
Win32:Hpigon-AX and Win32:Adware-gen in registry


  • This topic is locked

#16
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Looks clean, could you plug in another keyboard and let me know if the symptoms persist
  • 0

#17
}:{

    Member

  • Topic Starter
  • 16 posts
I have done as you asked, still blocked. Not sure if this is the same as the zip file. I still can't attach the virus scan; when I clicked save I had to choose where to put it. It is on the desktop. I could only save it as a text file, which opens with Notepad. When I right-clicked I sent it to zip, then clicked browse, then clicked attach. An error message, no. I will copy and paste the virus scan. I'm sorry, I realized I missed a post of yours; will do it and get back to you. I'm sorry, I haven't any idea what I did wrong. Can text files be zipped?

Gathering system information: completed 18 hours ago (events: 247, time: 00:20:02)
7/25/2011 09:41:35 Task started Gathering system information
7/25/2011 09:42:09 Main script of analysis
7/25/2011 09:42:12 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
7/25/2011 09:42:12 System Restore: enabled
7/25/2011 09:42:42 1.1 Searching for user-mode API hooks
7/25/2011 09:42:43 Analysis: kernel32.dll, export table found in section .text
7/25/2011 09:42:43 IAT modification detected: CreateProcessA - 00B40010<>7C80236B
7/25/2011 09:42:43 IAT modification detected: GetModuleFileNameA - 00B40080<>7C80B56F
7/25/2011 09:42:43 IAT modification detected: FreeLibrary - 00B400F0<>7C80AC7E
7/25/2011 09:42:43 IAT modification detected: GetModuleFileNameW - 00B40160<>7C80B475
7/25/2011 09:42:43 IAT modification detected: CreateProcessW - 00B401D0<>7C802336
7/25/2011 09:42:43 IAT modification detected: LoadLibraryW - 00B402B0<>7C80AEEB
7/25/2011 09:42:43 IAT modification detected: LoadLibraryA - 00B40320<>7C801D7B
7/25/2011 09:42:43 IAT modification detected: GetProcAddress - 00B40390<>7C80AE40
7/25/2011 09:42:44 Analysis: ntdll.dll, export table found in section .text
7/25/2011 09:42:44 Analysis: user32.dll, export table found in section .text
7/25/2011 09:42:45 Analysis: advapi32.dll, export table found in section .text
7/25/2011 09:42:45 Analysis: ws2_32.dll, export table found in section .text
7/25/2011 09:42:45 Analysis: wininet.dll, export table found in section .text
7/25/2011 09:42:46 Analysis: rasapi32.dll, export table found in section .text
7/25/2011 09:42:47 Analysis: urlmon.dll, export table found in section .text
7/25/2011 09:42:50 Analysis: netapi32.dll, export table found in section .text
7/25/2011 09:43:00 >> Danger ! Process masking detected
7/25/2011 09:43:00 1.2 Searching for kernel-mode API hooks
7/25/2011 09:43:07 Driver loaded successfully
7/25/2011 09:43:07 SDT found (RVA=0832A0)
7/25/2011 09:43:07 Kernel ntoskrnl.exe found in memory at address 804D7000
7/25/2011 09:43:07 SDT = 8055A2A0
7/25/2011 09:43:07 KiST = 804E26B8 (284)
7/25/2011 09:43:07 Function NtAdjustPrivilegesToken (0B) intercepted (8059B554->ED096690), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:07 Function NtClose (19) intercepted (80567AED->ED096F94), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:07 Function NtConnectPort (1F) intercepted (8059110B->ED097DC8), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:07 Function NtCreateEvent (23) intercepted (80570022->ED098312), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:07 Function NtCreateFile (25) intercepted (8056F864->ED097270), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:07 Function NtCreateKey (29) intercepted (8057376F->ED095500), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:07 Function NtCreateMutant (2B) intercepted (805775C8->ED0981F8), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:07 Function NtCreateNamedPipeFile (2C) intercepted (80585619->ED09627E), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:07 Function NtCreatePort (2E) intercepted (805893C7->ED0980CC), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:07 Function NtCreateSection (32) intercepted (80565333->ED096426), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:08 Function NtCreateSemaphore (33) intercepted (8057B80D->ED098432), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtCreateThread (35) intercepted (80578803->ED096C1C), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtCreateWaitablePort (38) intercepted (805DB3E4->ED098162), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtDebugActiveProcess (39) intercepted (8065BF7D->ED099B1A), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtDeleteKey (3F) intercepted (80597FFA->ED095B0A), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtDeleteValueKey (41) intercepted (80595C1A->ED095EBE), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtDeviceIoControlFile (42) intercepted (805795B9->ED0976F2), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtDuplicateObject (44) intercepted (805748C2->ED09AD26), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtEnumerateKey (47) intercepted (80573E7D->ED09600A), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtEnumerateValueKey (49) intercepted (8057FB2B->ED0960A2), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtFsControlFile (54) intercepted (805770E0->ED097500), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtLoadDriver (61) intercepted (805A425D->ED099C0C), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtLoadKey (62) intercepted (805AF5C3->ED0954DC), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtLoadKey2 (63) intercepted (805AF400->ED0954EE), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtMapViewOfSection (6C) intercepted (8057AC99->ED09A374), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtNotifyChangeKey (6F) intercepted (80593FAA->ED0961CE), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtOpenEvent (72) intercepted (8057FC98->ED0983A8), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:08 Function NtOpenFile (74) intercepted (8056F7FF->ED097016), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:08 >>> Function restored successfully !
7/25/2011 09:43:08 >>> Hook code blocked
7/25/2011 09:43:09 Function NtOpenKey (77) intercepted (80568F68->ED0956C0), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtOpenMutant (78) intercepted (80577676->ED098288), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtOpenProcess (7A) intercepted (80574AA9->ED0968CC), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtOpenSection (7D) intercepted (8056E467->ED09A10E), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtOpenSemaphore (7E) intercepted (805DD9AC->ED0984C8), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtOpenThread (80) intercepted (8059323B->ED0967BE), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtQueryKey (A0) intercepted (80573B86->ED09613A), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtQueryMultipleValueKey (A1) intercepted (8064F0A7->ED095D72), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtQuerySection (A7) intercepted (8057EE6E->ED09A6AE), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtQueryValueKey (B1) intercepted (8056A419->ED09599C), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtQueueApcThread (B4) intercepted (8058F954->ED099FA0), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtRenameKey (C0) intercepted (8064F526->ED095C2C), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtReplaceKey (C1) intercepted (8064FE82->ED094F16), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtReplyPort (C2) intercepted (8057E67C->ED09882C), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtReplyWaitReceivePort (C3) intercepted (8056BC24->ED0986F2), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtRequestWaitReplyPort (C8) intercepted (8056DC86->ED0998B4), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtRestoreKey (CC) intercepted (8064FA19->ED09528E), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtResumeThread (CE) intercepted (80578E76->ED09ABC8), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:09 Function NtSaveKey (CF) intercepted (8064FB1A->ED094EAE), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:09 >>> Function restored successfully !
7/25/2011 09:43:09 >>> Hook code blocked
7/25/2011 09:43:10 Function NtSecureConnectPort (D2) intercepted (80599040->ED097B0E), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtSetContextThread (D5) intercepted (8062E33F->ED096E38), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtSetInformationToken (E6) intercepted (805A8E5C->ED099154), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtSetSecurityObject (ED) intercepted (8059D2BD->ED099DAA), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtSetSystemInformation (F0) intercepted (805A8349->ED09A7FE), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtSetValueKey (F7) intercepted (8057BC5B->ED095816), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtSuspendProcess (FD) intercepted (8062FF21->ED09A8F0), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtSuspendThread (FE) intercepted (805E05AB->ED09AA2A), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtSystemDebugControl (FF) intercepted (8064AA57->ED099A3E), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtTerminateProcess (101) intercepted (805839B9->ED096A68), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtTerminateThread (102) intercepted (80577F1F->ED0969C8), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtUnmapViewOfSection (10B) intercepted (8057A81E->ED09A552), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:10 Function NtWriteVirtualMemory (115) intercepted (8057F712->ED096B52), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:10 >>> Function restored successfully !
7/25/2011 09:43:10 >>> Hook code blocked
7/25/2011 09:43:11 Function FsRtlCheckLockForReadAccess (80512959) - machine code modification Method of JmpTo. jmp ED088FD0 \SystemRoot\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:11 >>> Function restored successfully !
7/25/2011 09:43:11 Function IoIsOperationSynchronous (804E876A) - machine code modification Method of JmpTo. jmp ED0893AC \SystemRoot\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:11 >>> Function restored successfully !
7/25/2011 09:43:13 Functions checked: 284, intercepted: 60, restored: 62
7/25/2011 09:43:13 1.3 Checking IDT and SYSENTER
7/25/2011 09:43:13 Analysis for CPU 1
7/25/2011 09:43:13 CmpCallCallBacks = 0013AD62
7/25/2011 09:43:13 Disable callback OK
7/25/2011 09:43:13 Checking IDT and SYSENTER - complete
7/25/2011 09:43:22 1.4 Searching for masking processes and drivers
7/25/2011 09:43:22 Checking not performed: extended monitoring driver (AVZPM) is not installed
7/25/2011 09:43:22 1.5 Checking of IRP handlers
7/25/2011 09:43:22 Driver loaded successfully
7/25/2011 09:43:23 Checking - complete
7/25/2011 09:46:31 >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
7/25/2011 09:46:31 >> Services: potentially dangerous service allowed: TlntSvr ()
7/25/2011 09:46:31 >> Services: potentially dangerous service allowed: Messenger (Messenger)
7/25/2011 09:46:31 >> Services: potentially dangerous service allowed: Alerter (Alerter)
7/25/2011 09:46:31 >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
7/25/2011 09:46:31 >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
7/25/2011 09:46:31 >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
7/25/2011 09:46:31 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
7/25/2011 09:46:31 >> Security: disk drives' autorun is enabled
7/25/2011 09:46:32 >> Security: administrative shares (C$, D$ ...) are enabled
7/25/2011 09:46:32 >> Security: anonymous user access is enabled
7/25/2011 09:46:41 >> Disable HDD autorun
7/25/2011 09:46:41 >> Disable autorun from network drives
7/25/2011 09:46:41 >> Disable CD/DVD autorun
7/25/2011 09:46:41 >> Disable removable media autorun
7/25/2011 09:46:47 System Analysis in progress
7/25/2011 10:01:34 System Analysis - complete
7/25/2011 10:01:34 Deleting service/driver: uti2nzy4
7/25/2011 10:01:35 [microprogram of healing]> registry key deleted HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uti2nzy4
7/25/2011 10:01:35 Delete file:C:\WINDOWS\system32\Drivers\uti2nzy4.sys
7/25/2011 10:01:36 Deleting service/driver: uji2nzy4
7/25/2011 10:01:37 Main script of analysis
7/25/2011 10:01:38 Task completed Gathering system information
Manual Disinfection: malfunction (events: 4, time: 00:00:08)
7/26/2011 04:18:03 Task started Manual Disinfection
7/26/2011 04:18:11 Script error: 'BEGIN' expected, position [1:1]
7/26/2011 04:18:11 Processing error Error: 'BEGIN' expected at position 1:1 Error code: 00000000
7/26/2011 04:18:11 Unable to start tasks Manual Disinfection Error code: 99C63001
Manual Disinfection: malfunction (events: 4, time: 00:00:02)
7/26/2011 04:18:35 Task started Manual Disinfection
7/26/2011 04:18:37 Script error: 'BEGIN' expected, position [1:1]
7/26/2011 04:18:37 Processing error Error: 'BEGIN' expected at position 1:1 Error code: 00000000
7/26/2011 04:18:37 Unable to start tasks Manual Disinfection Error code: 99C63001
Manual Disinfection: malfunction (events: 4, time: 00:00:01)
7/26/2011 04:18:47 Task started Manual Disinfection
7/26/2011 04:18:48 Script error: 'BEGIN' expected, position [1:1]
7/26/2011 04:18:48 Processing error Error: 'BEGIN' expected at position 1:1 Error code: 00000000
7/26/2011 04:18:48 Unable to start tasks Manual Disinfection Error code: 99C63001

Edited by }:{, 26 July 2011 - 03:33 AM.

  • 0
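The AVZ log posted above reports three shapes of hook finding (user-mode IAT modifications, kernel SSDT interceptions attributed to a driver, and inline machine-code patches) plus a summary count. The triage parser below is an added example, not code from the thread or from AVZ: it reads those line formats, groups hooks by the file name of the owning module and lists what AVZ did not attribute to a trusted driver. The sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of lines copied from the AVZ log posted above.
SAMPLE_LOG = r"""
7/25/2011 09:42:43 IAT modification detected: CreateProcessA - 00B40010<>7C80236B
7/25/2011 09:42:43 IAT modification detected: LoadLibraryA - 00B40320<>7C801D7B
7/25/2011 09:43:00 >> Danger ! Process masking detected
7/25/2011 09:43:07 Function NtCreateFile (25) intercepted (8056F864->ED097270), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:07 >>> Function restored successfully !
7/25/2011 09:43:07 >>> Hook code blocked
7/25/2011 09:43:10 Function NtWriteVirtualMemory (115) intercepted (8057F712->ED096B52), hook C:\WINDOWS\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:11 Function FsRtlCheckLockForReadAccess (80512959) - machine code modification Method of JmpTo. jmp ED088FD0 \SystemRoot\system32\DRIVERS\3320355drv.sys, driver recognized as trusted
7/25/2011 09:43:13 Functions checked: 284, intercepted: 60, restored: 62
"""

# Line shapes as they appear in the AVZ log (after the leading timestamp is stripped).
TS_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d\d:\d\d:\d\d\s+")
IAT_RE = re.compile(r"IAT modification detected: (\w+) - ([0-9A-F]+)<>([0-9A-F]+)")
SSDT_RE = re.compile(r"Function (\w+) \(([0-9A-F]+)\) intercepted \(([0-9A-F]+)->([0-9A-F]+)\), hook ([^,\s]+)")
INLINE_RE = re.compile(r"Function (\w+) \(([0-9A-F]+)\) - machine code modification .*?jmp ([0-9A-F]+) ([^,\s]+)")
SUMMARY_RE = re.compile(r"Functions checked: (\d+), intercepted: (\d+), restored: (\d+)")
DANGER_RE = re.compile(r">> Danger ! (.+)")


@dataclass
class Hook:
    kind: str              # "iat" (user-mode import table), "ssdt" (kernel service table), "inline" (code patch)
    function: str
    original: str          # address AVZ expected (hex, as printed)
    hooked: str            # address control is redirected to
    module: Optional[str]  # hooking module as AVZ attributed it; None when AVZ named none
    trusted: bool          # AVZ's own "driver recognized as trusted" verdict


@dataclass
class Report:
    hooks: List[Hook]
    dangers: List[str]
    summary: Optional[Tuple[int, int, int]]  # (checked, intercepted, restored)


def parse_avz(text: str) -> Report:
    """Parse the hook, danger and summary lines of an AVZ log; other lines are ignored."""
    hooks: List[Hook] = []
    dangers: List[str] = []
    summary = None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.strip())
        if not line:
            continue
        trusted = "driver recognized as trusted" in line
        if m := IAT_RE.search(line):
            # First address is the current IAT value, second the export it should hold;
            # AVZ attributes no module to IAT hooks, so they are never "trusted" here.
            hooks.append(Hook("iat", m[1], m[3], m[2], None, False))
        elif m := SSDT_RE.search(line):
            hooks.append(Hook("ssdt", m[1], m[3], m[4], m[5], trusted))
        elif m := INLINE_RE.search(line):
            hooks.append(Hook("inline", m[1], m[2], m[3], m[4], trusted))
        elif m := DANGER_RE.search(line):
            dangers.append(m[1].strip())
        elif m := SUMMARY_RE.search(line):
            summary = (int(m[1]), int(m[2]), int(m[3]))
    return Report(hooks, dangers, summary)


def hooks_by_module(hooks: List[Hook]) -> Dict[str, int]:
    """Count hooks per owning module by file name, so the C:\\ and \\SystemRoot\\ path forms merge."""
    counts: Dict[str, int] = {}
    for h in hooks:
        name = h.module.rsplit("\\", 1)[-1].lower() if h.module else "<unattributed>"
        counts[name] = counts.get(name, 0) + 1
    return counts


def needs_review(report: Report) -> List[str]:
    """Findings to follow up: hooks AVZ did not attribute to a trusted driver, plus its danger messages."""
    items = [
        f"{h.kind} hook on {h.function}: {h.original} -> {h.hooked} ({h.module or 'no module attributed'})"
        for h in report.hooks if not h.trusted
    ]
    items += [f"AVZ warning: {d}" for d in report.dangers]
    return items


if __name__ == "__main__":
    rep = parse_avz(SAMPLE_LOG)
    print("hooks per module:", hooks_by_module(rep.hooks))
    for item in needs_review(rep):
        print("REVIEW:", item)
    print("summary (checked, intercepted, restored):", rep.summary)
```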

#18
}:{

    Member

  • Topic Starter
  • 16 posts
Here's the KVRT scan log, I hope.
  • 0

#19
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Have you tried with a different keyboard?
  • 0

#20
}:{

    Member

  • Topic Starter
  • 16 posts
Yes, I was typing on the new one for the last 2 posts; still blocked from using a keyboard. I can only use the one on the screen, which is being scrambled, with red lines around each key as the cursor clicks on it. Red lines are confined to that keyboard now. I'm at work now, so no problem typing. Haven't done Dr Web yet; sorry I missed that post. Symptoms: system very slow of course; windows whited out or partially whited out, such as everything below the toolbar, or after closing a window the spot where that window was is white. These things seem to happen only when I am doing something threatening to the virus, such as scans or downloading programs to scan. Another thing the virus does when threatened is freeze windows, or when several windows are layered I close the uppermost one but the part of the window I've closed is still visible where it overlapped the window below. It has also caused an interesting invisible effect with the little windows produced by right-clicking the mouse: I could see a thin line where one corner of the window was hidden. As I moved the cursor over it, that portion would appear.
Some of the original icons for my folders have been restored, but those that were gibberish due to the virus are still gibberish. Last week icons on my desktop were switched with each other. Another thing is that the titles of some folders and files are blue. This is only files created by the virus, but not all of the virus-created files are blue. There are many new files; some contain my files. There are thumbs.db and desk.ini files scattered around files of mine, and desk.ini is on my desktop now, if I remember correctly. I'm warned not to delete them because they contain something important to the system; I do anyway and they reappear.
Can't get into most of the virus files, but once I did get into 2 very interesting logs of my actions on the computer and the virus's actions. There were error messages mentioned (there have been plenty of error messages created by the virus) and something about a whitelist mentioned. The virus had created them when blocking me from doing something. "Invoking cloak" was mentioned periodically. I tried to post those logs, but one was lost before I could and the other I pasted into a reply that was gone the next time I signed in. My error probably, which reminds me: ahnlabs.com, they have a nice list of viruses along with what is known about each, links to scans for the virus and a program to remove it if possible. Unfortunately neither is available for what I've got. One of the characteristics of Wintrojan HupigonAX is the ability to hide. I think it's still in my registry because not one program I tried could remove it or the 2 different types of win adware\mysearch. Yet Hupigon just dropped out of the scan results on its own.
Here's another thing: the virus messes with downloads. Kaspersky VRT was downloading non-stop and wouldn't close or be deleted. The Ahnlabs security program file I downloaded was smaller when downloaded than the run box said it was, so I didn't reinstall it. I had to uninstall it to run the last KVRT scan because it had been messed with. One of the disable/enable buttons refused to be disabled. It has interfered with my use of the mouse. Today, for example, I tried to copy and paste the report of the KVRT virus scan since it won't attach. The arrow of my cursor becomes a flashing kind of 'I' figure as soon as I put the cursor where the virus doesn't want me to be, in this case the reply box. Or it prevents the little windows you get with right-click from opening.
Thank you again for your time and effort to help me, and also your patience with my ignorance and failures to produce what you ask for.
Catherine

I almost forgot. I managed to attach the KVRT scan report to an email I sent myself. I don't know if they are any good; I did it twice, still worried I destroyed the text in zipping it! I was so pleased with my success that I realized I still haven't a clue how to get it to you. Maybe attaching it from my email to my post will work. I will try that next. Unfortunately this last run of KVRT found only 1 threat. The first run found 4. Maybe it removed 3, but I wonder if they are hiding.
  • 0

#21
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, I feel it is time to work outside of Windows. Any questions about this procedure, then just shout.

Are you able to use another computer to burn a CD?

Can you burn a CD? If so we will run a live disc from outside of Windows.

There is a programme I have used that has reasonable results in severe cases like this, but it will require you to burn a Linux live CD from an ISO file. This is a full-blown operating system and includes a browser for going online. It runs from the CD and is not installed on your hard drive.

OK then, two programmes to download.

FIRST

Download Imgburn and install it; this will allow you to burn the Dr Web ISO to a CD and make it bootable. Just install the programme, from there on in it is fairly automatic.

SECOND

DrWeb Live CD: download the ISO file and, once it is on your desktop, double-click it; this will open Imgburn to do its work.


Having made the bootable CD, set your system to boot from CD. Do you know how to do this?
Or you could follow the steps on this page and continue through to step 7.

Once Dr Web starts, select Dr.Web LiveCD (Default).

When the system is loaded, check the disks or folders you want to scan and press Start.

If the operating system failed to configure access to your network, you can do it manually using Networks Configure Manager: Start->Settings->Networks Configure manager. This will enable you to get online if needed.
  • 0

#22
}:{

    Member

  • Topic Starter
  • 16 posts
I sent you a private message with three links to my Google Docs; never linked before, hope I did it correctly. The unlinkable Kaspersky virus scan is there and a recent Ahnlabs scan. The link is viewable to anyone; didn't know if that should be posted here. Feel free to post them or tell me and I will. Ran the first Dr Web scan as instructed in safe mode. Hours later I went to the computer; the monitor was white and there was no response to my moving/clicking the mouse. It wouldn't turn off either; we have had that problem before, not sure for how long, but maybe before the virus. So I unplugged it; back in safe mode with no log. Should I try it again or just move on and do the quick one?
  • 0

#23
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Run the quick scan with Dr Web, as it should find any major problem under that.

Most of the stuff found to date was within OTL moved files
  • 0

#24
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#25
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Please download SINO by Artellos.
  • Save SINO to a place you can remember and run SINO.exe. (If you downloaded the ZIP version you will need to extract it first)
  • Then please check the following checkboxes:

    System Info
    ServicesBoot
    CheckTasklist
    Startup Items
    Event Log
    IpconfigPing
    Netstat
    Hosts file
    SharesRouting Table

  • Once checked, hit the Run Scan! button and wait for the program to finish the scan.
  • A notepad window will pop up. Please copy all of the content into your next reply.
Note: If you try to interact with the program once it’s started scanning it might appear to hang. The scan however will continue.
  • 0

#26
}:{

    Member

  • Topic Starter
  • 16 posts
System Investigator by Olrik
Log Created On: 0422_07-08-2011
SINO Version: 3.1.0.0

Total RAM: 446 MB | Free RAM: 176 MB | Pagefile Size: 1053 MB
A: | None | 3 1/2 Inch Floppy Drive
C: | 29891 MB out of 76285 MB Free | Local Fixed Disk
D: | None | CD-ROM Disc
E: | None | CD-ROM Disc

<<<< System Information >>>>

Computer Name: OWNER-DEBBA350B
Username: owner_2
Language Setting: ENU
Windows Directory: C:\WINDOWS
Windows Version: Windows XP Service Pack 3

<<<< Tasklist >>>>

[System Idle Process] - Process ID: 0
[System] - Process ID: 4
[C:\WINDOWS\System32\smss.exe] - Process ID: 484
[csrss.exe] - Process ID: 532
[C:\WINDOWS\system32\winlogon.exe] - Process ID: 556
[C:\WINDOWS\system32\services.exe] - Process ID: 600
[C:\WINDOWS\system32\lsass.exe] - Process ID: 612
[C:\WINDOWS\system32\svchost.exe] - Process ID: 768
[svchost.exe] - Process ID: 876
[C:\WINDOWS\system32\svchost.exe] - Process ID: 996
[svchost.exe] - Process ID: 1040
[svchost.exe] - Process ID: 1144
[C:\WINDOWS\System32\dmadmin.exe] - Process ID: 1448
[C:\WINDOWS\Explorer.EXE] - Process ID: 1792
[C:\Program Files\Mozilla Firefox\firefox.exe] - Process ID: 264
[C:\DOCUME~1\owner_2\LOCALS~1\Temp\SINO\SINO.exe] - Process ID: 792
[wmiprvse.exe] - Process ID: 964

<<<< Startup Items >>>>

[OneNote 2007 Screen Clipper and Launcher.lnk] - <Startup> - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
[Windows Search.lnk] - <Common Startup> - C:\Program Files\Windows Desktop Search\WindowsSearch.exe
[VTTimer] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - VTTimer.exe
[SoundMan] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - SOUNDMAN.EXE
[SetDefPrt] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
[PaperPort PTD] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
[NeroFilterCheck] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[IndexSearch] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
[rfagent] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\RFA\rfagent32.exe"
[iTunesHelper] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\iTunes\iTunesHelper.exe"
[Adobe ARM] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[QuickTime Task] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\QuickTime\qttask.exe" -atboottime
[Microsoft Default Manager] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
[ctfmon.exe] - <HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run> - C:\WINDOWS\system32\ctfmon.exe

<<<< MS Services >>>>

Computer Browser (Browser) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
CryptSvc (CryptSvc) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
DCOM Server Process Launcher (DcomLaunch) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k DcomLaunch
DHCP Client (Dhcp) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Logical Disk Manager Administrative Service (dmadmin) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\dmadmin.exe /com
Logical Disk Manager (dmserver) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
DNS Client (Dnscache) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k NetworkService
Event Log (Eventlog) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\services.exe
Help and Support (helpsvc) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Server (lanmanserver) - Running [Auto | Stoppable | Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Workstation (lanmanworkstation) - Running [Auto | Stoppable | Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
TCP/IP NetBIOS Helper (LmHosts) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Messenger (Messenger) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Network Connections (Netman) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
NT LM Security Support Provider (NtLmSsp) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\lsass.exe
Plug and Play (PlugPlay) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\services.exe
Remote Procedure Call (RPC) (RpcSs) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k rpcss
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
System Restore Service (srservice) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Terminal Services (TermService) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k DComLaunch
Windows Management Instrumentation (winmgmt) - Running [Auto | Stoppable | Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration (WZCSVC) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Alerter (Alerter) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Application Layer Gateway Service (ALG) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\alg.exe
Application Management (AppMgmt) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
ASP.NET State Service (aspnet_state) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
Windows Audio (AudioSrv) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Background Intelligent Transfer Service (BITS) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Indexing Service (cisvc) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\cisvc.exe
ClipBook (ClipSrv) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\clipsrv.exe
.NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Stopped [Manual | Not_Stoppable | Not_Pausable] - c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
COM+ System Application (COMSysApp) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Wired AutoConfig (Dot3svc) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k dot3svc
Extensible Authentication Protocol Service (EapHost) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k eapsvcs
Error Reporting Service (ERSvc) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System (EventSystem) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Stopped [Manual | Not_Stoppable | Not_Pausable] - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
HID Input Service (HidServ) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Health Key and Certificate Management Service (hkmsvc) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
HTTP SSL (HTTPFilter) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
Windows CardSpace (idsvc) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
IMAPI CD-Burning COM Service (ImapiService) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\imapi.exe
NetMeeting Remote Desktop Sharing (mnmsrvc) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\mnmsrvc.exe
Distributed Transaction Coordinator (MSDTC) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\msdtc.exe
Windows Installer (MSIServer) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\msiexec.exe /V
Network Access Protection Agent (napagent) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Network DDE (NetDDE) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\netdde.exe
Network DDE DSDM (NetDDEdsdm) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\netdde.exe
Net Logon (Netlogon) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\lsass.exe
Net.Tcp Port Sharing Service (NetTcpPortSharing) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
Network Location Awareness (NLA) (Nla) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Removable Storage (NtmsSvc) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Microsoft Office Diagnostics Service (odserv) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"
Office Source Engine (ose) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
IPSEC Services (PolicyAgent) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\lsass.exe
Protected Storage (ProtectedStorage) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\lsass.exe
Remote Access Auto Connection Manager (RasAuto) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Remote Access Connection Manager (RasMan) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Remote Desktop Help Session Manager (RDSessMgr) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\sessmgr.exe
Routing and Remote Access (RemoteAccess) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Remote Procedure Call (RPC) Locator (RpcLocator) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\locator.exe
QoS RSVP (RSVP) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\rsvp.exe
Security Accounts Manager (SamSs) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\lsass.exe
Smart Card (SCardSvr) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\SCardSvr.exe
Task Scheduler (Schedule) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon (seclogon) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification (SENS) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Shell Hardware Detection (ShellHWDetection) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Print Spooler (Spooler) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\spoolsv.exe
SSDP Discovery Service (SSDPSRV) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Windows Image Acquisition (WIA) (stisvc) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k imgsvc
MS Software Shadow Copy Provider (SwPrv) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\dllhost.exe /Processid:{AF1C0D42-04EE-4BF9-B9BC-F38B087E5773}
Performance Logs and Alerts (SysmonLog) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\smlogsvc.exe
Telephony (TapiSrv) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes (Themes) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client (TrkWks) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Universal Plug and Play Device Host (upnphost) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Uninterruptible Power Supply (UPS) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\ups.exe
Volume Shadow Copy (VSS) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\vssvc.exe
Windows Time (W32Time) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
WebClient (WebClient) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Portable Media Serial Number Service (WmdmPmSN) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
WMI Performance Adapter (WmiApSrv) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\wbem\wmiapsrv.exe
Windows Media Player Network Sharing Service (WMPNetworkSvc) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\Windows Media Player\WMPNetwk.exe"
Security Center (wscsvc) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates (wuauserv) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
Network Provisioning Service (xmlprov) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs

<<<< Non-MS Services >>>>

Apple Mobile Device (Apple Mobile Device) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"
Bonjour Service (Bonjour Service) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\Bonjour\mDNSResponder.exe"
getPlus® Helper (getPlusHelper) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k getPlusHelper
Google Update Service (gupdate) (gupdate) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\Program Files\Google\Update\GoogleUpdate.exe /svc
Google Update Service (gupdatem) (gupdatem) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\Program Files\Google\Update\GoogleUpdate.exe /medsvc
Google Updater Service (gusvc) - Stopped [Manual | Not_Stoppable | Not_Pausable] - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
iPod Service (iPod Service) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\iPod\bin\iPodService.exe"
Java Quick Starter (JavaQuickStarterService) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
NBService (NBService) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
Norton Internet Security (NIS) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe" /s "NIS" /m "C:\Program Files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll" /prefetch:1
NMIndexingService (NMIndexingService) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"
Norton Safe Web Lite (NSL) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe" /s "NSL" /m "C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\diMaster.dll" /prefetch:1
SeaPort (SeaPort) - Stopped [Auto | Not_Stoppable | Not_Pausable] - "C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe"
VideoScavenger Service (VideoScavenger_1eService) - Stopped [Auto | Not_Stoppable | Not_Pausable] - None
Windows Search (WSearch) - Stopped [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\SearchIndexer.exe /Embedding

<<<< Boot.ini >>>>

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

<<<< Last 5 Application Errors or Warnings >>>>

Computer Name: OWNER-DEBBA350B | ID: 8 | Source: crypt32 | Type: Error | Date: 6-8-11 0:50:17 | Log: Application
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Computer Name: OWNER-DEBBA350B | ID: 8 | Source: crypt32 | Type: Error | Date: 6-8-11 0:50:17 | Log: Application
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Computer Name: OWNER-DEBBA350B | ID: 5000 | Source: NativeWrapper | Type: Error | Date: 5-8-11 8:6:9 | Log: Application
Message: <The description for Event ID ( 5000 ) in Source ( u'NativeWrapper' ) could not be found. It contains the following insertion string(s):u'visualstudio7x80update, msiexec.exe, 1.0.1686.5002, kb2416447, 1033, 643, f, install, x86, 5.1.2600.2.3.0.768, 0'.>

Computer Name: OWNER-DEBBA350B | ID: 1023 | Source: MsiInstaller | Type: Error | Date: 5-8-11 8:6:2 | Log: Application
Message: Product: Microsoft .NET Framework 1.1 - Update '{2F6EFCE6-10DF-49F9-9E64-9AE3775B2588}' could not be installed. Error code 1603. Additional information is available in the log file C:\WINDOWS\TEMP\NDP1.1sp1-KB2416447-X86\NDP1.1sp1-KB2416447-X86-msi.0.log.

Computer Name: OWNER-DEBBA350B | ID: 11706 | Source: MsiInstaller | Type: Error | Date: 5-8-11 8:5:50 | Log: Application
Message: Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source could be found for product Microsoft .NET Framework 1.1. The Windows installer cannot continue.

<<<< Last 5 System Errors or Warnings >>>>

Computer Name: OWNER-DEBBA350B | ID: 7026 | Source: Service Control Manager | Type: Error | Date: 7-8-11 2:17:37 | Log: System
Message: The following boot-start or system-start driver(s) failed to load:
BHDrvx86
eeCtrl
Fips
intelppm
Lbd
SABKUTIL
SRTSPX
SymIRON
SYMTDI

Computer Name: OWNER-DEBBA350B | ID: 7023 | Source: Service Control Manager | Type: Error | Date: 7-8-11 2:17:37 | Log: System
Message: The Application Management service terminated with the following error:
%%126

Computer Name: OWNER-DEBBA350B | ID: 10005 | Source: DCOM | Type: Error | Date: 7-8-11 2:16:38 | Log: System
Message: DCOM got error "%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Computer Name: OWNER-DEBBA350B | ID: 3095 | Source: NETLOGON | Type: Error | Date: 7-8-11 2:16:7 | Log: System
Message: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Computer Name: OWNER-DEBBA350B | ID: 1002 | Source: Dhcp | Type: Error | Date: 7-8-11 2:15:56 | Log: System
Message: The IP address lease 172.16.0.4 for the Network Card with network address 00E04D5E88C2 has been
denied by the DHCP server 172.16.0.1 (The DHCP Server sent a DHCPNACK message).

<<<< Special Events >>>>

There were no special events found

<<<< Ipconfig >>>>

Windows IP Configuration

Host Name . . . . . . . . . . . . : owner-debba350b
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VIA Compatable Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-E0-4D-5E-88-C2
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 172.16.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.0.1
DHCP Server . . . . . . . . . . . : 172.16.0.1
DNS Servers . . . . . . . . . . . : 172.16.0.1
Lease Obtained. . . . . . . . . . : Sunday, August 07, 2011 02:15:59
Lease Expires . . . . . . . . . . : Monday, August 08, 2011 02:15:59


<<<< Netstat >>>>

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 876
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
-- unknown component(s) --
[svchost.exe]

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
[System]

TCP 172.16.0.2:139 0.0.0.0:0 LISTENING 4
[System]

TCP 127.0.0.1:1025 127.0.0.1:1026 ESTABLISHED 264
[firefox.exe]

TCP 127.0.0.1:1026 127.0.0.1:1025 ESTABLISHED 264
[firefox.exe]

TCP 127.0.0.1:1027 127.0.0.1:1028 ESTABLISHED 264
[firefox.exe]

TCP 127.0.0.1:1028 127.0.0.1:1027 ESTABLISHED 264
[firefox.exe]

TCP 172.16.0.2:1029 63.245.217.43:443 LAST_ACK 264
[firefox.exe]

TCP 172.16.0.2:1031 69.163.234.194:80 TIME_WAIT 0
UDP 0.0.0.0:445 *:* 4
[System]

UDP 172.16.0.2:138 *:* 4
[System]

UDP 172.16.0.2:137 *:* 4
[System]


<<<< Routing Table >>>>

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 e0 4d 5e 88 c2 ...... VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.255.0 172.16.0.2 172.16.0.2 20
172.16.0.2 255.255.255.255 127.0.0.1 127.0.0.1 20
172.16.255.255 255.255.255.255 172.16.0.2 172.16.0.2 20
224.0.0.0 240.0.0.0 172.16.0.2 172.16.0.2 20
255.255.255.255 255.255.255.255 172.16.0.2 172.16.0.2 1
Default Gateway: 172.16.0.1
===========================================================================
Persistent Routes:
None

Route Table

<<<< Hosts File >>>>

The HOSTS file is 27 Bytes in size.

There were 0 lines which refer to an external IP address.

<<<< Active Shares >>>>

Share: IPC$ - Path:


------ End of File ------
  • 0
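As an added example (not part of the original thread, and not SINO's or Geeks to Go's own code): a small Python triage script that reads a SINO-style report of the kind the instructions in #25 produce and the post above shows, and pulls out the items a helper checks first: processes running from a Temp directory, Run-key startup entries whose command carries no directory (Windows resolves those by PATH search, so the entry is worth confirming by hand), the ports in LISTENING state, and connections whose remote address is not private or local. The SAMPLE_REPORT string is constructed for this example and only mirrors the layout of the posted log; the section names and line formats are taken from it.

```python
"""Triage helper for a SINO-style system report (added example, not SINO's code)."""
import ipaddress
import re

# Constructed sample in the layout of the report posted above; not the original log.
SAMPLE_REPORT = r"""<<<< Tasklist >>>>

[C:\WINDOWS\system32\svchost.exe] - Process ID: 768
[C:\DOCUME~1\owner_2\LOCALS~1\Temp\SINO\SINO.exe] - Process ID: 792
[C:\Program Files\Mozilla Firefox\firefox.exe] - Process ID: 264

<<<< Startup Items >>>>

[VTTimer] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - VTTimer.exe
[iTunesHelper] - <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\iTunes\iTunesHelper.exe"
[ctfmon.exe] - <HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run> - C:\WINDOWS\system32\ctfmon.exe

<<<< Netstat >>>>

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 876
[svchost.exe]

TCP 127.0.0.1:1025 127.0.0.1:1026 ESTABLISHED 264
[firefox.exe]

TCP 172.16.0.2:1029 63.245.217.43:443 LAST_ACK 264
[firefox.exe]

UDP 172.16.0.2:137 *:* 4
[System]
"""

SECTION_RE = re.compile(r"^<<<< (.+?) >>>>$")
TASK_RE = re.compile(r"^\[(.+)\] - Process ID: (\d+)$")
STARTUP_RE = re.compile(r"^\[(.+?)\] - <(.+?)> - (.+)$")
# UDP lines carry no State column, so the state group is optional.
NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)$")


def split_sections(report):
    """Map each '<<<< Name >>>>' header to the non-empty lines that follow it."""
    sections, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def processes_in_temp(sections):
    """(path, pid) for processes whose image sits under a \\Temp\\ directory."""
    hits = []
    for line in sections.get("Tasklist", []):
        m = TASK_RE.match(line)
        if m and re.search(r"\\temp\\", m.group(1), re.IGNORECASE):
            hits.append((m.group(1), int(m.group(2))))
    return hits


def unqualified_startup_commands(sections):
    """(entry name, executable) for Run entries whose command has no directory."""
    hits = []
    for line in sections.get("Startup Items", []):
        m = STARTUP_RE.match(line)
        if not m:
            continue
        name, _location, cmd = m.groups()
        cmd = cmd.strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if "\\" not in exe:
            hits.append((name, exe))
    return hits


def is_private_or_local(host):
    """True for loopback, unspecified, RFC 1918, link-local, multicast, or '*'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # "*" in netstat output
        return True
    return ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast


def listening_ports(sections):
    """Sorted local ports in LISTENING state."""
    ports = set()
    for line in sections.get("Netstat", []):
        m = NETSTAT_RE.match(line)
        if m and m.group(4) == "LISTENING":
            ports.add(int(m.group(2).rpartition(":")[2]))
    return sorted(ports)


def external_connections(sections):
    """(proto, remote endpoint, state, pid) for connections to non-private addresses."""
    hits = []
    for line in sections.get("Netstat", []):
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _local, foreign, state, pid = m.groups()
        host = foreign.rpartition(":")[0]
        if not is_private_or_local(host):
            hits.append((proto, foreign, state, int(pid)))
    return hits


def triage(report):
    sections = split_sections(report)
    return {
        "processes_in_temp": processes_in_temp(sections),
        "unqualified_startup": unqualified_startup_commands(sections),
        "listening_ports": listening_ports(sections),
        "external_connections": external_connections(sections),
    }


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(json.dumps(triage(text), indent=2))
```

Run it with the saved notepad output as the argument, or with no argument to see it work on the constructed sample. The flags are prompts for a human look, not verdicts: SINO itself legitimately runs from Temp, and the two bare-filename Run entries in the post (VTTimer.exe, SOUNDMAN.EXE) are common OEM driver helpers that live in the Windows directory.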

#27
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
All system files and services look OK.

Next we will check your temperatures.

Download SpeedFan and install it.

Once it's installed, run the program and post here the information it shows.
The information I want you to post is the stuff that is circled in the example picture I have attached.
If you are running on a Vista machine, please go to where you installed the program and run the program as administrator.

Posted Image (this is a screenshot from a Vista machine)
  • 0

#28
}:{

}:{

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Dear Sir, as you requested:
Fan1 3309 RPM and 3245 once, Fan2 0 RPM, Fan3 0 RPM.

Temp1 33 to 38C, Temp2 -9 to +51C, Temp3 -1 to +58, HDQ ranges from 48 to 53, Temp1 33 to 38C.

Vcore1 1.47, Vcore2 1.57, +33V 3.26V, +5V 5.08V, +12V 10.37V, -12V -8.91V, -5V -0.03 to -4.35, +5V 473, VBAL 323.

The Temp2, Temp3 and HDQ values changed by the second.

If I understand you correctly, you are thinking that my trojan and adware problem may be fixed. My keyboard remains useless once Windows starts, but is usable before Safe Mode starts and when I used the Dr.Web live CD. The new keyboard had the same issues. Red lines continue to surround each key of the on-screen keyboard as my cursor passes over it. I hoped this would end with the removal of the trojan/adware.

The Avast scan found no problems but couldn't scan 2 files: C\Doc...\drwtsn32.log and C\SystemVol...\A0266475.lnk. Avast said it was due to a Data Error (Cyclic Redundancy Check). One of the trojan/adware items was located in the System Volume in previous scans. No solution was suggested.

Thank you for your help. Catherine
  • 0

#29
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
System Volume is your System Restore, so that just needs resetting. When you installed Avast, was it a clean install or did you install over the top of an old version?

As Avast uses a red border to denote processes/programmes running in the sandbox.
  • 0

#30
}:{

}:{

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I installed the free Avast, then paid for it not long after. Uninstalled it when olt said it was running even though I turned it off. You said I needed to turn it off; later on, I found a second Avast program was installed and running. I don't know how I did it. Anyway, I uninstalled the second one; it wasn't turning off when I clicked. Just reinstalled it a few days ago. The red line has been on the keyboard ever since; the real keyboard has been useless. Avast was uninstalled during part of that time. Catherine
  • 0