HJT Log help requested

anno · 09-22-2006, 05:09 AM

For the last couple of months I have noticed my system becoming slower and slower with no apparent cause. Startup and rightclick operations in particular.

F-Secure virus scan came up negative.

The TrendMicro search found JAVA_BYTEVER.R and delt with it. F-Secure did alert me to a vunerability when Trend was scanning however, but I put that down to the Trend search. Was I wrong to do so?

Ad-Aware and Spybot found nothing of consequence, only cookies.

My log:

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:13, on 22/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\tblmouse.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wt32exe.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/22640b6b...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095788993124
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/z...ylomloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\system32\Wt32exe.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

Thanks for taking the time to look at this.

**Eclipse2003** · 09-22-2006, 07:42 AM

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

In the meantime, make sure you subscribe to this thread so that you will receive an instant email when I have replied with a fix to your problem. You may do this by clicking the Thread Tools option at the top of your post and then clicking Subscribe to this thread. Then, make sure Instant Notification by email is selected and click Add Subscription

Please be patient with me during this time.

anno · 09-22-2006, 09:43 AM

Thanks very much. A quick update:

I ran ewido. It found and then quarantined a piece of malware called Backdoor.Genlot.DX, which by the sounds of it was rather nasty. My system is still slow though so I’ll see if any of the other recommended scanners can find anything else.

**Eclipse2003** · 09-22-2006, 10:07 PM

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

====================================================================================================

Downloads

Cleanup!

Cleanup! and install it. You will use this later.
====================================================================================================

HiJackThis! Fixes

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/22640b6b...p/RdxIE601.cab

Please remember to close all other windows, including browsers then click Fix checked.
====================================================================================================

Tools

CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Uncheck the following :

Scan local drives for temporary files

Click OK, Press the CleanUp! button to start the program and reboot when prompted.

====================================================================================================

Rebooting in Normal Mode

Reboot your system in Normal Mode.
====================================================================================================

Online Virus/Spyware Scan

Panda Activescan

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan
====================================================================================================

Tools

HiJackThis!

Please run a new HiJackThis! Scan and post the results with your next reply
====================================================================================================

Summary: Please make sure you have completed all of the steps above and include the following in your next post

New HiJackThis! Log
Panda ActiveScan Log

anno · 09-23-2006, 06:20 AM

Thanks for your help! The actions that I have taken so far don't seem to have made that much impact, as it took ~15 seconds to open a 3KB text file...

My ActiveScan log:

Quote:

Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Euan!\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Euan!\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Euan!\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\cookies.txt[.zedo.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Euan!\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Euan!\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\cookies.txt[c5.zedo.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Euan!\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Euan!\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Euan!\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\cookies.txt[ad.yieldmanager.com/]

And my new HJT log:

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 13:13:37, on 23/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\tblmouse.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wt32exe.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095788993124
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/z...ylomloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7782335-4096-498C-A717-8E4E763C793E}: NameServer = 212.74.112.66,212.74.112.67
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\system32\Wt32exe.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

**Eclipse2003** · 09-23-2006, 10:45 AM

Hm…your log appears to be clean but your system is still running slow huh? Let’s try a few other things here to see if we can find out what the source of your problems might be

Downloads

GetSystemInfo

Download & run GetSystemInfo.exe
It shall produce a log for you to post back here

Gmer

Download gmer from http://www.gmer.net & extract the contents to desktop
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say NO.
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked and uncheck the Registry box. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

* * * * *

Click Gmer's Autostar tab then the scan button. Once its done click the Copy button and paste it into a new notepad document. Save that document to your desktop please.

RootKitRevealer

Please download RootKitRevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file. Please post the entire contents of the log file in your next reply
====================================================================================================

Event Viewer Log

Let's have a look at Windows Event Viewer. It might give us a clue as to what is causing these issues

Go to Start > Run - type in eventvwr <Press Enter>

This is a picture of what the event viewer looks like.
You will see Application, Security & System listed in the left pane.

1. In the left pane click on Application.
2. Click the gray title “Type” at the top of the source name column in the right pane to sort by type name
Look for “Error” & double-click on the most recent 10, and evaluate the event description for any indication of the cause of the problem.
3. Make note of the Description, EventID and Source of these Event Properties.
4. From the right pane, doubleclick on the line where it says error & you should get a window like the example below

5. In the upper right corner of this picture, you should see 2 arrows. One is pointing up & the other, pointing down.
There is another button below the 2 arrows. Click once on it. (this will copy some information to clipboard)
6. Open notepad & paste the info in there. This will copy the event information to the clipboard. Paste the information for each event here

Repeat steps 1-6 for System
====================================================================================================

Summary: Please make sure you have completed all of the steps above and include the following in your next post

GetSystemInfo Log
Gmer Log
RootkitRevealer Log
Event Viewer Log

anno · 09-23-2006, 01:52 PM

Thanks for this Eclipse, you must be very patient!

