Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

PC Crashing [CLOSED]

Started by GeekNeeder , Jul 13 2005 09:25 AM

This topic is locked

#16
GeekNeeder

Posted 23 August 2005 - 11:37 AM

Member

Topic Starter
Member
24 posts

After I run Silent Runners, the CPU usage went crazy. From 0% to 100% then 0% again in every two seconds! I'm surprised my PC didn't crash. As far as I know, Windows media player was installed with windows and it is now found in Program Files. That is where the new versions were installed. Now here is the Silent Runners log:

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MessengerPlus3" = ""C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart" ["Patchou"]
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"AutoUpdate" = "C:\Documents and Settings\Angelos\My Documents\Serials3k\s3k_autoupdate.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"SiSSoundMan" = "C:\WINDOWS\System32\SoundMan.exe" ["Avance Logic, Inc."]
"SiSSetCDfmt" = "C:\WINDOWS\System32\SetCDfmt.exe" [null data]
"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"MessengerPlus3" = ""C:\Program Files\Messenger Plus! 3\MsgPlus.exe"" ["Patchou"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0\bin\jusched.exe" ["Sun Microsystems, Inc."]
"DataLayer" = "C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [empty string]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"WinampAgent" = "C:\Documents and Settings\Angelos\My Documents\Winamp\winampa.exe" [null data]
"StarSkin" = "C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H" ["RocketDivision.com"]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\PC-cillin 2000\Tmdshell.dll" ["Trend Micro Inc."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\PC-cillin 2000\VBProp.dll" ["Trend Micro Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}" = "Zinio Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
"{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}" = "Zinio Magazine Column Provider"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
"{091D66CD-24B7-4210-A790-78463B1B3D7A}" = "Zinio Shell Extension UI Object"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "st"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\winacpi.dll" [file not found]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{D9F81151-62CA-4858-B45E-82B3EC41A549}" = "RExpCtxU"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Resco\Pocket Encryption\RExpCtxU.dll" [empty string]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{3FCEF010-09A4-11D4-8D3B-D12F9D3D8B02}" = "TIShelEx Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\TISHAR~1\TICONN~1\TIShlExt.dll" ["Texas Instruments Incorporated"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\btneighborhood.dll" ["Broadcom Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
RExpCtxU\(Default) = "{D9F81151-62CA-4858-B45E-82B3EC41A549}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Resco\Pocket Encryption\RExpCtxU.dll" [empty string]
sysacpildap\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\winacpi.dll" [file not found]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tds3shl.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
RExpCtxU\(Default) = "{D9F81151-62CA-4858-B45E-82B3EC41A549}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Resco\Pocket Encryption\RExpCtxU.dll" [empty string]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tds3shl.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Firefox Wallpaper.bmp"

Startup items in "Angelos" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"BTTray" -> shortcut to: "C:\Program Files\Creative\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Real-time Monitor" -> shortcut to: "C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_520FCCE.exe" [null data]

Enabled Scheduled Tasks:
------------------------

"{1A2E362C-A3E9-461D-9A07-F73489EA872C}_GV-GT9DZEWK_Kaith" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{1A2E362C-A3E9-461D-9A07-F73489EA872C}_GV-GT9DZEWK_Kaith"" [MS]
"{3C5DABE7-89C2-459A-ACB8-D4CE2C1F24E9}_GV-GT9DZEWK_Angelos" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{3C5DABE7-89C2-459A-ACB8-D4CE2C1F24E9}_GV-GT9DZEWK_Angelos"" [MS]
"{81A70C0C-B91D-430F-94C3-05D84F40F8DB}_GV-GT9DZEWK_Kaith" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{81A70C0C-B91D-430F-94C3-05D84F40F8DB}_GV-GT9DZEWK_Kaith"" [MS]
"{906BE0EE-BB9D-40D7-BCFA-513E20274D65}_GV-GT9DZEWK_Kaith" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{906BE0EE-BB9D-40D7-BCFA-513E20274D65}_GV-GT9DZEWK_Kaith"" [MS]
"{C55CA879-B1D1-4E33-8ACB-3519420B57A7}_GV-GT9DZEWK_Angelos" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{C55CA879-B1D1-4E33-8ACB-3519420B57A7}_GV-GT9DZEWK_Angelos"" [MS]
"{FEDBF4A1-68B9-4B92-98FD-31FD28984EFA}_GV-GT9DZEWK_Angelos" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{FEDBF4A1-68B9-4B92-98FD-31FD28984EFA}_GV-GT9DZEWK_Angelos"" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{014DA6C9-189F-421A-88CD-07CFE51CFF10}" = "My Search Bar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Program Files\Creative\Bluetooth Software\btsendto_ie.htm" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Bluetooth Service, btwdins, "C:\Program Files\Creative\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 329 seconds, including 19 seconds for message boxes)

