Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Deeply hidden malware?

Started by Charles Baah , Sep 16 2005 08:54 PM

  • Please log in to reply

#1
Charles Baah
Posted 16 September 2005 - 08:54 PM

Charles Baah

    New Member

  • Member
  • Pip
  • 8 posts
Hi Folks

This posting was originally started in the Internet and Browsers Forum. I was advised by the moderator to start a new topic here after the problem studied and troubleshot it:

Starting with my home PC setup:
OS - Windows XP Pro, SP2 (XP Firewall Off)
NIC Controller :Integrated Intel 10/100 Ethernet
Cable Modem : Motorola Surfboard SB4200, (no driver update at Motorola site)
Router: 4 port Wireless Linksys BEFWS11 V2 (latest Firmware from Linksys updated)
AntiVirus Software: Norton AntiVirus and Firewall
Other Software: Ad-Aware SE Personal Edition, SpyBot Search & Destroy, HiJackThis, WinsockXPFix,
Windows XP AntiSpyware Beta Version, avast! Antivirus

I have been losing Internet connection after a few minutes (5mins at most) over the last month or so. I can send and receive Email without any problem, Before it fails, the Internet connection sits and churns for a long time before "The page cannot be displayed" error is displayed. The only way I can reconnect is to reboot the computer.

Strangely, I do not lose the connection when I boot into "Safe Mode with Networking". I can surf all day.

The problem happens only on my desktop machine and not on my laptop. The two machines are connected to the Internet through the same Cable Modem and Router. I can also surf all day on the laptop without having to reboot even once. So that should rule out the Router and/or the Cable Modem as the source of the problem. When both computers are connected, the Router port for the laptop shows a lot of activity but the port for the desktop appears rather sluggish and it eventually dies. Changing ports and switching cables have not helped so far. Removing the laptop from the setup does not help. I have gone through at least 4 long troubleshooting sessions with my ISP Tech Support.


My Hijackthis 1.99 results:

Logfile of HijackThis v1.99.1
Scan saved at 8:19:02 PM, on 9/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\KwasiHome\Desktop\HijackThis1991.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

Any help will be appreciated.
  • 0

Advertisements

#2
Armodeluxe
Posted 14 November 2005 - 09:22 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Hi Charles,

That log looks clean, though it has been a long time since you posted it..

Please post a new log along with the following:

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.
  • 0

#3
Charles Baah
Posted 15 November 2005 - 07:35 AM

Charles Baah

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Armodeluxe,
Here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 7:45:21 AM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


RootkitReveal Scan Results:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 11/14/2005 8:54 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 11/14/2005 8:53 PM 16 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\TriFile_automatic$20liveupdate_2.5.55_english 11/14/2005 8:57 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\TriFile_ccpd$5fretail$5flicensing$5ftechnology_5.0_english 11/14/2005 8:57 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\TriFile_common$20client$20core_103.0.5_english 11/14/2005 8:57 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\TriFile_drm$5fcom$5fmodules$5f02_5.0_english 11/14/2005 8:57 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\TriFile_drm$5fcom$5fmodules_5.0_english 11/14/2005 8:57 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\TriFile_drm$5fintegratorcategoryhook$5f02_5.0_english 11/14/2005 8:57 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\lulock.dat 11/14/2005 8:56 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp2bd3.tmp 11/14/2005 8:56 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5a35.tmp 11/14/2005 8:56 PM 0 bytes Visible in Windows API, but not in MFT or directory index.


MWav Scan Results (you were right...scan took 6hrs to complete):

