\system32\IMAGEHLP.dll
(0000000076d60000 - 0000000076d79000: H:\WINDOWS\system32\iphlpapi.dll
(0000000076e80000 - 0000000076e8e000: H:\WINDOWS\system32\rtutils.dll
(0000000076f50000 - 0000000076f58000: H:\WINDOWS\System32\WTSAPI32.dll
(0000000076f60000 - 0000000076f8c000: H:\WINDOWS\system32\WLDAP32.dll
(0000000076fd0000 - 000000007704f000: H:\WINDOWS\system32\CLBCATQ.DLL
(0000000077050000 - 0000000077115000: H:\WINDOWS\system32\COMRes.dll
(0000000077120000 - 00000000771ac000: H:\WINDOWS\system32\OLEAUT32.dll
(00000000771b0000 - 0000000077256000: H:\WINDOWS\system32\WININET.dll
(0000000077260000 - 00000000772fe000: H:\WINDOWS\system32\urlmon.dll
(00000000773d0000 - 00000000774d2000: H:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
(00000000774e0000 - 000000007761d000: H:\WINDOWS\system32\ole32.dll
(0000000077760000 - 00000000778cc000: H:\WINDOWS\system32\SHDOCVW.dll
(0000000077920000 - 0000000077a13000: H:\WINDOWS\system32\SETUPAPI.dll
(0000000077a20000 - 0000000077a74000: H:\WINDOWS\System32\cscui.dll
(0000000077a80000 - 0000000077b14000: H:\WINDOWS\system32\CRYPT32.dll
(0000000077b20000 - 0000000077b32000: H:\WINDOWS\system32\MSASN1.dll
(0000000077b40000 - 0000000077b62000: H:\WINDOWS\system32\appHelp.dll
(0000000077be0000 - 0000000077bf5000: H:\WINDOWS\system32\MSACM32.dll
(0000000077c00000 - 0000000077c08000: H:\WINDOWS\system32\VERSION.dll
(0000000077c10000 - 0000000077c68000: H:\WINDOWS\system32\msvcrt.dll
(0000000077d40000 - 0000000077dd0000: H:\WINDOWS\system32\USER32.dll
(0000000077dd0000 - 0000000077e6b000: H:\WINDOWS\system32\ADVAPI32.dll
(0000000077e70000 - 0000000077f01000: H:\WINDOWS\system32\RPCRT4.dll
(0000000077f10000 - 0000000077f56000: H:\WINDOWS\system32\GDI32.dll
(0000000077f60000 - 0000000077fd6000: H:\WINDOWS\system32\SHLWAPI.dll
(0000000077fe0000 - 0000000077ff1000: H:\WINDOWS\System32\Secur32.dll
(000000007c800000 - 000000007c8f4000: H:\WINDOWS\system32\kernel32.dll
(000000007c900000 - 000000007c9b0000: H:\WINDOWS\system32\ntdll.dll
(000000007c9c0000 - 000000007d1d4000: H:\WINDOWS\system32\SHELL32.dll

*----> State Dump for Thread Id 0x590 <----*

eax=00c33764 ebx=0007f104 ecx=1c01851c edx=00000005 esi=00000005 edi=0007efa8
eip=1c001d21 esp=0007ef04 ebp=0007f09c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

*** ERROR: Symbol file could not be found. Defaulted to export symbols for H:\Program Files\Ahead\InCD\incdshx.dll -
function: incdshx
1c001d06 ee out dx,al
1c001d07 016e34 add [esi+0x34],ebp
1c001d0a ffdb call ebx
1c001d0c a828 test al,0x28
1c001d0e ea25130fc422b7 jmp b722:c40f1325
1c001d15 1e push ds
1c001d16 05f93b97f1 add eax,0xf1973bf9
1c001d1b 3a3c78 cmp bh,[eax+edi*2]
1c001d1e 78cc js incdshx+0x1cec (1c001cec)
1c001d20 46 inc esi
FAULT ->1c001d21 eaba50f7dc821e jmp 1e82:dcf750ba
1c001d28 51 push ecx
1c001d29 314eb5 xor [esi-0x4b],ecx
1c001d2c 3623c1 and eax,ss:ecx
1c001d2f 8929 mov [ecx],ebp
1c001d31 29e3 sub ebx,esp
1c001d33 52 push edx
1c001d34 4d dec ebp
1c001d35 0dfc045b05 or eax,0x55b04fc
1c001d3a 644c dec esp
1c001d3c e6a5 out a5,al

*----> Stack Back Trace <----*
*** ERROR: Symbol file could not be found. Defaulted to export symbols for H:\WINDOWS\system32\SHELL32.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for H:\WINDOWS\system32\USER32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for H:\WINDOWS\system32\ntdll.dll -

Not sure what to do next....

I also noticed a new icon on my desktop titled Thumbs. I'm not sure where this came from, but it may be from one of the programs downloaded to help clean this mess up.

Edited by buckt, 21 April 2005 - 08:31 AM.

  • 0
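The crash record in post #21 can be triaged mechanically. The following is an added example, not part of the original thread: it parses a Dr. Watson record, maps the FAULT address onto the module list, and reports the owning module and offset. The function names and the "outside the Windows directory" heuristic are assumptions of this example; the sample input is a trimmed excerpt of the log posted above.

```python
import re
from typing import Dict, List, NamedTuple

# Excerpt of the drwtsn32.log from post #21, module list trimmed to a few entries.
SAMPLE_LOG = r"""
Application exception occurred:
App: H:\WINDOWS\Explorer.EXE (pid=1420)
When: 4/20/2005 @ 19:58:38.843
Exception number: c0000005 (access violation)

*----> Module List <----*
(0000000001000000 - 00000000010ff000: H:\WINDOWS\Explorer.EXE
(000000001c000000 - 000000001c027000: H:\Program Files\Ahead\InCD\incdshx.dll
(0000000077d40000 - 0000000077dd0000: H:\WINDOWS\system32\USER32.dll
(000000007c900000 - 000000007c9b0000: H:\WINDOWS\system32\ntdll.dll
(000000007c9c0000 - 000000007d1d4000: H:\WINDOWS\system32\SHELL32.dll

*----> State Dump for Thread Id 0x590 <----*

eax=00c33764 ebx=0007f104 ecx=1c01851c edx=00000005 esi=00000005 edi=0007efa8
eip=1c001d21 esp=0007ef04 ebp=0007f09c iopl=0 nv up ei pl nz na po nc

1c001d20 46 inc esi
FAULT ->1c001d21 eaba50f7dc821e jmp 1e82:dcf750ba
1c001d28 51 push ecx
"""

APP_RE = re.compile(r"^App:\s*(?P<path>.+?)\s*\(pid=(?P<pid>\d+)\)", re.M)
EXC_RE = re.compile(r"^Exception number:\s*(?P<code>[0-9a-fA-F]+)\s*\((?P<name>[^)]*)\)", re.M)
MOD_RE = re.compile(r"^\((?P<start>[0-9a-fA-F]+)\s*-\s*(?P<end>[0-9a-fA-F]+):\s*(?P<path>.+?)\s*$", re.M)
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-fA-F]{8})\b")
FAULT_RE = re.compile(r"^FAULT\s*->\s*(?P<addr>[0-9a-fA-F]+)\s", re.M)


class Module(NamedTuple):
    start: int   # load address (inclusive)
    end: int     # end of image (exclusive)
    path: str


class CrashRecord(NamedTuple):
    app: str
    pid: int
    code: int
    name: str
    fault_addr: int
    registers: Dict[str, int]
    modules: List[Module]


def parse_crashes(text: str) -> List[CrashRecord]:
    """Split a drwtsn32.log into crash records (the file is appended to on every crash)."""
    records = []
    for chunk in text.split("Application exception occurred:")[1:]:
        app, exc = APP_RE.search(chunk), EXC_RE.search(chunk)
        if not app or not exc:
            continue  # truncated record: nothing reliable to report
        modules = [Module(int(m["start"], 16), int(m["end"], 16), m["path"])
                   for m in MOD_RE.finditer(chunk)]
        regs = {r: int(v, 16) for r, v in REG_RE.findall(chunk)}
        fault = FAULT_RE.search(chunk)
        # Prefer the marked FAULT line; fall back to eip from the state dump.
        addr = int(fault["addr"], 16) if fault else regs.get("eip")
        if addr is None:
            continue
        records.append(CrashRecord(app["path"], int(app["pid"]), int(exc["code"], 16),
                                   exc["name"], addr, regs, modules))
    return records


def triage(rec: CrashRecord) -> dict:
    """Attribute the faulting address to a loaded module, if any contains it."""
    owner = next((m for m in rec.modules if m.start <= rec.fault_addr < m.end), None)
    if owner is None:
        # Address is not inside any listed image (e.g. heap or stack memory).
        return {"module": None, "offset": None,
                "outside_windows_dir": None, "registers_in_module": []}
    return {
        "module": owner.path,
        "offset": rec.fault_addr - owner.start,
        # Heuristic (assumption of this example): images outside \WINDOWS\ are
        # add-ons loaded into the crashing process, not OS components.
        "outside_windows_dir": "\\windows\\" not in owner.path.lower(),
        "registers_in_module": [r for r, v in rec.registers.items()
                                if owner.start <= v < owner.end],
    }


if __name__ == "__main__":
    for rec in parse_crashes(SAMPLE_LOG):
        result = triage(rec)
        print(f"{rec.app} (pid {rec.pid}) {rec.code:#010x} {rec.name}")
        print(f"  fault at {rec.fault_addr:#010x} -> {result['module']} +{result['offset']:#x}")
        print(f"  outside Windows dir: {result['outside_windows_dir']}; "
              f"registers pointing into module: {result['registers_in_module']}")
```
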

#22
little eagle

  • Member
  • 170 posts
Click HERE to download DllCompare. Start the program and click Run Locate.com - be sure the \Windows\System32 directory is in the box and wait until the blue text says it has 'completed the scan'.

Click the Compare button to start the next process. The results appear in two panes - files in the upper pane have been verified to 'exist', files in the lower pane were 'not able to be accessed'. Very few files should be listed in the lower pane when the Compare scan is complete. Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button and post the log here in this thread and wait for further instructions.
  • 0

#23
buckt

  • Topic Starter
  • Member
  • 23 posts
I hope this is good...

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :tazz:"
________________________________________________

1,319 items found: 1,319 files, 0 directories.
Total of file sizes: 281,179,618 bytes 268.15 M

Administrator Account = True

--------------------End log---------------------
  • 0

#24
little eagle

  • Member
  • 170 posts
Can you post another log from Hijackthis.
  • 0

#25
buckt

  • Topic Starter
  • Member
  • 23 posts
Absolutely...

Logfile of HijackThis v1.99.1
Scan saved at 2:08:31 PM, on 4/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
H:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
H:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wundergro...0R&zoommode=pan
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.wundergro...y, TX&type=N0R"); (H:\Documents and Settings\JT\Application Data\Mozilla\Profiles\default\41bt8evi.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://H%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (H:\Documents and Settings\JT\Application Data\Mozilla\Profiles\default\41bt8evi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HighPoint ATA RAID Management Software.lnk = H:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpeedUpMyPC.lnk = H:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: &Google Search - res://h:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://h:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://h:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://h:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://h:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://kaldm1-web.f...0018/iNotes.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092958210928
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - H:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - H:\WINDOWS\system32\ZoneLabs\vsmon.exe

Still having the right click=Dr Watson issue, other than that the only other problem I see is that the PC is extremely slow, primarily internet speed.

Edited by buckt, 24 April 2005 - 02:03 PM.

  • 0


#26
little eagle

  • Member
  • 170 posts
You have high CPU Usage which can be caused by the Blaster, Nachi or Welchia trojan. To remove this and several other trojans there is a tool which needs to be downloaded and run.

1. Please download Stinger and save it to your desktop

2. Double-click on the stinger.exe file and open the tool

3. Choose your entire hard drive to scan.

4. Choose Scan Now

5. Stinger will fix anything that it finds

6. Click the File menu and select Save report to file

7. Post the log file results here in this thread.
  • 0

#27
buckt

  • Topic Starter
  • Member
  • 23 posts
Here's the Stinger report followed by a new HJT log.

No changes to performance problems.


McAfee AVERT Stinger Version 2.5.3 built on Mar 1 2005

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Mar 1 2005.

Ready to scan for 53 viruses, trojans and variants.



Scan initiated on Sun Apr 24 17:12:34 2005

Number of clean files: 129890

-------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:54:29 PM, on 4/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\savedump.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
H:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\WINDOWS\system32\wuauclt.exe
H:\PROGRA~1\MOZILL~1\FIREFOX.EXE
H:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wundergro...0R&zoommode=pan
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.wundergro...y, TX&type=N0R"); (H:\Documents and Settings\JT\Application Data\Mozilla\Profiles\default\41bt8evi.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://H%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (H:\Documents and Settings\JT\Application Data\Mozilla\Profiles\default\41bt8evi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HighPoint ATA RAID Management Software.lnk = H:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpeedUpMyPC.lnk = H:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: &Google Search - res://h:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://h:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://h:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://h:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://h:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://kaldm1-web.f...0018/iNotes.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092958210928
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - H:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - H:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#28
little eagle

  • Member
  • 170 posts
Spybot S&D lets you kill the O4's, the startups. Start Spybot, click mode at the top left,
make sure that advanced mode is checked. Then click on tools on the lower left.
Then system startup, to the right is a double arrow bar click it to expand.
Now clicking on a value you will get a description of the command line. Removing the green
check mark will stop the startup, should you decide that you need or want it back just
replace the check mark. Restarting your PC will complete the change.
Remove the check marks from the ones listed below.

This one may be the trouble
O4 - Global Startup: VTAgentReboot.exe

After running it for awhile if that doesn't fix it disable this one also.
O4 - Global Startup: SpeedUpMyPC.lnk = H:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe

Let me know if this helps.

Edited by little eagle, 25 April 2005 - 04:24 AM.

  • 0

#29
buckt

  • Topic Starter
  • Member
  • 23 posts
Spybot did not find
O4 - Global Startup: VTAgentReboot.exe

I unchecked
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
and
O4 - Global Startup: SpeedUpMyPC.lnk = H:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe

with no changes to the problems.

I tried to let HJT fix the problem with O4 - Global Startup: VTAgentReboot.exe, but it wouldn't, stating it was a running process and to use Task Manager to end the process. It's not showing up in Task Manager.

I just checked spybot and O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe is on the list twice and one is checked.

I also forgot to post this

Logfile of HijackThis v1.99.1
Scan saved at 8:24:22 PM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
H:\WINDOWS\explorer.exe
H:\WINDOWS\system32\taskmgr.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
H:\PROGRA~1\MOZILL~1\FIREFOX.EXE
H:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wundergro...0R&zoommode=pan
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.wundergro...y, TX&type=N0R"); (H:\Documents and Settings\JT\Application Data\Mozilla\Profiles\default\41bt8evi.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://H%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (H:\Documents and Settings\JT\Application Data\Mozilla\Profiles\default\41bt8evi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HighPoint ATA RAID Management Software.lnk = H:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpeedUpMyPC.lnk.disabled
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: &Google Search - res://h:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://h:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://h:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://h:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://h:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://kaldm1-web.f...0018/iNotes.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092958210928
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - H:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - H:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by buckt, 25 April 2005 - 07:24 PM.

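Added example, not part of the original posts: a small Python triage that cross-checks each O4 autostart line in a HijackThis log against the log's own "Running processes" section. The sample is an excerpt of the log posted in #29; the function names and status labels are assumptions made for this illustration.

```python
import re

# Excerpt of the HijackThis log posted above (#29), trimmed to the lines used here.
SAMPLE_LOG = r"""Running processes:
H:\Program Files\Ahead\InCD\InCD.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
H:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
H:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HighPoint ATA RAID Management Software.lnk = H:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpeedUpMyPC.lnk.disabled
O4 - Global Startup: VTAgentReboot.exe
"""

# Last path component ending in .exe (ignores quotes and trailing arguments).
EXE = re.compile(r'[^\\"]+\.exe', re.I)

def running_names(log):
    """Lower-cased file names listed under 'Running processes:'."""
    names, in_section = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section and not line:
            break  # a blank line ends the section
        elif in_section:
            names.add(line.rsplit("\\", 1)[-1].lower())
    return names

def triage_startup(log):
    """Return (location, entry, status) for every O4 autostart line."""
    running, rows = running_names(log), []
    for line in log.splitlines():
        if not line.startswith("O4 - "):
            continue
        location, _, entry = line[5:].partition(": ")
        if entry.lower().endswith(".disabled"):
            rows.append((location, entry, "disabled"))
            continue
        # Run values look like "[name] command"; shortcuts like "x.lnk = target".
        target = entry.split("] ", 1)[-1].split(" = ", 1)[-1]
        m = EXE.search(target)
        exe = m.group(0).lower() if m else None
        rows.append((location, entry, "running" if exe in running else "not running"))
    return rows
```

A "not running" status is not a verdict on the file; it only marks the autostart entries whose file on disk is worth checking by hand.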

#30
little eagle

Description: ctfmon.exe is a part of the Microsoft Office suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

Your computer shows no sign of spyware. Kind of at a loss as to the trouble.