#17
tampabelle

Posted 23 August 2005 - 12:57 PM

Member 5k

Retired Staff
6,363 posts

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Update About:Buster

Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster

Update CWShredder

Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

My Search

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folder -

C:\Program Files\MySearch

Please run about:buster by RubbeRDuckY:

Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again

Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp!Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

#18
GeekNeeder

Posted 23 August 2005 - 02:40 PM

Member

Topic Starter
Member
24 posts

I could not update any of the two things you told me to. No, they were not blocked by the firewall as I gave the yes for connection to the internet.
My Search was not in the Add or Remove Programs. However, I think it was not there because I removed it as you told me previously. The thing I found, though, was 'My Search Bar'. It could not be removed because, as I understood, no files were found for that. Again, I think I deleted its files when you told me previously from C:\Program Files\MySearch. This is why the 'MySearch' folder was not there (it was deleted).
about:buster could not be run twice. The first time it went perfect, but when it asked me if I want a second time and said yes, the PC crashed at 98%. I try it again after a reboot into safe mode, but second time was worse, crashing at 22%. After a lot of tries I've decided to only run it once, save log, reboot to safe mode, run it again once, and save log. Here is the log:

Scanned at: 11:03:29 µµ on: 23/8/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 11:10:06 µµ on: 23/8/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

CWShredder found nothing. This is probably because I run it in the past, before I seeked your help. This is hopefuly good news that it found nothing.
I run CleanUp! and thankfully, nothing unexpected happened.

The on-line virus scans require Internet Explorer. As I said before I do not dare open IE, so a scan was unfortunately not completed.

The HiJackThis log is attached.

Thank you once again!

Attached Files

hijackthis.txt 5.91KB 95 downloads

#19
tampabelle

Posted 23 August 2005 - 05:10 PM

Member 5k

Retired Staff
6,363 posts

Hi,

I need to update my database. There is a newer version of About Buster.

Please follow the instructions to download and use it here - http://www.besttechi...?showtopic=1488

What issues did you have with updating the programs ???

Please download Firefox Mozilla Browser and install it.

Use Firefox to do a scan at -

http://uk.trendmicro...call_launch.php

Post back the scan report and the About Buster log

#20
GeekNeeder

Posted 26 August 2005 - 11:32 AM

Member

Topic Starter
Member
24 posts

Here is the About Buster log:

AboutBuster 5.0 reference file 28
Scan started on [24/8/2005] at [5:30:33 µµ]
------------------------------------------------
Removed Stream! C:\WINDOWS\Thumbs.db:encryptable
Removed Stream! C:\WINDOWS\_default.pif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:33:38 µµ

Now about the scan: it scanned my computer and said that it could not clean the viruses. I was in a hurry when I read that, so I may have to do another scan if you need me to, for a log. I didn't see anywhere about a log. It found 19 infected files and most file names were starting with "JAVA". I'm gonna do another scan to see if they can be cleaned and for a log. Here is also the HJT log just in case:

Logfile of HijackThis v1.99.1
Scan saved at 8:30:30 µµ, on 26/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Angelos\My Documents\Winamp\winampa.exe
C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Block Checker\block-checker.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Creative\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\PROGRA~1\Creative\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Creative\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Documents and Settings\Angelos\My Documents\Firefox\firefox.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\System32\navshext.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SiSSoundMan] C:\WINDOWS\System32\SoundMan.exe
O4 - HKLM\..\Run: [SiSSetCDfmt] C:\WINDOWS\System32\SetCDfmt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Angelos\My Documents\Winamp\winampa.exe
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AutoUpdate] C:\Documents and Settings\Angelos\My Documents\Serials3k\s3k_autoupdate.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Creative\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Creative\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Creative\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Creative\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

As for the updates, it, at first, says "Gathering information for Update" and then "An error has occured while updating". Yes, they are enabled to connect to the internet by the firewall.

Thank you for your help!

#21
tampabelle

Posted 26 August 2005 - 11:49 AM

Member 5k

Retired Staff
6,363 posts

Dont run a scan again at Kaspersky. I think I know what the issue is !!!

Click on Start ---> Settings ---> Control panel ---> Java (with an icon like a coffee cup) ----> Update. Click on Update now.

After the update is complete, close all the windows.

Download Blockrem from HERE

Unzip it to its own folder on your desktop.
Boot your computer to safe mode by rebooting and tapping the F8 button repeatedly until it brings up a boot menu.
From that menu, select Safe Mode by using the arrow keys to highlight it then pressing enter.
Once in safe mode open the Blockrem folder on your desktop and double-click blockrem.bat (this is the file with the gear icon) to run it.
Once it is running please follow the onscreen instructions.
Reboot and post a HijackThis log.

Edited by tampabelle, 26 August 2005 - 11:50 AM.

#22
GeekNeeder

Posted 26 August 2005 - 01:26 PM

Member

Topic Starter
Member
24 posts

Once more :@ I can't update. It tells me "Error - The request has timed out." Why can't I update anything. I'm thinking that it is the firewall, but why? when it asks me if I want them to access the internet, I say yes, so what is the problem? I even tried closing the firewall, and still had the same problem. By the way, it is Sygate Personal Firewall. Should I proceed with your other instructions? Oh, and I didn't run the scan at Kapersky because I have Firefox. You told me to run a scan at Trend Micro. I'll just assume that you meant Trend Micro and not scan again. Thank you.

Edited by GeekNeeder, 26 August 2005 - 01:29 PM.

#23
tampabelle

Posted 26 August 2005 - 04:45 PM

Member 5k

Retired Staff
6,363 posts

Uninstall Sygate and then try updating Java.

Even if that doesnt work, please do the Blockrem fix and post back the HJT log

#24
GeekNeeder

Posted 26 August 2005 - 05:21 PM

Member

Topic Starter
Member
24 posts

Here is what Blockrem told me:

BlockChecker Removal Tool v1.00
By Atri
http://www.atribune.org
To remove Block Checker
This tool will only work in safe mode
toget to safe mode tap the
F8 key on reboot and select
safe mode from the menu
that appears.
Press any key to continue . . .
The system cannot find the file specified.
The system cannot find the file specified.
Could Not Find C:\WINDOWS\system32\ccapp.exe
Could Not Find C:\WINDOWS\system32\navshext.dll
Could Not Find C:\WINDOWS\system32\ustart.exe
Could Not Find C:\WINDOWS\system32\~ustart.exe
Please post a HijackThis log on
one of the various online Anti-Malware sites
I personally recommend
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
To close this window
Press any key to continue . . .

A friend of mine told me to download Block Checker yesterday for MSN Messenger. It was not working, though. Is it that block checker it is talking about? Oh and I said that most of the viruses started with "JAVA" but NOT all. I remember two being: 'JAVA_BYTEVER.R' and 'JAVABYTEVER.R' BUT there were more :tazz:

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:17:35 pµ, on 27/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Angelos\My Documents\Winamp\winampa.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Creative\Bluetooth Software\BTTray.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\PROGRA~1\Creative\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Creative\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Angelos\My Documents\Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility]

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SiSSoundMan] C:\WINDOWS\System32\SoundMan.exe
O4 - HKLM\..\Run: [SiSSetCDfmt] C:\WINDOWS\System32\SetCDfmt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!

3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer]

C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication]

C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe

-startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Angelos\My

Documents\Winamp\winampa.exe
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION

SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program

Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!

3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft

ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AutoUpdate] C:\Documents and Settings\Angelos\My

Documents\Serials3k\s3k_autoupdate.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program

Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: AltaVista Search - file://C:\Program

Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program

Files\Creative\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate - file://C:\Program

Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

- C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite -

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft

ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}

- C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft

ActiveSync\inetrepl.dll
O9 - Extra button: @btrez.dll,-4015 -

{CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program

Files\Creative\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 -

{CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program

Files\Creative\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} -

C:\WINDOWS\System32\btxppanel.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program

Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation -

C:\Program Files\Creative\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program

Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate

Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program

Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc.

- C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

Edited by GeekNeeder, 26 August 2005 - 05:27 PM.

#25
tampabelle

Posted 26 August 2005 - 05:36 PM

Member 5k

Retired Staff
6,363 posts

yeah thats the block checker !!! It is bad.

Please do a online scan again and post the log here

#26
GeekNeeder

Posted 28 August 2005 - 05:21 PM

Member

Topic Starter
Member
24 posts

I'm really sorry for the delay, but the online scans take too long, and I just can't find the time at the moment. I'll get back to you, though, probably in the next two days. Thank you for all your help.

#27
tampabelle

Posted 28 August 2005 - 05:46 PM

Member 5k

Retired Staff
6,363 posts

Sure no problem

#28
tampabelle

Posted 22 September 2005 - 11:35 AM

Member 5k

Retired Staff
6,363 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.