My GetSystemInfo log is 1.33MB, shall I post all of it?

Gmer log:

Quote:

GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-23 18:59:18
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.11 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.11 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL [F87C6D60] sfsync02.sys
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F87C6D60] sfsync02.sys
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F87C6D60] sfsync02.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_INTERNAL_DEVICE_CONTROL [F87C6D60] sfsync02.sys
Device \Driver\USBSTOR \Device\0000007a IRP_MJ_INTERNAL_DEVICE_CONTROL [F87C6D60] sfsync02.sys
Device \Driver\USBSTOR \Device\0000007c IRP_MJ_INTERNAL_DEVICE_CONTROL [F87C6D60] sfsync02.sys

---- Processes - GMER 1.0.11 ----

Process guard.exe (*** hidden *** ) [532] 81E87DA0

---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----

Gmer Autostart log:

Quote:

GMER 1.0.11.11349 - http://www.gmer.net
Autostart 2006-09-23 19:01:55
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
BackWeb Client - 7681197 /*F-Secure BackWeb*/@ = C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
Belkin 54g Wireless USB Network Adapter Service /*Belkin 54g Wireless USB Network Adapter*/@ = C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
Brother XP spl Service /*BrSplService*/@ = C:\WINDOWS\system32\brsvc01a.exe
ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Program Files\ewido anti-spyware 4.0\guard.exe
F-Secure Gatekeeper Handler Starter /*F-Secure Gatekeeper Handler Starter*/@ = "C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe"
FSAA /*F-Secure Authentication Agent*/@ = "C:\Program Files\F-Secure\Common\FSAA.EXE"
FSMA /*F-Secure Management Agent*/@ = "C:\Program Files\F-Secure\Common\FSMA32.EXE"
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
ssoftservice /*Cryptainer service*/@ = ssoftsrv.exe
TabletService /*Tablet Service*/@ = C:\WINDOWS\system32\Wt32exe.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
UserAccess7 /*SecuROM User Access Service (V7)*/@ = C:\WINDOWS\system32\UAService7.exe /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@F-Secure Manager"C:\Program Files\F-Secure\Common\FSM32.EXE" /splash = "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
@nwiznwiz.exe /install = nwiz.exe /install
@NvMediaCenterRunDLL32.exe NvMCTray.dll,NvTaskbarInit = RunDLL32.exe NvMCTray.dll,NvTaskbarInit
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@tblfunctblmouse.exe = tblmouse.exe
@RemoteControl"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@ControlCenter2.0C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun /*file not found*/ = C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun /*file not found*/
@ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe /*file not found*/ = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@updateMgr"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1 = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
@Skype"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
@ares"C:\Program Files\Ares\Ares.exe" -h /*file not found*/ = "C:\Program Files\Ares\Ares.exe" -h /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{23814B80-52A2-11d0-BC1A-004095606CB9} = C:\Program Files\F-Secure\Common\fpshx.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{23814B80-52A2-11d0-BC1A-004095606CB9} = C:\Program Files\F-Secure\Common\fpshx.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.mail.yahoo.com/ = http://www.mail.yahoo.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\Euan!\Start Menu\Programs\Startup = Office Startup.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Acrobat Assistant.lnk = Acrobat Assistant.lnk
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk

---- EOF - GMER 1.0.11 ----

RootKitRevealer Log:

Quote:

HKLM\S-1-5-21-220523388-1383384898-1801674531-1003\RemoteAccess\InternetProfile 14/10/2005 00:16 7 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-220523388-1383384898-1801674531-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\36\Shell\WFlags 23/09/2006 19:04 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-220523388-1383384898-1801674531-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\36\Shell\ShowCmd 23/09/2006 19:04 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-220523388-1383384898-1801674531-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\36\Shell\FFlags 23/09/2006 19:04 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-220523388-1383384898-1801674531-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\36\Shell\ColInfo 23/09/2006 19:04 138 bytes Windows API length not consistent with raw hive data.
HKLM\S-1-5-21-220523388-1383384898-1801674531-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\36\Shell\WinPos1280x1024(1).left 23/09/2006 19:04 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-220523388-1383384898-1801674531-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\36\Shell\WinPos1280x1024(1).top 23/09/2006 19:04 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-220523388-1383384898-1801674531-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\36\Shell\WinPos1280x1024(1).right 23/09/2006 19:04 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-220523388-1383384898-1801674531-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\36\Shell\WinPos1280x1024(1).bottom 23/09/2006 19:04 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\03C43574d01 23/09/2006 19:12 25.46 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\14523DABd01 23/09/2006 19:18 37.34 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\3A63E95Fd01 23/09/2006 19:19 29.64 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\44390A35d01 23/09/2006 19:13 17.18 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\7CD398E0d01 23/09/2006 19:12 257.88 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\830DD26Dd01 23/09/2006 19:19 31.25 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\8A6567BBd01 23/09/2006 19:19 79.31 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\9D95DF7Bd01 23/09/2006 19:13 27.25 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\AC0FFE56d01 23/09/2006 19:19 55.50 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\B13F9FB8d01 23/09/2006 19:19 23.84 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\C3C153F7d01 23/09/2006 19:19 26.27 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\D9623514d01 23/09/2006 19:19 26.86 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\EB837985d01 23/09/2006 19:13 31.45 KB Hidden from Windows API.
C:\Documents and Settings\Euan!\Local Settings\Application Data\Mozilla\Firefox\Profiles\95yafp4t.default\Cache\FC1BC844d01 23/09/2006 19:15 162.78 KB Hidden from Windows API.

Event Viewer Application Log:

Quote:

Event Type: Error
Event Source: F-Secure Anti-Virus
Event Category: None
Event ID: 103
Date: 26/04/2006
Time: 09:59:04
User: N/A
Computer: EUAN
Description:
1 2006-04-26 09:59:04+01:00 euan EUAN\Euan! F-Secure Anti-Virus
Scanning of C:\PROGRAM FILES\ITUNES\ITUNES.EXE was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 26/04/2006
Time: 19:33:26
User: N/A
Computer: EUAN
Description:
Hanging application Photoshop.exe, version 8.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 50 68 6f 74 6f 73 Photos
0018: 68 6f 70 2e 65 78 65 20 hop.exe
0020: 38 2e 30 2e 30 2e 30 20 8.0.0.0
0028: 69 6e 20 68 75 6e 67 61 in hunga
0030: 70 70 20 30 2e 30 2e 30 pp 0.0.0
0038: 2e 30 20 61 74 20 6f 66 .0 at of
0040: 66 73 65 74 20 30 30 30 fset 000
0048: 30 30 30 30 30 00000

Event Type: Error
Event Source: F-Secure Anti-Virus
Event Category: None
Event ID: 103
Date: 28/04/2006
Time: 17:59:02
User: N/A
Computer: EUAN
Description:
1 2006-04-28 17:59:02+01:00 euan EUAN\Euan! F-Secure Anti-Virus
Scanning of C:\PROGRAM FILES\ITUNES\ITUNES.EXE was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).

Event Type: Error
Event Source: F-Secure Anti-Virus
Event Category: None
Event ID: 103
Date: 30/04/2006
Time: 19:09:58
User: N/A
Computer: EUAN
Description:
1 2006-04-30 19:09:57+01:00 euan EUAN\Euan! F-Secure Anti-Virus
Scanning of C:\PROGRAM FILES\ITUNES\ITUNES.EXE was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 04/05/2006
Time: 02:00:54
User: N/A
Computer: EUAN
Description:
Hanging application iTunes.exe, version 6.0.3.5, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 54 75 6e 65 73 iTunes
0018: 2e 65 78 65 20 36 2e 30 .exe 6.0
0020: 2e 33 2e 35 20 69 6e 20 .3.5 in
0028: 68 75 6e 67 61 70 70 20 hungapp
0030: 30 2e 30 2e 30 2e 30 20 0.0.0.0
0038: 61 74 20 6f 66 66 73 65 at offse
0040: 74 20 30 30 30 30 30 30 t 000000
0048: 30 30 00

Event Type: Error
Event Source: F-Secure Anti-Virus
Event Category: None
Event ID: 103
Date: 04/05/2006
Time: 11:18:12
User: N/A
Computer: EUAN
Description:
1 2006-05-04 11:18:12+01:00 euan EUAN\Euan! F-Secure Anti-Virus
Scanning of C:\PROGRAM FILES\ITUNES\ITUNES.EXE was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 07/05/2006
Time: 14:32:24
User: N/A
Computer: EUAN
Description:
Faulting application firefox.exe, version 1.8.20060.42618, faulting module ws2_32.dll, version 5.1.2600.2180, fault address 0x0000a89d.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 66 69 72 ure fir
0018: 65 66 6f 78 2e 65 78 65 efox.exe
0020: 20 31 2e 38 2e 32 30 30 1.8.200
0028: 36 30 2e 34 32 36 31 38 60.42618
0030: 20 69 6e 20 77 73 32 5f in ws2_
0038: 33 32 2e 64 6c 6c 20 35 32.dll 5
0040: 2e 31 2e 32 36 30 30 2e .1.2600.
0048: 32 31 38 30 20 61 74 20 2180 at
0050: 6f 66 66 73 65 74 20 30 offset 0
0058: 30 30 30 61 38 39 64 0d 000a89d.
0060: 0a .

Event Type: Error
Event Source: F-Secure Anti-Virus
Event Category: None
Event ID: 103
Date: 08/05/2006
Time: 17:50:15
User: N/A
Computer: EUAN
Description:
1 2006-05-08 17:50:15+01:00 euan EUAN\Euan! F-Secure Anti-Virus
Scanning of D: was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 08/05/2006
Time: 19:02:30
User: N/A
Computer: EUAN
Description:
Hanging application iTunes.exe, version 6.0.3.5, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 54 75 6e 65 73 iTunes
0018: 2e 65 78 65 20 36 2e 30 .exe 6.0
0020: 2e 33 2e 35 20 69 6e 20 .3.5 in
0028: 68 75 6e 67 61 70 70 20 hungapp
0030: 30 2e 30 2e 30 2e 30 20 0.0.0.0
0038: 61 74 20 6f 66 66 73 65 at offse
0040: 74 20 30 30 30 30 30 30 t 000000
0048: 30 30 00

Event Type: Error
Event Source: F-Secure Anti-Virus
Event Category: None
Event ID: 103
Date: 10/05/2006
Time: 16:37:30
User: N/A
Computer: EUAN
Description:
1 2006-05-10 16:37:30+01:00 euan EUAN\Euan! F-Secure Anti-Virus
Scanning of C:\PROGRAM FILES\ITUNES\ITUNES.EXE was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).

Event Viewer System Log:

Quote:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 05/09/2006
Time: 22:30:55
User: N/A
Computer: EUAN
Description:
The SecuROM User Access Service (V7) service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: ipnathlp
Event Category: None
Event ID: 31012
Date: 10/08/2006
Time: 16:57:08
User: N/A
Computer: EUAN
Description:
The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e8 00 00 00 è...

Event Type: Error
Event Source: ipnathlp
Event Category: None
Event ID: 31012
Date: 10/08/2006
Time: 16:57:08
User: N/A
Computer: EUAN
Description:
The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e8 00 00 00 è...

Event Type: Error
Event Source: ipnathlp
Event Category: None
Event ID: 31012
Date: 10/08/2006
Time: 16:57:08
User: N/A
Computer: EUAN
Description:
The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e8 00 00 00 è...

Event Type: Error
Event Source: ipnathlp
Event Category: None
Event ID: 31012
Date: 10/08/2006
Time: 16:57:08
User: N/A
Computer: EUAN
Description:
The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e8 00 00 00 è...

Event Type: Error
Event Source: ipnathlp
Event Category: None
Event ID: 31012
Date: 10/08/2006
Time: 16:57:08
User: N/A
Computer: EUAN
Description:
The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e8 00 00 00 è...

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 11/08/2006
Time: 00:33:38
User: N/A
Computer: EUAN
Description:
The SecuROM User Access Service (V7) service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: ipnathlp
Event Category: None
Event ID: 31012
Date: 11/08/2006
Time: 00:33:44
User: N/A
Computer: EUAN
Description:
The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e8 00 00 00 è...

Event Type: Error
Event Source: ipnathlp
Event Category: None
Event ID: 31012
Date: 11/08/2006
Time: 00:33:44
User: N/A
Computer: EUAN
Description:
The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e8 00 00 00 è...

Event Type: Error
Event Source: ipnathlp
Event Category: None
Event ID: 31012
Date: 11/08/2006
Time: 00:33:45
User: N/A
Computer: EUAN
Description:
The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e8 00 00 00 è...

**Eclipse2003** · 09-23-2006, 02:41 PM

Please zip the file up and attach it here. That would probably be best.

anno · 09-23-2006, 03:09 PM

Okiedoke.
.

anno · 09-25-2006, 11:27 AM

Hopeful bump.

**Eclipse2003** · 09-25-2006, 05:12 PM

Sorry about that anno. All of your logs seem to be clean. The only thing that I can tell by looking at some of those new logs that you gave me (sysinfo etc.) is that you have very little hard drive space left. Go through your computer and delete anything that you don't need and try to get it so you have at least 6 GB free. This will help speed things up. After you do that, you can do a disk defrag by following the steps below:

Disk Defragmentation

Click Start and then open My Computer
From here, right click on your main drive (C:) and click Properties
Now Click on the Tools Tab and then click Defragment Now
Finally, make sure the C: drive is highlighted and click Defragment

Basically what this does is, when you are running low on hard drive space, your computer "fragments" files into several open spaces on your hard drive to make them fit. The problem in this is when you try to access those files, your computer has to go find all the "pieces" of the files and put them together which will drastically slow down your system. This will "rearrange" those files so they aren't fragmented anymore.

After you have completed both of these steps, please post back with how your system is behaving now. Any better? Same? Thanks anno and again sorry for the delay in response

anno · 09-27-2006, 05:17 PM

There is no need to apologise, you’re doing this for free!

The defrag didn’t make a huge amount of difference to start-up, but slightly improved the general response time while running Windows, enough to allow me to use the system without feeling the need to chuck it out of the window in any case…

Thanks for all your help Eclipse, please feel free to move this to your resolved section.

**Eclipse2003** · 09-27-2006, 06:30 PM

No problem anno. Glad I could help.

Now please follow the next steps to prevent further infections:

Rehide System and hidden files

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Setting a clean restore point

To turn off System Restoreclick Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

To turn System Restore back on Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Spyware Prevention

This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and downloads are available at the following links:

Spyware Blaster
Spyware Guard
IE-Spyad

Let me know if you have any other problems. If not you should be good to go.

09-22-2006, 09:43 AM	#3 (permalink)
anno Registered User Join Date: Aug 2006 Posts: 45 OS: Win XP	Thanks very much. A quick update: I ran ewido. It found and then quarantined a piece of malware called Backdoor.Genlot.DX, which by the sounds of it was rather nasty. My system is still slow though so I’ll see if any of the other recommended scanners can find anything else. Last edited by anno; 09-22-2006 at 09:44 AM. Reason: clarity

09-22-2006, 10:07 PM	#4 (permalink)
Eclipse2003 TSF Enthusiast Join Date: Apr 2005 Location: Ohio Posts: 1,156 OS: XP	Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. ==================================================================================================== Downloads Cleanup! Cleanup! and install it. You will use this later. ==================================================================================================== HiJackThis! Fixes Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/22640b6b...p/RdxIE601.cab *Please remember to close all other windows, including browsers then click Fix checked.* ==================================================================================================== Tools CleanUp! Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows: Click Options Move the slider button down to Custom CleanUp! Check the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Uncheck the following : Scan local drives for temporary files Click OK, Press the CleanUp! button to start the program and reboot when prompted. ==================================================================================================== Rebooting in Normal Mode Reboot your system in Normal Mode. ==================================================================================================== Online Virus/Spyware Scan Panda Activescan Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Click on see report. Then click Save report Post the contents of the report in your next reply You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan ==================================================================================================== Tools HiJackThis! Please run a new HiJackThis! Scan and post the results with your next reply ==================================================================================================== Summary: Please make sure you have completed all of the steps above and include the following in your next post New HiJackThis! Log Panda ActiveScan Log

09-27-2006, 06:30 PM	#13 (permalink)
Eclipse2003 TSF Enthusiast Join Date: Apr 2005 Location: Ohio Posts: 1,156 OS: XP	No problem anno. Glad I could help. Now please follow the next steps to prevent further infections: Rehide System and hidden files Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Setting a clean restore point To turn off System Restoreclick Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. To turn System Restore back on Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. *Microsoft Updates* It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Please go to Microsoft and download all the critical updates to help prevent possible re-infection. *Spyware Prevention* This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. More information and downloads are available at the following links: Spyware Blaster Spyware Guard IE-Spyad Let me know if you have any other problems. If not you should be good to go.

09-22-2006, 07:42 AM	#2 (permalink)
Eclipse2003 TSF Enthusiast Join Date: Apr 2005 Location: Ohio Posts: 1,156 OS: XP	Hi and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p In the meantime, make sure you subscribe to this thread so that you will receive an instant email when I have replied with a fix to your problem. You may do this by clicking the Thread Tools option at the top of your post and then clicking Subscribe to this thread. Then, make sure Instant Notification by email is selected and click Add Subscription Please be patient with me during this time.

09-23-2006, 10:45 AM	#6 (permalink)
Eclipse2003 TSF Enthusiast Join Date: Apr 2005 Location: Ohio Posts: 1,156 OS: XP	Hm…your log appears to be clean but your system is still running slow huh? Let’s try a few other things here to see if we can find out what the source of your problems might be Downloads GetSystemInfo Download & run GetSystemInfo.exe It shall produce a log for you to post back here Gmer Download gmer from http://www.gmer.net & extract the contents to desktop Disconnect from internet and close running programs. There is a small chance this application may crash your computer so save any work you have open. Double click gmer.exe. Let the gmer.sys driver load if asked. If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say NO. To the right of the program you will see a bunch of boxes that have been checked... leave everything checked and uncheck the Registry box. Then click the Scan button. Wait for the scan to finish. Once done click the Copy button. Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please. * * * * * Click Gmer's Autostar tab then the scan button. Once its done click the Copy button and paste it into a new notepad document. Save that document to your desktop please. RootKitRevealer Please download RootKitRevealer.zip Unzip it to the desktop, run it, and click Scan. This will generate a log file. Please post the entire contents of the log file in your next reply ==================================================================================================== Event Viewer Log Let's have a look at Windows Event Viewer. It might give us a clue as to what is causing these issues Go to Start > Run - type in eventvwr <Press Enter> This is a picture of what the event viewer looks like. You will see Application, Security & System listed in the left pane. 1. In the left pane click on Application. 2. Click the gray title “Type” at the top of the source name column in the right pane to sort by type name Look for “Error” & double-click on the most recent 10, and evaluate the event description for any indication of the cause of the problem. 3. Make note of the Description, EventID and Source of these Event Properties. 4. From the right pane, doubleclick on the line where it says error & you should get a window like the example below 5. In the upper right corner of this picture, you should see 2 arrows. One is pointing up & the other, pointing down. There is another button below the 2 arrows. Click once on it. (this will copy some information to clipboard) 6. Open notepad & paste the info in there. This will copy the event information to the clipboard. Paste the information for each event here Repeat steps 1-6 for System ==================================================================================================== Summary: Please make sure you have completed all of the steps above and include the following in your next post GetSystemInfo Log Gmer Log RootkitRevealer Log Event Viewer Log

09-23-2006, 02:41 PM	#8 (permalink)
Eclipse2003 TSF Enthusiast Join Date: Apr 2005 Location: Ohio Posts: 1,156 OS: XP	Please zip the file up and attach it here. That would probably be best.

09-25-2006, 11:27 AM	#10 (permalink)
anno Registered User Join Date: Aug 2006 Posts: 45 OS: Win XP	Hopeful bump.

09-25-2006, 05:12 PM	#11 (permalink)
Eclipse2003 TSF Enthusiast Join Date: Apr 2005 Location: Ohio Posts: 1,156 OS: XP	Sorry about that anno. All of your logs seem to be clean. The only thing that I can tell by looking at some of those new logs that you gave me (sysinfo etc.) is that you have very little hard drive space left. Go through your computer and delete anything that you don't need and try to get it so you have at least 6 GB free. This will help speed things up. After you do that, you can do a disk defrag by following the steps below: Disk Defragmentation Click Start and then open My Computer From here, right click on your main drive (C:) and click Properties Now Click on the Tools Tab and then click Defragment Now Finally, make sure the C: drive is highlighted and click Defragment Basically what this does is, when you are running low on hard drive space, your computer "fragments" files into several open spaces on your hard drive to make them fit. The problem in this is when you try to access those files, your computer has to go find all the "pieces" of the files and put them together which will drastically slow down your system. This will "rearrange" those files so they aren't fragmented anymore. After you have completed both of these steps, please post back with how your system is behaving now. Any better? Same? Thanks anno and again sorry for the delay in response

09-27-2006, 05:17 PM	#12 (permalink)
anno Registered User Join Date: Aug 2006 Posts: 45 OS: Win XP	There is no need to apologise, you’re doing this for free! The defrag didn’t make a huge amount of difference to start-up, but slightly improved the general response time while running Windows, enough to allow me to use the system without feeling the need to chuck it out of the window in any case… Thanks for all your help Eclipse, please feel free to move this to your resolved section.