Object "adware.7000n Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "clipgenie Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor.topicks.a Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\avsniff.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\GrooveAX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\rufsi.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\cliconf.hlp". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\System\OLE DB\sqlsoldb.hlp". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\spool\DRIVERS\W32X86\bvrpwf2000.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\spool\DRIVERS\W32X86\bvrpwf2000.gpd". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM32\ZoneLabs\vsdb.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM32\ZoneLabs\html.tdr". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM32\ZoneLabs\vsruledb.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM32\ZoneLabs\cerbprovider.pvx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\rufsi.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\avsniff.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Printme\PMAdobeIndex.url". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\PoohK.exe" refers to invalid object "E:\Setup\PoohK\US\HD\PoohK.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\PoohP.exe" refers to invalid object "E:\Setup\PoohP\US\HD\PoohP.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Dell Computer\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Dell Computer\Dell Image Expert\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Dell Computer\Dell Image Expert\offline\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Dell Computer\Dell Image Expert\system\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Dell Computer\Dell Picture Studio\LangDLLs\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Sunbelt Software\CounterSpy\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Sunbelt Software\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rnx". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".SBS". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB824151". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB828741". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB834707-IE6-20040929.115007". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB835732". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB842773". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329048". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329115". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329170". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329390". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329441". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329834". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810577". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810833". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q817606". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{66D08203-FB46-4D27-A609-FFE9A77FAA1F}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{DA256408-A2E7-41A5-8AD6-62ACB86A0FD7}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}" refers to invalid object "E:\ACROBA~5\READER\ACRORD32.EXE". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{60ACE49B-F247-4E12-B740-EF8DB1941D0F}" refers to invalid object "C:\Program Files\ewido\security suite\context.dll". Action Taken: No Action Taken.
Entry "HKCR\.jpg" refers to invalid object "DellImageExpertImage". Action Taken: No Action Taken.
Entry "HKCR\.shtml" refers to invalid object "FirefoxHTML". Action Taken: No Action Taken.
Entry "HKCR\.xht" refers to invalid object "FirefoxHTML". Action Taken: No Action Taken.
Entry "HKCR\.xhtml" refers to invalid object "FirefoxHTML". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Context.test" refers to invalid object "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}". Action Taken: No Action Taken.
Entry "HKCR\Context.test.1" refers to invalid object "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\ppifile\shell\open\command" refers to invalid object "%SystemRoot%\System32\msppcnfg.exe /Config %1". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\unzipped\Pstools\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.153. No Action Taken.
File C:\unzipped\Pstools\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.153. No Action Taken.


Thanks

Charles

Edited by Charles Baah, 15 November 2005 - 07:37 AM.

  • 0

#4
Armodeluxe
Posted 15 November 2005 - 08:38 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
There's nothing showing up in those logs that can cause your problem..

Your HijackThis log looks clean, Rootkitrevealer log looks clean and all MWAV found is orphaned registry entries..

I believe your problem may be caused by one of the legitimate startup programs or services..

Here are some possible culprits..the comments are from the site Answers That Work..

NVIDIA Display Driver Service (NVSvc) NVIDIA Driver Helper Service which gets installed under Windows NT4/2000/XP/2003 by the NVIDIA drivers for some of their graphics cards (or graphics cards based on an NVIDIA chipset). We do not at this stage know what this process does except consume memory ! And we also have no idea as to what a “Driver Helper Service” is supposed to do !!

Recommendation :
This service is often responsible for various glitches, from significant shutdown delays to excessive memory usage. Disabling it, however, does not result in our experience in any ill-effect as regards the proper operation of your NVIDIA or NVIDIA chipset graphics card, so we recommend that you definitely set the Startup Mode of this service to Disabled

KodakCCS Kodak Camera Connection Software (also called “Kodak DC Ring 3 Conduit (Win32)”). This task is installed by the Kodak EasyShare software as a startup item on Windows 98/ME, or as a service on Windows 2000/XP. This task/service recognizes when your Kodak camera is plugged via the USB port and fires up the EasyShare software so that you can transfer your pictures to the PC.

Recommendation :
The history of this task/service is not a good one, from the days that it used to be called DCFSSVC to now in 2005 (Time of writing : 30‑May‑2005). From problems transferring pictures, problems shutting Windows 98/ME down, inability to use other USB devices while this software is installed (not in the current version of the software), and a general instability of the software when the PC has other programs installed on it which also work with USB ports. From a technical standpoint we do not understand why Kodak still insists on using this task on Windows XP. While it made sense when Windows 98SE was still on over 50% of PCs back in 2003 and earlier, it makes no sense with Windows ME/2000/XP since those versions of Windows have the inbuilt facility to associate an event on a USB port with the running of a specific program which can then use Windows to transfer from the USB device (your Kodak camera) to the hard disk. In our view it is because Kodak insist on using KODAKCCS that there are still more problems with this software than there should be. That said :

1) If you are not experiencing any problems with either the Kodak EasyShare software or your PC, leave this task alone. There is no point fixing what ain’t broke !

