
Windows explorer steals focus on "p" keystroke: infection?



#16
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Looks like the net 1.1 is back and has a friend from Office.

Microsoft has a couple of pages of suggestions and also offers free help for this:

http://support.microsoft.com/kb/824643

http://support.microsoft.com/kb/304498

http://support.microsoft.com/kb/906602

We are going off island today so won't be on the computer until late.

Ron
  • 0


#17
clearly

    Member

  • Topic Starter
  • Member
  • 18 posts
Hi Ron,

Thank you for all the help with this mystery problem.

I have tried to decipher all the Microsoft help on this latest issue, but to be fair, this is their issue and not mine. I looked carefully at the .net cleanup tool and the required steps. They want me to uninstall all versions and service packs of .net from my system then manually re-install every .net version and service pack in the correct order (which depends on what I have currently)! I think this is preposterous and that they should take responsibility and send an update via windows update that does all this. The room for user error is very large and it is not fair for them to pass their responsibility onto the user. Given that the rest of my system appears to be working fine, I'm just not prepared to take that risk.

I have been able to hide the erroneous update on Windows Update like I did to a previous erroneous update. I hope I don't get any more errors and that this is a good enough solution.

I gather through all the cleans and tools you've helped me with that it is fair to say my system is clear of viruses and malware. Would you agree? I was surprised that the MBR tool picked up problems but that these turned out to be nothing.

First prize would have been figuring out how I got infected (and how the "p" keystroke problem began, never mind how it went away!) so I can avoid the same actions/results in the future. Nevertheless, I'm wanting to try and move forward now. I'll be running Autorun Eater and using Avira and MalwareBytes as my main protection. I also run CCleaner to clean out temp files on a regular basis. File backups will be performed with Second Copy and system backups with Norton Ghost. Any advice or suggestions regarding my protection strategy are most welcomed.

Thank you so much for all your determined efforts and patient assistance.

Kind regards,
Morgan
  • 0

#18
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Some of the newer programs are written in .net. Just keep it in mind if something doesn't want to work.



I'm pretty sure the following 3 files are good but before we put them back it's probably best to submit them one at a time to http://virustotal.com and make sure.
C:\Qoobox\Quarantine\C\WINDOWS\dropcpyr.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\copyfstq.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system\VI30AUT.DLL.vir

Assuming virustotal OKs them then to put them back:

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\dropcpyr.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\copyfstq.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system\VI30AUT.DLL.vir

Quit::



******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Copy and paste the log.

The following is my generic "goodbye for XP"

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Then Start, Run, cmd, OK then right click, Paste, (or Edit, Paste) then hit Enter.

OTL has a cleanup tab which will remove it and its files as well as some of our common tools.

To hide hidden files again:

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.


Make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past. They are also offering something from Mcafee which you should uncheck or uninstall afterward.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.5.
http://download.cnet...4-10752777.html
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password!

If you need additional protection try the free Online Armor firewall
http://www.online-ar...-armor-free.php


Ron
  • 0

#19
clearly

    Member

  • Topic Starter
  • Member
  • 18 posts
Hi Ron,

Since your message I've had the "p" problem return once and disappear in the same Windows session! I could not link it to a running application either. I also continue to receive the "Windows - no disk" error seemingly at random.

I ran the ComboFix script to dequarantine the files. I'm not sure if it completed correctly as the only log I received was C:\DeQuarantine.txt which has
C:\Qoobox\Quarantine\C\WINDOWS\copyfstq.exe.vir -> C:\WINDOWS\copyfstq.exe ( 73728 bytes )
C:\Qoobox\Quarantine\C\WINDOWS\dropcpyr.dll.vir -> C:\WINDOWS\dropcpyr.dll ( 94636 bytes )
C:\Qoobox\Quarantine\C\WINDOWS\system\VI30AUT.DLL.vir -> C:\WINDOWS\system\VI30AUT.DLL ( 84225 bytes )

Jim's steps to cleanup System Restore are missing (404 error). I'm busy working through all the other tips and suggestions. Thank you.

Well I am truly mystified. I could almost cry.

Thanks,
Morgan
  • 0

#20
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
The de-quarantine worked anyway.

Try http://aumha.net/vie...581099691bf108f for Jim's steps.

Run the VEW.exe again as before and let's see what new events you have.

Ron
  • 0

#21
clearly

    Member

  • Topic Starter
  • Member
  • 18 posts
Hi Ron,

Thank you for your continuing help.

I ran Jim's steps and cleaned my system restore. Sorry but I couldn't quite figure out what you meant by VEW.exe - which application was that again? Is that NirSoft's ShellExView?

Thanks,
Morgan
  • 0

#22
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning
5. Then use the 'Number of events' as follows:
Click the radio button for 'Number of events'.
Type 20 in the 1 to 20 box.
Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application.
  • 0

#23
clearly

    Member

  • Topic Starter
  • Member
  • 18 posts
Hi Ron,

I have been uninstalling more applications today and also finally succeeded in uninstalling ArcGIS which is an application I've tried and failed to uninstall several times in the last 2 years. This leads me to believe that some of the things you've done have "cleaned" an error. Thank you.

I ran VEW.exe, logs follow.

Thank you for all your help,
Morgan

Vino's Event Viewer v01c run on Windows XP in English
Report run at 13/03/2011 06:42:08 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 12/03/2011 09:01:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Folder Size service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 12/03/2011 05:51:22 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Log: 'System' Date/Time: 10/03/2011 05:51:20 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Log: 'System' Date/Time: 10/03/2011 12:51:01 PM
Type: error Category: 8
Event: 20 Source: Windows Update Agent
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2416447).

Log: 'System' Date/Time: 10/03/2011 12:31:49 PM
Type: error Category: 8
Event: 20 Source: Windows Update Agent
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2416447).

Log: 'System' Date/Time: 10/03/2011 12:08:36 PM
Type: error Category: 8
Event: 20 Source: Windows Update Agent
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2416447).

Log: 'System' Date/Time: 10/03/2011 04:03:02 AM
Type: error Category: 8
Event: 20 Source: Windows Update Agent
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2416447).

Log: 'System' Date/Time: 09/03/2011 12:31:27 PM
Type: error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume Local Disk.

Log: 'System' Date/Time: 09/03/2011 04:02:47 AM
Type: error Category: 8
Event: 20 Source: Windows Update Agent
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2416447).

Log: 'System' Date/Time: 09/03/2011 12:07:29 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 09/03/2011 12:05:10 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Log: 'System' Date/Time: 09/03/2011 12:05:10 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Log: 'System' Date/Time: 09/03/2011 12:04:26 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT nltdi RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv Tcpip WS2IFSL

Log: 'System' Date/Time: 09/03/2011 12:04:26 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 09/03/2011 12:04:26 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 09/03/2011 12:04:26 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 09/03/2011 12:04:26 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 09/03/2011 12:04:26 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 09/03/2011 12:04:26 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 09/03/2011 12:04:26 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 13/03/2011 06:20:18 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 13/03/2011 04:20:20 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 04:05:15 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 04:04:40 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 04:03:55 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 04:03:20 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 04:02:38 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...us\azureus.statistics

Log: 'System' Date/Time: 13/03/2011 04:02:10 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 04:01:35 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 04:01:00 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 04:00:23 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...s\dht\contacts.saving

Log: 'System' Date/Time: 13/03/2011 03:59:40 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 03:59:05 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 03:58:23 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...us\azureus.statistics

Log: 'System' Date/Time: 13/03/2011 03:57:55 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 03:57:20 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...reus\logs\debug_1.log

Log: 'System' Date/Time: 13/03/2011 03:56:52 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 03:56:17 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

Log: 'System' Date/Time: 13/03/2011 03:55:33 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...us\azureus.statistics

Log: 'System' Date/Time: 13/03/2011 03:55:07 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log


Vino's Event Viewer v01c run on Windows XP in English
Report run at 13/03/2011 06:43:41 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 13/03/2011 04:50:40 PM
Type: error Category: 0
Event: 0 Source: VMCService
conflictManagerTypeValue

Log: 'Application' Date/Time: 13/03/2011 12:57:12 PM
Type: error Category: 3
Event: 4118 Source: Avira AntiVir
EXCEPTION calling function <Scan> for the file C:\Downloads\Ebooks\Philosophy\The Philosophy of Ayn Rand - For The New Intellectual.pdf [ACCESS_VIOLATION Exception!! EIP = 0x16997ca] Please inform Avira and submit the appropriate file!

Log: 'Application' Date/Time: 13/03/2011 12:46:02 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 13/03/2011 11:10:26 AM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 12/03/2011 10:03:49 PM
Type: error Category: 3
Event: 4118 Source: Avira AntiVir
EXCEPTION calling function <Scan> for the file C:\Downloads\Ebooks\Misc Ebooks\Richard Dawkins - The Blind Watchmaker.pdf [ACCESS_VIOLATION Exception!! EIP = 0x16997ca] Please inform Avira and submit the appropriate file!

Log: 'Application' Date/Time: 12/03/2011 09:06:10 PM
Type: error Category: 0
Event: 0 Source: VMCService
conflictManagerTypeValue

Log: 'Application' Date/Time: 12/03/2011 08:43:52 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 12/03/2011 08:42:14 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 12/03/2011 02:18:49 PM
Type: error Category: 3
Event: 4118 Source: Avira AntiVir
EXCEPTION calling function <Scan> for the file C:\Downloads\Ebooks\The Internet Encyclopedia Of Philosophy\The Internet Encyclopedia Of Philosophy.pdf [ACCESS_VIOLATION Exception!! EIP = 0x16997ca] Please inform Avira and submit the appropriate file!

Log: 'Application' Date/Time: 12/03/2011 01:54:26 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 11/03/2011 02:26:53 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 11/03/2011 02:26:53 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 11/03/2011 02:26:53 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 11/03/2011 02:26:53 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 11/03/2011 02:26:53 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 11/03/2011 02:26:53 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 11/03/2011 02:26:53 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 11/03/2011 02:26:53 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 11/03/2011 02:26:53 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Log: 'Application' Date/Time: 11/03/2011 02:26:53 PM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 13/03/2011 11:08:51 AM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\virus fixes\Flash_Disinfector.exe

Log: 'Application' Date/Time: 11/03/2011 02:25:11 PM
Type: warning Category: 2
Event: 100 Source: Norton Ghost
Error EC8F17E5: Your recovery point location of M:\c_drive\backup\ is running out of space. Please run the Cleanup Recovery Points task to free up some space. Details: Not enough storage is available to complete this operation. Source: Norton Ghost

Log: 'Application' Date/Time: 11/03/2011 12:01:27 PM
Type: warning Category: 2
Event: 100 Source: Norton Ghost
Error EC8F17E5: Your recovery point location of M:\c_drive\backup\ is running out of space. Please run the Cleanup Recovery Points task to free up some space. Details: Not enough storage is available to complete this operation. Source: Norton Ghost

Log: 'Application' Date/Time: 11/03/2011 09:15:43 AM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\virus fixes\Flash_Disinfector.exe

Log: 'Application' Date/Time: 11/03/2011 07:31:59 AM
Type: warning Category: 2
Event: 100 Source: Norton Ghost
Error EC8F17E5: Your recovery point location of M:\c_drive\backup\ is running out of space. Please run the Cleanup Recovery Points task to free up some space. Details: Not enough storage is available to complete this operation. Source: Norton Ghost

Log: 'Application' Date/Time: 10/03/2011 08:26:02 PM
Type: warning Category: 0
Event: 1001 Source: MsiInstaller
The event description cannot be found.

Log: 'Application' Date/Time: 10/03/2011 08:26:02 PM
Type: warning Category: 0
Event: 1004 Source: MsiInstaller
The event description cannot be found.

Log: 'Application' Date/Time: 10/03/2011 02:30:46 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\virus fixes\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 02:27:08 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\virus fixes\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 02:27:08 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 02:27:01 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 02:25:40 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 02:24:45 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 02:24:43 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 02:10:20 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 01:44:26 PM
Type: warning Category: 2
Event: 100 Source: Norton Ghost
Error EC8F17E5: Your recovery point location of M:\c_drive\backup\ is running out of space. Please run the Cleanup Recovery Points task to free up some space. Details: Not enough storage is available to complete this operation. Source: Norton Ghost

Log: 'Application' Date/Time: 10/03/2011 01:31:16 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 01:04:22 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 01:03:50 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

Log: 'Application' Date/Time: 10/03/2011 12:46:30 PM
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'APPL/NirCmd.2' in the file C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe
  • 0

#24
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Log: 'System' Date/Time: 09/03/2011 12:31:27 PM
Type: error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume Local Disk.

Not a good sign. Either the hard drive has a bad spot on it or you have some bad ram.

1. Double-click My Computer, and then right-click the hard disk that you want to check: C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check.

Run a memory test.

http://oca.microsoft.../en/windiag.asp or http://www.memtest.org/

Azureus.exe is having some problems or perhaps avira is having a problem with it:

Log: 'System' Date/Time: 13/03/2011 04:20:20 PM
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<Azureus.exe> C:\...eus\logs\thread_2.log

I'm also seeing:
Log: 'System' Date/Time: 13/03/2011 06:20:18 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

This is usually caused by P2P software trying to talk to too many other PCs but can also be a sign of a worm infection. In any event running any P2P software is dangerous.

Avira is also having problems with some of your ebooks. Perhaps the files are too big for avira.

Log: 'Application' Date/Time: 13/03/2011 12:57:12 PM
Type: error Category: 3
Event: 4118 Source: Avira AntiVir
EXCEPTION calling function <Scan> for the file C:\Downloads\Ebooks\Philosophy\The Philosophy of Ayn Rand - For The New Intellectual.pdf [ACCESS_VIOLATION Exception!! EIP = 0x16997ca] Please inform Avira and submit the appropriate file!

Log: 'Application' Date/Time: 12/03/2011 10:03:49 PM
Type: error Category: 3
Event: 4118 Source: Avira AntiVir
EXCEPTION calling function <Scan> for the file C:\Downloads\Ebooks\Misc Ebooks\Richard Dawkins - The Blind Watchmaker.pdf [ACCESS_VIOLATION Exception!! EIP = 0x16997ca] Please inform Avira and submit the appropriate file!

Folder Size is having a lot of problems:
Log: 'Application' Date/Time: 13/03/2011 11:10:26 AM
Type: error Category: 0
Event: 0 Source: FolderSize
The event description cannot be found.

Finally, Microsoft Update is not connecting:
Log: 'System' Date/Time: 12/03/2011 05:51:22 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Possibly because Azureus is using all of the available connections, but sometimes this is a sign of an infection.

Either a malware proxy:

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

In FireFox, Tools, Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

In Chrome, Wrench, Options, Under the Hood, Change Proxy Settings, uncheck all boxes, OK.

or a DNS hijack:

1. Click "Start," click "Control Panel," click "Network and Internet Connections," and then click "Network Connections."
2. Right-click the network connection that you want to configure (the one you use to connect to the Internet), and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click "Internet Protocol (TCP/IP)", and then click "Properties."

4. Click "Use the following DNS server addresses," and then type 8.8.8.8 in the Preferred DNS server and 4.2.2.1 in the Alternate DNS server boxes.

5. Click "OK"

(These aren't the best DNS servers for South Africa but they should still work. You can replace the two IP addresses with those of your local ISP if you know them.)

Ron
  • 0
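
As an added example (not Ron's code, nor anything from the forum), here are the two checks from the post above as a PowerShell script a helper could run instead of clicking through the dialogs: it reads the WinINET proxy settings that IE and Chrome share, compares each adapter's DNS servers against an expected list, and flags hosts-file entries other than localhost. The expected-server list (the router at 192.168.0.1 plus 8.8.8.8 and 4.2.2.1, the addresses named in this thread) and the function names are this example's own assumptions; edit the list to match your network. Firefox keeps its own proxy setting in the profile's prefs.js (network.proxy.type), which this script does not read.

```powershell
# Added example, not from the thread. Defender-side check for the two things
# Ron describes: a malware proxy and a DNS hijack. Assumes PowerShell 2.0 or
# later, run as the affected user (proxy settings live under HKCU).
# $ExpectedDns is an assumption taken from the addresses used in this thread.

$ExpectedDns = @('192.168.0.1', '8.8.8.8', '4.2.2.1')

function Get-IeProxyFindings {
    # WinINET settings drive both IE and Chrome on Windows, so one registry
    # key covers two of the three browsers in Ron's list.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    $findings = @()
    if ($p.ProxyEnable -eq 1) {
        $findings += "Proxy enabled in WinINET settings: $($p.ProxyServer)"
    }
    if ($p.AutoConfigURL) {
        $findings += "Proxy auto-config script set: $($p.AutoConfigURL)"
    }
    return $findings
}

function Get-DnsFindings {
    # Any resolver not on the expected list is reported; DHCP from the router
    # normally hands out the router's own address, which is on the list.
    $findings = @()
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        foreach ($server in @($a.DNSServerSearchOrder)) {
            if ($server -and ($ExpectedDns -notcontains $server)) {
                $findings += "Unexpected DNS server $server on adapter '$($a.Description)'"
            }
        }
    }
    return $findings
}

function Get-HostsFileFindings {
    # A rewritten hosts file is the other common way lookups get redirected.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $findings = @()
    foreach ($line in Get-Content $hosts) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        if ($trimmed -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
            $findings += "Non-default hosts entry: $trimmed"
        }
    }
    return $findings
}

$all = @(Get-IeProxyFindings) + @(Get-DnsFindings) + @(Get-HostsFileFindings)
if ($all.Count -eq 0) {
    Write-Output 'No proxy, DNS or hosts-file anomalies found.'
} else {
    $all | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from a PowerShell prompt on the affected machine; each FINDING line points at one of the three settings Ron asks to be reset, so the output tells you which dialog (or which file) still needs attention after the manual steps.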

#25 RKinner (Malware Expert; Expert, 24,624 posts, MVP)
Forgot one:

Log: 'Application' Date/Time: 11/03/2011 02:25:11 PM
Type: warning Category: 2
Event: 100 Source: Norton Ghost
Error EC8F17E5: Your recovery point location of M:\c_drive\backup\ is running out of space. Please run the Cleanup Recovery Points task to free up some space. Details: Not enough storage is available to complete this operation. Source: Norton Ghost
  • 0



#26 clearly (Member; Topic Starter, 18 posts)
Hi Ron,

Thank you for your help.

1. I have run chkdsk on my C:\ drive, log follows:

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 2011-03-15
Time: 12:24:37 AM
User: N/A
Computer: MORGAN
Description:
Checking file system on C:
The type of the file system is NTFS.
Volume label is Local Disk.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 139 unused index entries from index $SII of file 0x9.
Cleaning up 139 unused index entries from index $SDH of file 0x9.
Cleaning up 139 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

90886288 KB total disk space.
80836704 KB in 188218 files.
81308 KB in 16498 indexes.
0 KB in bad sectors.
247020 KB in use by the system.
4096 KB occupied by the log file.
9721256 KB available on disk.

4096 bytes in each allocation unit.
22721572 total allocation units on disk.
2430314 allocation units available on disk.

Internal Info:
b0 9d 03 00 b6 1f 03 00 17 7e 04 00 00 00 00 00 .........~......
bb 1d 00 00 02 00 00 00 8a 08 00 00 00 00 00 00 ................
e0 40 85 13 00 00 00 00 4a 5c fb da 00 00 00 00 [email protected]\......
2a 07 14 1f 00 00 00 00 50 41 e4 e2 0b 00 00 00 *.......PA......
bc 2a e2 21 01 00 00 00 6c 0e 31 19 0e 00 00 00 .*.!....l.1.....
99 9e 36 00 00 00 00 00 a0 39 07 00 3a df 02 00 ..6......9..:...
00 00 00 00 00 80 e1 45 13 00 00 00 72 40 00 00 .......E....r@..

Windows has finished checking your disk.
Please wait while your computer restarts.


For more information, see Help and Support Center at

http://go.microsoft....ink/events.asp.

I have previously noted disk errors in my Event Viewer. However, these errors appear to occur at random across all my drives. They began occurring even on a new 2TB drive purchased four months ago. I downloaded various manufacturers' low-level hard drive checker utilities and exhaustively scanned all my drives. No errors were ever found, yet the event log still has disk errors to this day. There are 18 such errors from the 8th of March until the 14th of March. Here is the most recent error in the "System" section of the Event Viewer:

Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 51
Date: 2011-03-14
Time: 05:13:51 AM
User: N/A
Computer: MORGAN
Description:
An error was detected on device \Device\Harddisk4\D during a paging operation.

For more information, see Help and Support Center at http://go.microsoft....ink/events.asp.
Data:
0000: 03 00 68 00 01 00 b6 00 ..h...¶.
0008: 00 00 00 00 33 00 04 80 ....3..€
0010: 2d 01 00 00 00 00 00 00 -.......
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 4d 5c 25 00 00 00 00 00 M\%.....
0030: ff ff ff ff 03 00 00 00 ÿÿÿÿ....
0038: 40 00 00 09 00 00 00 00 @.......
0040: 00 20 0a 12 40 03 20 40 . ..@. @
0048: 00 10 00 00 0a 00 00 00 ........
0050: 00 00 00 00 60 9d 69 89 ....`�i‰
0058: 00 00 00 00 30 aa 0a 8a ....0ª.Š
0060: 00 00 00 00 87 fe 55 00 ....‡þU.
0068: 28 00 00 55 fe 87 00 00 (..Uþ‡..
0070: 08 00 00 00 00 00 00 00 ........
0078: 00 00 00 00 00 00 00 00 ........
0080: 00 00 00 00 00 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........

Strangely, my DVD drive/burner has become rather unreliable of late, going back some two or three months. I had to trash several attempts at burning the .iso to run the memory checker bootable software. Even then, after a failed burn the burning software (Nero), says the disk is blank, even though it failed during the track writing stage. One of these "failed" burn DVDs that Nero said was blank actually had the Microsoft Memory checker software on it because when I rebooted with this "blank" disk in, the Memory testing software booted and ran.

2. I ran the Microsoft Memory checker from a bootable DVD and there were no errors. I also ran the extended memory tests without errors.

3. Azureus.exe was uninstalled just after those errors. I mentioned I had uninstalled several apps. Azureus I had running to extract my settings before an uninstall. This application can "flood" the TCP/IP connections as noted. I do find it useful, am very aware of potential problems, but have uninstalled to eliminate it as a possible cause of my system problems.

4. Avira problems accessing certain files (ebooks). I think this is caused because at the time Azureus was actually downloading those files which were not completely downloaded yet. Azureus has a lock on the file/s while they are downloaded, preventing Avira from scanning the file/s.

5. I have stopped the FolderSize service for now. This is a tiny application that runs as a service and provides what one would think is core Windows functionality: a column in Windows Explorer showing the size of the folder.

6. Microsoft Update is not a big problem. I update manually via windowsupdate.com fairly often. Often I have the yellow system tray icon for Microsoft Update which says "Downloading Updates... 0%" when I hover over it. This never seems to change. It used to say "Downloading Updates... 9%" and never go anywhere. There are no options, and double-clicking the system tray icon does nothing. Now that I have hidden that stubborn .net 1.1 update that wouldn't download, I don't have the "9%" problem. An update in the past used to cause similar Microsoft Update symptoms, but that also disappeared (along with the option to "Install Updates and Shut down", which never installed) when I hid the update on windowsupdate.com. I have mentioned this in an earlier post.

7. Malware proxy - I followed your steps to ensure proxy servers were turned off in my internet browsers.

8. DNS hijack - I followed your steps changing the TCP/IP settings on my Network Connection. I use an ADSL router/modem and so have changed my default gateway to the address of my router (192.168.0.1), with an alternate as 8.8.8.8. I use strong security on my router, with no defaults, no DHCP and MAC address-based access only.

Thank you so much,
Morgan
  • 0
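
As an added example rather than anything Morgan or Ron posted, the same triage in PowerShell: it counts Error and Warning events from the System and Application logs by source and event ID over the last week, annotates the IDs discussed in this thread, and for the Disk event 51 entries Morgan mentions groups them by the device the message names, so a single drive or cable stands out from random noise. The notes table and the function names are this example's own; it assumes PowerShell 2.0 or later run on the affected machine.

```powershell
# Added example, not from the thread. Summarise recent Error/Warning events
# the way Ron went through them by hand. Assumes PowerShell 2.0+; the $Known
# table is this example's own annotation of the event IDs seen in the thread.

$Known = @{
    'Disk/51'                 = 'Paging I/O error; note which \Device\HarddiskN it names'
    'Windows Update Agent/16' = 'Cannot reach update service; check proxy and DNS first'
    'Avira AntiVir/4118'      = 'Scanner exception on a file; check whether the file was open'
}

function Get-EventSummary {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Collect from both logs; a log with no matching entries contributes nothing.
    $events = foreach ($log in 'System', 'Application') {
        Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue
    }
    @($events) | Where-Object { $_ } |
        Group-Object Source, EventID | Sort-Object Count -Descending | ForEach-Object {
            $first  = $_.Group | Select-Object -First 1
            $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
            $tag    = "$($first.Source)/$($first.EventID)"
            New-Object PSObject -Property @{
                Count   = $_.Count
                Source  = $first.Source
                EventID = $first.EventID
                Latest  = $latest.TimeGenerated
                Note    = $Known[$tag]
            }
        }
}

function Get-DiskErrorDevices {
    # Event 51's message names the device ("\Device\Harddisk4\D" in the thread);
    # pull that out and count per device.
    param([int]$Days = 7)
    Get-EventLog -LogName System -Source Disk -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 51 } |
        ForEach-Object {
            if ($_.Message -match '(\\Device\\Harddisk\d+\\\w+)') { $matches[1] } else { '(unknown device)' }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Name, Count
}

Get-EventSummary -Days 7 | Format-Table Count, Source, EventID, Latest, Note -AutoSize
Get-DiskErrorDevices -Days 7 | Format-Table Name, Count -AutoSize
```

If the second table shows all 18 of Morgan's event 51 entries on one \Device\HarddiskN, that narrows the problem to that drive, its cable or its controller port; if they are spread evenly across devices, the cause is more likely shared (controller, driver, power) than any one disk.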

#27 clearly (Member; Topic Starter, 18 posts)
Hi Ron,

I forgot to add some comment about Norton Ghost. This type of application is really excellent and has become essential to me. The problem is Norton Ghost is a real system hog and is not reliable. It chews a lot of CPU when running. It regularly runs to completion but the created drive image file [.v2i (the base backup) or .iv2i (the incremental backup)] is deleted at the very end of the backup process and the backup fails. Usually the error given relates to insufficient system resources (likely Norton Ghost stole them all itself) or insufficient space (almost always not true, this error can occur when there is 120GB or more available to create a 40GB file). Norton Ghost has always given these sorts of errors and I've been using it for probably three years now.

So I'm wanting to find a less system intensive and more reliable drive imaging tool. It should be able to do base backups, along with incremental backups. Also the created backups/image files should ideally be mountable as a drive.

I gather you would support such a form of backup. Do you have any preferences, recommendations or suggestions?

Thanks so much,
Morgan
  • 0

#28 RKinner (Malware Expert; Expert, 24,624 posts, MVP)
Look into clonezilla. Lots of good reviews about it. http://clonezilla.sourceforge.net/

Ron
  • 0

#29 clearly (Member; Topic Starter, 18 posts)
Hi Ron,

Thank you for this recommendation. I am looking into it as well as a couple of other contenders I found reviewed at this rather useful freeware site: http://www.techsuppo...ory-editors.htm

I'm not sure if you saw my main reply to your comments on the errors and problems found in the Event Viewer. I ran memory tests and the chkdsk on my C: drive.

Thank you,
Morgan
  • 0

#30 RKinner (Malware Expert; Expert, 24,624 posts, MVP)
If the memory is good then it may be something weird like a bad or loose IDE ribbon cable or a failing IDE controller. Things are not running too hot, are they? Did we check the temp?

Get SIW

http://www.snapfiles.com/get/siw.html

Run it and under Hardware look for Sensors. Click on Sensors and look in the right pane there should be some temperature readings. What are they? Watch your video for a little bit then look again. Are the temps going up?

Ron
  • 0