08-03-2006, 06:15 AM #21
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005 | Location: Ohio | Posts: 26,861 | OS: WinXP and Vista


No, do not debug. At what point in these instructions did these runtime errors begin to appear?

What steps have you completed so far?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
08-03-2006, 03:37 PM #22
Download Junkie (Registered User)
Join Date: Jul 2006 | Posts: 57 | OS: XP Home edition


Hi Ried, RE: the runtime errors

They started appearing after the second-to-last set of instructions you sent me.

I've done all the steps except for the last lot you sent.

PS. I've downloaded IESpyAd but haven't installed it yet. I was waiting to hear back from you about the runtime errors and get the okay from you on whether or not to proceed.
08-03-2006, 06:03 PM #23
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005 | Location: Ohio | Posts: 26,861 | OS: WinXP and Vista


Quote:
I've done all the steps except for the last lot you sent
I'm a bit confused--you've downloaded IESpyAd, but you haven't done any of the other instructions yet? Have you completed any of the HijackThis fixes or the file deletions? I apologize for all the questions, but I need to know exactly where we are here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
08-04-2006, 07:08 PM #24
Download Junkie (Registered User)
Join Date: Jul 2006 | Posts: 57 | OS: XP Home edition


Hi Ried, I'm having a problem getting the ActiveScan to run.

While doing the last set of instructions all was going fine till I installed IESpyAd. I'm not saying it caused what happened next, because I just don't know. I'd just finished installing it and left the computer to make a cuppa, and when I got back about 5 minutes later there was an error message up saying "Your system has just recovered from a serious error". I did the send error report; I also made a copy of it, if you're interested in what it sent to Microsoft.

I then rebooted the PC, got online and tried the Panda ActiveScan. The page loaded up quite slowly, almost 3 minutes. I clicked on the ActiveScan link and a small window appeared with a yellow triangle with an exclamation mark in it, the word "Pepe" and an OK button. I pressed it and nothing happened :( There were two other buttons on the page that said Scan Now, so I pressed one of those; a window appeared asking for country and email, I filled them in and pressed Scan Now. The green progress bar came up full with no seconds remaining. It was still like that three hours later.

I tried several times after that with the same result.

All the other steps were done just like you asked.
The files you wanted deleted didn't exist after the HijackThis scan.

So here are the results without the Panda report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:43 06-08-04

+ Scan result:



C:\WINDOWS\system32\FQ20ENU.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Application Data\Starware -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Application Data\Starware\Manager -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Application Data\Starware\Manager\ManagerOptions.xml -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Application Data\Starware\Manager\ManagerOptions.xml.backup -> Adware.Starware : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[1].txt.pvaa.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[2].txt.pvaa.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@tribalfusion[1].txt.pvaa.dkb -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@tribalfusion[2].txt.pvaa.dkb -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@yadro[1].txt.pvaa.dkb -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvaa.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvab.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvac.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvad.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvae.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pdac.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pmaa.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvad.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvae.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvaf.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvag.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvah.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pwab.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end

New HijackThis log from Normal Mode

Logfile of HijackThis v1.99.1
Scan saved at 12:20, on 06-08-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\TURBOC~1\netdetect.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Black Dragon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [TurboConnect] C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153690380437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
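As an added example (not part of the thread, and not code from HijackThis or the forum), here is a small Python triage pass over lines in the HijackThis log format posted above. It parses entries by section code and flags the items a helper usually checks first: bare-name O4 autostarts, O16 ActiveX downloads from hosts outside an allow-list, O17 DNS resolvers outside the expected set, and O23 services with no publisher. The expected resolvers, the trusted download hosts and the 192.0.2.53 address are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 log format, modelled on the log posted
# above. 192.0.2.53 is a documentation-range placeholder standing in for an
# unexpected resolver; the remaining lines mirror entries from that log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 192.0.2.53 202.27.156.72
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed baseline for this example: the resolvers the user's ISP is expected to
# hand out (the two addresses in the posted O17 lines) and the only hosts we
# trust to push ActiveX controls (O16 DPF entries) into the browser.
EXPECTED_RESOLVERS = {"202.27.158.40", "202.27.156.72"}
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{[^}]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"NameServer = (?P<addrs>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O17"
    item: str    # the entry name, address or host the finding is about
    reason: str  # why a helper would look at it before anything else


def parse_hjt(text):
    """Return (section code, body) pairs for every entry line in an HJT log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Apply first-pass checks to the sections that hijackers most often abuse."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "O4":
            # Autostart entries: a bare executable name is resolved through the
            # search path at logon, so it deserves a look even when benign.
            m = O4_RE.match(body)
            if m:
                exe = m.group("cmd").split()[0]
                if "\\" not in exe and not exe.startswith("%"):
                    findings.append(Finding(code, m.group("name"),
                                            "autostart command has no directory"))
        elif code == "O16":
            # Downloaded Program Files: ActiveX controls fetched from the web.
            m = O16_RE.match(body)
            if m:
                host = urlparse(m.group("url")).hostname or ""
                if host not in TRUSTED_DPF_HOSTS:
                    findings.append(Finding(code, host,
                                            "ActiveX control from untrusted host"))
        elif code == "O17":
            # DNS servers: a changed resolver silently redirects every lookup.
            m = O17_RE.search(body)
            if m:
                for addr in m.group("addrs").split():
                    if addr not in EXPECTED_RESOLVERS:
                        findings.append(Finding(code, addr,
                                                "resolver not in expected set"))
        elif code == "O23":
            # Services: no publisher string means nothing to attribute it to.
            m = O23_RE.match(body)
            if m and m.group("owner").lower() == "unknown owner":
                findings.append(Finding(code, m.group("name"),
                                        "service has no publisher information"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.item:<40} {f.reason}")
```

A flagged item is a review prompt, not a verdict: SoundMan and the Driver Agent control in the sample are ordinary software, and the point of the pass is to order what a helper reads first.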
08-04-2006, 09:01 PM #25
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005 | Location: Ohio | Posts: 26,861 | OS: WinXP and Vista


Hi Download Junkie,

First, let's see if this helps with the Runtime errors:

Open Internet Explorer.
Click on Tools and select Options.
Click on the Advanced tab.
Put a check in the box next to Disable script debugging

Uncheck the box next to Display a notification about every script error if it is currently checked.

Click OK to confirm your changes.

--------------------------------------

Download WinPFind and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet.

-------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

-------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

Network Monitor

-------------------------------------

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found. Save that log and post it here.

Restart one more time back into Normal Mode.

Download gmer from http://www.gmer.net & unzip it to desktop.
Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Press Scan and, when it has finished, press Copy and paste the log back here along with the winpfind.txt.

Please let me know of any problems incurred while carrying out the above procedures.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
08-05-2006, 12:22 AM #26
Download Junkie (Registered User)
Join Date: Jul 2006 | Posts: 57 | OS: XP Home edition


Hi Ried. Re: Uninstall Network Monitor

After doing the runtime help thingy you sent, I downloaded WinPFind, not installed, as asked. I rebooted into Safe Mode, went to Control Panel > Add/Remove, clicked on Network Monitor and got an error message telling me:

---------------------------
Windows Script Host
---------------------------
Can not find script file "C:\WINDOWS\uninstall_nmon.vbs".

---------------------------
OK
---------------------------

That's as far as I've gotten.
08-05-2006, 12:51 AM #27
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005 | Location: Ohio | Posts: 26,861 | OS: WinXP and Vista


That's fine, and actually a good thing.

Please continue with the remaining instructions.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
08-05-2006, 02:44 AM #28
Download Junkie (Registered User)
Join Date: Jul 2006 | Posts: 57 | OS: XP Home edition


Hi Ried, WinPFind and Gmer logs

After launching WinPFind and rebooting into Normal Mode I got another system error saying "The system has recovered from a serious error."

Error signature:

BCCode : d1 BCP1 : 8059B000 BCP2 : 00000005 BCP3 : 00000000
BCP4 : F9BD1E16 OSVer : 5_1_2600 SP : 1_0 Product : 768_1

I sent the error report off to Microsoft and saved a copy of it for you. If you would like to see it, let me know and I'll post it in the next reply.


Anyway, here are the reports you asked for:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 99-12-21 08:58:02 21312 C:\WINDOWS\choice.exe

Items found in C:\WINDOWS\HOSTS

ad-w-a-r-e.com 06-08-05 09:11:18 606936 C:\WINDOWS\setupapi.log

Checking %System% folder...
aspack 05-07-22 19:59:04 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
PEC2 02-08-30 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 06-06-27 03:32:34 620180 C:\WINDOWS\SYSTEM32\divx.dll
PECompact2 06-06-27 03:32:34 620180 C:\WINDOWS\SYSTEM32\divx.dll
Umonitor 02-08-30 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 02-08-30 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 06-07-23 09:50:28 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 06-07-23 09:50:28 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 06-07-23 09:50:28 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 06-07-23 09:50:28 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
06-08-05 19:05:24 S 2048 C:\WINDOWS\bootstat.dat
06-07-31 14:22:04 HS 10752 C:\WINDOWS\Thumbs.db
06-07-21 22:24:36 RH 749 C:\WINDOWS\WindowsShell.Manifest
06-07-23 19:52:58 RHS 227 C:\WINDOWS\assembly\Desktop.ini
06-07-21 22:24:42 H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
06-07-21 22:25:10 HS 67 C:\WINDOWS\Fonts\desktop.ini
06-07-27 21:55:58 H 8628 C:\WINDOWS\Help\netcfg.GID
06-08-02 12:15:48 H 0 C:\WINDOWS\inf\oem10.inf
06-07-22 11:38:46 H 0 C:\WINDOWS\inf\oem7.inf
06-07-22 11:49:26 H 0 C:\WINDOWS\inf\oem8.inf
06-07-21 22:24:42 H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
06-07-21 22:24:54 RHS 727 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_1.cab
06-07-21 22:24:54 RHS 19854 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_2.cab
06-07-21 22:24:54 RHS 243124 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_3.cab
06-07-21 22:25:32 H 229376 C:\WINDOWS\repair\ntuser.dat
06-08-03 13:29:50 HS 8704 C:\WINDOWS\Resources\Boot\Thumbs.db
06-08-03 13:29:50 HS 6144 C:\WINDOWS\Resources\BootScreens\Thumbs.db
06-08-03 13:29:50 HS 8704 C:\WINDOWS\Resources\Logon\Thumbs.db
06-07-31 10:43:14 HS 0 C:\WINDOWS\system32\.exe
06-07-21 22:24:36 RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
06-07-21 22:24:42 RH 488 C:\WINDOWS\system32\logonui.exe.manifest
06-07-21 22:24:36 RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
06-07-21 22:24:36 RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
06-07-21 22:24:36 RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
06-08-05 17:59:28 H 237 C:\WINDOWS\system32\vsconfig.xml
06-07-21 22:24:42 RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
06-07-21 22:24:36 RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
06-07-29 11:08:42 H 4212 C:\WINDOWS\system32\zllictbl.dat
06-08-05 19:05:10 H 8192 C:\WINDOWS\system32\config\default.LOG
06-08-05 1910 H 1024 C:\WINDOWS\system32\config\SAM.LOG
06-08-05 19:05:24 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
06-08-05 1932 H 81920 C:\WINDOWS\system32\config\software.LOG
06-08-05 19:05:26 H 872448 C:\WINDOWS\system32\config\system.LOG
06-07-22 10:10:18 H 1024 C:\WINDOWS\system32\config\TempKey.LOG
06-07-22 10:10:18 H 1024 C:\WINDOWS\system32\config\userdiff.LOG
06-07-22 10:13:48 HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
06-07-22 08:35:24 HS 2572 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
06-07-22 08:35:30 HS 139 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
06-07-22 08:35:28 HS 122 C:\WINDOWS\system32\config\systemprofile\Favorites\Desktop.ini
06-07-22 10:13:48 HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
06-07-22 08:35:26 HS 82 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
06-07-21 22:24:56 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
06-07-22 08:35:22 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
06-07-21 22:24:56 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
06-07-21 22:24:56 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\85OFIPOX\desktop.ini
06-07-21 22:24:56 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OLU54N2V\desktop.ini
06-07-21 22:24:56 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SRKTC7C9\desktop.ini
06-07-21 22:24:56 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y7KTOPUH\desktop.ini
06-07-22 08:35:28 HS 77 C:\WINDOWS\system32\config\systemprofile\My Documents\desktop.ini
06-07-22 08:35:28 HS 182 C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\Desktop.ini
06-07-22 08:35:28 HS 184 C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini
06-07-22 08:35:28 HS 150 C:\WINDOWS\system32\config\systemprofile\Recent\Desktop.ini
06-07-21 22:24:42 HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
06-07-22 10:13:48 HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
06-07-22 08:35:34 HS 292 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
06-07-22 08:35:26 HS 542 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
06-07-21 22:25:26 HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
06-07-21 22:25:26 HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
06-07-21 22:25:26 HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
06-07-23 20:02:48 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\8777738a-e326-44a7-b1ba-874c4b576ba1
06-07-23 20:02:48 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
06-07-21 22:58:06 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\00c67454-1683-4118-ac06-a653743319a9
06-07-21 22:58:06 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
06-07-22 11:38:50 RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
06-08-05 19:04:30 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 02-08-30 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 03-04-01 21:47:50 6652928 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 02-08-30 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 02-08-30 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 02-08-30 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 02-08-30 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 02-08-30 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 02-08-30 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 02-08-30 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 02-08-30 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 02-08-30 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 02-08-30 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 02-08-30 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 02-08-30 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 02-08-30 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 02-08-30 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 02-08-30 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 05-05-26 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 02-08-30 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 02-08-30 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 02-08-30 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 02-08-30 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 02-08-30 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 02-08-30 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 02-08-30 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 02-08-30 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 02-08-30 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 02-08-30 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 02-08-30 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 02-08-30 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 02-08-30 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 02-08-30 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 02-08-30 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 02-08-30 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 02-08-30 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
06-07-21 22:25:26 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
06-07-28 12:00:54 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
06-07-29 11:07:48 742 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm Pro.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
06-07-22 10:13:50 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
06-08-05 17:57:48 1015 C:\Documents and Settings\Black Dragon\Start Menu\Programs\Startup\DataKeeper.lnk
06-07-21 22:25:26 HS 84 C:\Documents and Settings\Black Dragon\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
06-07-22 10:13:48 HS 62 C:\Documents and Settings\Black Dragon\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{04849C74-016E-4a43-8AA5-1F01DE57F4A1}
ButtonText = Trace :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan SOUNDMAN.EXE
SiS Tray
SiS KHooker C:\WINDOWS\System32\khooker.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AGRSMMSG AGRSMMSG.exe
KernelFaultCheck %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TurboConnect C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
STYLEXP C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
Network Monitor 2
cmdService 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 06-08-05 19:12:40


>>>....

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-05 20:07:58
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwConnectPort
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F659AEE0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F659AEE0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [FA41E85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F659AEE0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F659AEE0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [FA41E85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F659AEE0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F659AEE0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [FA41E85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F659AEE0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F659AEE0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [FA41E85A] avgtdi.sys

---- Files - GMER 1.0.10 ----

File F:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----



PS: haven't had any more Runtime errors yet ..... THANKS [;0)
Download Junkie is offline  
Old 08-06-2006, 01:58 AM   #29 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,445
OS: N/A


Download & run this file

The log it produces shall be lengthy

You shan't be able to post it. Please attach it instead.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-06-2006, 03:41 AM   #30 (permalink)
Registered User
 
 
Join Date: Jul 2006
Posts: 57
OS: XP Home edition


Hi sUBs Re: DATFIN~1.BATresult

Hello sUBs, what happened to Reid?
Attached Files
File Type: txt DATFIN~1.BATresult.txt (93.7 KB, 4 views)
Download Junkie is offline  
Old 08-06-2006, 10:35 AM   #31 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,861
OS: WinXP and Vista


I'm still here Download Junkie,

We have a great team here and I had asked sUBs to look in on this thread.


Upload this file C:\WINDOWS\system32\vksec0ce.sys to http://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-06-2006, 03:06 PM   #32 (permalink)
Registered User
 
 
Join Date: Jul 2006
Posts: 57
OS: XP Home edition


Hi RIED RE: Here are the results of virus scan at jotti.org/

Service
Service load: 0% 100%

File: vksec0ce.sys
Status: OK
MD5 952281d8260f00d414e1a2a96983c9f0
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing



Ps: I just woke up to the fact I've been spelling your name wrong .... Duh .... Sorry

Last edited by Download Junkie; 08-06-2006 at 03:17 PM.
Download Junkie is offline  
Old 08-06-2006, 03:30 PM   #33 (permalink)
Registered User
 
 
Join Date: Jul 2006
Posts: 57
OS: XP Home edition


Hi RIED RE: post I sent 08-05-2006 08:44 PM

Did I stuff this one up, or are the two SMILEYS supposed to be there, or does it have anything to do with the name of the log ... we had a young bloke staying with us with the name SAM

These are the lines I'm referring to

06-08-05 1910 H 1024 C:\WINDOWS\system32\config\SAM.LOG

06-08-05 1932 H 81920 C:\WINDOWS\system32\config\software.LOG



Cheers, Download Junkie
Download Junkie is offline  
Old 08-06-2006, 04:45 PM   #34 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,861
OS: WinXP and Vista


Pure coincidence.

I'd like to look at this problem from a different angle.

Make sure you do not need your computer for at least 12 hours before proceeding with this step. This scan may take that long and cannot be stopped.

Click Start>Run and type in chkdsk /r

If it asks you to 'run chkdsk on restart' please click yes, and restart your computer.

This will check your hard drive for errors, and correct any minor errors it finds.

Please let me know how that goes.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-07-2006, 04:05 PM   #35 (permalink)
Registered User
 
 
Join Date: Jul 2006
Posts: 57
OS: XP Home edition


Hi RIED RE: Here are the results CHKDSK

I did the CHKDSK /r.
It took just under an hour and came back as "Volume is clean".
It didn't say if there were any errors.

Ps: My hard drive is only 2 weeks old. It is a Western Digital HDD, 160GB, IDE, 8MB cache.
Download Junkie is offline  
Old 08-07-2006, 08:30 PM   #36 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,861
OS: WinXP and Vista


I'm going to have you do a few things and see if we can't narrow this error down.

Delete your current combofix.exe.

Download combofix from one of these locations:
--------------------------------

Download & run this registry file - VBAS file association fix

-----------------------------

Now let's try invoking Windows File Protection.

Go to the Run box on the Start Menu and type in or copy/paste sfc /scannow (there is a space between sfc and /)

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem. If any problems are found, you will be prompted to insert the Windows XP install disc so have it handy.

-----------------------------

Now try to run combofix.exe and see if we can get a log this time:

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


-----------------------------

If the error still persists:

Let's have a look at Windows Event Viewer. It might give us a clue as to what is causing these issues

Go to Start > Run - type in eventvwr <Press Enter>

This is a picture of what the event viewer looks like.
You will see Application, Security & System listed in the left pane.
  1. In the left pane click on Application.
  2. Click the gray title “Type” at the top of the source name column in the right pane to sort by type name
    Look for “Error” & double-click on the most recent 5, and evaluate the event description for any indication of the cause of the problem.
  3. Make note of the Description, EventID and Source of these Event Properties.
  4. From the right pane, doubleclick on the line where it says error & you should get a window like the example below

  5. In the upper right corner of this picture, you should see 2 arrows. One is pointing up & the other, pointing down.
    There is another button below the 2 arrows. Click once on it. (this will copy some information to clipboard)
  6. Open notepad & paste the info in there. This will copy the event information to the clipboard. Paste the information for each event here

Repeat steps 1-6 for System
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
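The Event Viewer collection in steps 1-6 above (and the repeat for System), as an added PowerShell example that is not from the original post: it pulls the same Source, EventID and Description fields for the five most recent Error entries of each log and opens them in Notepad for pasting. It assumes Windows PowerShell 2.0 through 5.1, whose Get-EventLog cmdlet reads the classic Application and System logs, and an output path on the Desktop that is a constructed placeholder.

```powershell
# Added example, not part of the original thread: gather the fields Ried asks
# for (Source, EventID, Description) from the five most recent Error entries
# in the Application log, then do the same for the System log, and open the
# result in Notepad ready for pasting into a reply.
# Assumes Windows PowerShell 2.0 through 5.1, whose Get-EventLog cmdlet reads
# the classic Application/System logs; PowerShell 7 dropped Get-EventLog in
# favour of Get-WinEvent.

param(
    [int]$Newest = 5,   # entries per log, matching "the most recent 5" in the steps
    # Constructed output path; change it if you keep logs elsewhere.
    [string]$OutFile = (Join-Path $env:USERPROFILE 'Desktop\eventlog-errors.txt')
)

function Get-RecentErrorReport {
    param([string]$LogName, [int]$Count)
    # -EntryType Error is the same filter as sorting the Type column and
    # picking the "Error" rows; -Newest keeps only the most recent ones.
    $entries = @(Get-EventLog -LogName $LogName -EntryType Error -Newest $Count)
    "==== $LogName log: $($entries.Count) most recent Error entries ===="
    if ($entries.Count -eq 0) { "(no Error entries recorded)" }
    foreach ($e in $entries) {
        "Time:        $($e.TimeGenerated)"
        "Source:      $($e.Source)"
        "EventID:     $($e.EventID)"
        # Event descriptions are multi-line; flatten so each event stays one block.
        "Description: $($e.Message -replace '\r?\n', ' ')"
        ""
    }
}

# Steps 1-6 for Application, then "Repeat steps 1-6 for System".
$report = foreach ($log in 'Application', 'System') {
    Get-RecentErrorReport -LogName $log -Count $Newest
}

$report | Out-File -FilePath $OutFile -Encoding ASCII
# Same end result as step 6: the text is in Notepad, ready to paste.
Start-Process notepad.exe -ArgumentList $OutFile
```

If the Event Viewer shows "No event record is selected, or details for the selected event are unavailable", this reads the same log through the API and still returns the stored fields, so it is a useful cross-check when the GUI will not display them.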
Old 08-08-2006, 02:47 AM   #37 (permalink)
Registered User
 
 
Join Date: Jul 2006
Posts: 57
OS: XP Home edition


Hi RIED YIPPEEEE We have a Log

Here it is finally got the slippery little sucker

Ps: Earlier in the day, before I got your instructions, I turned my PC off and while shutting down an "ending programme" window appeared for about 2 seconds, just long enough for me to read YOU SHOULDNT SEE ME ? ......

I restarted my PC and opened up Task Manager to see if it was listed and only got a current processes window ... no Applications tab or any other tabs.
Attached Files
File Type: txt ComboFix.txt (30.9 KB, 2 views)
Download Junkie is offline  
Old 08-08-2006, 08:30 AM   #38 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,861
OS: WinXP and Vista


Hi,

Run CleanUp again:

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

-----------------------------------
Is your Task Manager still 'messed up' after running CleanUp?

Were any errors detected and repaired when you ran the System File Checker? (sfc /scannow)

Is your system still crashing unexpectedly?

Can you post the information from the Event Viewer?

I'd also like to check another file:

Upload this file C:\WINDOWS\system32\.exe to http://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 08-08-2006 at 08:36 AM.
Ried is offline  
Old 08-08-2006, 07:39 PM   #39 (permalink)
Registered User
 
 
Join Date: Jul 2006
Posts: 57
OS: XP Home edition


Hi RIED RE: eventvwr AND sfc /scannow

Deleted old Combofix and replaced it with this one http://www.techsupportforum.com/sectools/combofix.exe

Downloaded & ran this registry file - VBAS file association fix


Did the sfc /scannow. It asked for the XP disk; I let it run its course. It didn't tell me if it found any errors or not.

Did the new ComboFix, which you have the report of.

Went to Start > Run - typed in eventvwr <Pressed Enter>

The windows appeared just like you said they would. I clicked on Application.
In the Type column there were a lot of icons that looked like a document icon with a shredded flag in the middle of it.
I clicked on it and another window appeared like the one you sent, but all it said was: No event record is selected, or details for the selected event are unavailable.

Ps: this is the second time I posted this; the other one just disappeared.

Pps: my PC is a little bit better now (faster)...

I'm off to run the cleanup now..
Download Junkie is offline  
Old 08-08-2006, 08:11 PM   #40 (permalink)
Registered User
 
 
Join Date: Jul 2006
Posts: 57
OS: XP Home edition


Hi RIED RE: CleanUp

Hi, Ried
I ran Cleanup. It said it deleted 20MB, that's on top of the 60MB it deleted the other time it was run.

Task Manager is still 'messed up' after running CleanUp.

System is still crashing unexpectedly, though not as frequently.

I'm getting a few Errors about DataKeeper encountering problems and needing to close.
Download Junkie is offline  
 


Copyright 2001 - 2009, Tech Support Forum