2) If you are experiencing problems, you may first try to download the latest version of the EasyShare software, www.EasyShare.com (read everything thoroughly before downloading and upgrading).

3) If you still have problems after installing the latest version of the EasyShare software, and you have Windows XP, then set the Startup Mode of this service to Disabled; next, reboot your PC, with your Kodak camera still plugged in, and, once Windows has restarted, right-click on the drive which corresponds to your camera in Windows Explorer (or “My Computer”), choose the AUTOPLAY tab, choose “Pictures” in the drop-down, choose “Select an action to perform”, choose the “Kodak EasyShare” software and then OK all the way out. We have found this to work.

4) Alternatively, purchase a card-reader and transfer your pictures using the card reader and Windows Explorer (or “My Computer”) (after disabling this startup task, Win98/ME, or setting the startup mode of this service to disabled, Win2000/XP). Note that in Windows XP you can make the same AUTOPLAY modifications mentioned in (3) above on the drive letters used by the card reader.

Wcescomm Microsoft ActiveSync Connection Manager. ActiveSync is Microsoft’s free Synchronization manager which enables you to synchronize your Windows CE based handheld/palm-size PC with your desktop PC. You can synchronize documents but also e-mail and calendaring items. WCESCOMM starts whenever the PC boots up and runs in the background in the System Tray until it detects that a Pocket PC has been connected to your PC, at which points it shows up to begin the synchronization process.

Recommendation :
One of the most common problems with ActiveSync is the WCESCOMM process hanging because ActiveSync encountered problems during synchronization. When that happens the user often has no option but to shutdown and restart his PC before ActiveSync will again recognize his Pocket PC. Another issue is WCESCOMM interfering with your connection to a network, or preventing the user from using some of his serial or USB ports with other software. Finally, when not in use, WCESCOMM can often still consume up to 10% of CPU processing time ! Disabling it does not work because it is re-installed as a startup item the next time you manually start ActiveSync ! If you have any of the above problems, download ActiveSyncToggle from our Downloads page – it enables you to stop and start ActiveSync (in the shape of WCESCOMM) as and when you really need it. http://www.answersth...s/downright.htm

Dumprep Windows Error Reporting Dump Reporting Tool. Found on Windows XP/2003. It shows as a startup item whose execution line usually reads as "KernelFaultCheck" %systemroot%\system32\dumprep 0 –k. DUMPREP creates memory dump reports that you can send to Microsoft if you answer "Yes" when prompted to send such reports. In our experience this entry only shows up for the first time after your PC has experienced a Windows XP "dump" crash, or an Office XP or Internet Explorer 6 crash where you were prompted about sending the crash results to Microsoft.

Recommendation :
It is our experience that having Error Reporting set to ON only causes more crashes. The mind boggles at this : in both Netscape and Internet Explorer our experience shows that if you turn error reporting ON, you will crash often in either browser, if not sometimes always !! You’ve guessed it, avoid Error Reporting like the plague. In both Windows XP and Windows 2003 turn it OFF by opening the SYSTEM icon in the Control Panel, choosing the ADVANCED tab, and then clicking on Error Reporting.

If you will disable the first two above listed services, this is how to do it:

Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

NVIDIA Display Driver Service (NVSvc)

Kodak Camera Connection Software (KodakCCS)

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.


I hope one of the above solves your problem..
  • 0

#5
Charles Baah
Posted 15 November 2005 - 10:06 AM

Charles Baah

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Armodeluxe,

At least it is good to know that the root of my problem may not necessarily be some nasty Malware lurking inside my computer and waiting to pounce.

I will try the suggestion you have provided and post back the results.

Thanks for your help

Charles
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP