My HJT Log

[purified3]

Logfile of HijackThis v1.99.1
Scan saved at 2:33:43 PM, on 5/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Matthew\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[sUBs]

Hi purified3 and Welcome to TSF!

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst. I will be back with a fix for your problem as soon as possible.

Please be patient with me during this time.

In the meanwhile, I would like for you to update Windows and Internet Explorer at Windows Update website.
I strongly recommend that you make the upgrade to Windows XP Service Pack 2 (SP2).

We recommend that you subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please scroll up to the 1st post of this thread. Click Thread Tools and then Subscribe to this thread; on the next page, make sure "Instant notification by email" is selected, then click Add subscription.

Thanks.

[sUBs]

Hello again.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Download and install CleanUp!. We shall use it to clean out the Temp folders as installation programs and hijack programs leave a lot of junk there. Don't run it yet. We'll run it later.

Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any)
Please remember to close all other windows, including browsers then click Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Run CleanUp! now. Click Yes when it asks you if you want to logoff.

If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus. Select the “autoclean” option when using Trend Micro. Note the names and locations of any file it detects but fails to clean.

* Note: You should turn off the real time scanner of any existing antivirus program while you're doing the online scan

Run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

Do you have any other issues? Or is this just a general check up?

[purified3]

Well I have a problem with Mozilla and Firefox when I open mp3 files in the Quicktime plugin, they only play a few seconds, and Mozilla and Firefox are begining to become slower. I also have a blue screen that comes up every now and then that says dumping memory or something like that. But do I have to backup my system before I do cleanup? If I do then how do I?

Thank You for your reply

[purified3]

Logfile of HijackThis v1.99.1
Scan saved at 10:13:30 PM, on 5/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Matthew\My Documents\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The file to make the result txt log didnt work, so I just ran HJT again and saved the logfile.

[sUBs]

Your log is clean.

Heard there were quite a few people complaining about Firefox's Quicktime plug-in. Perhaps those guys at Alternative Computing may be able to help.

Blue screens may be attributed to many reasons. A corrupt OS, dying PSU or simply malfunctioning RAM. The Microsoft Computing & Hardware forums would be good places to look for more info.

Do you have anymore malware related problems? If not, you should be set to go

Now, just a few bits of housekeeping to help keep it that way:

We recommend you clear out your existing System Restore Points so the problem isn't inadvertently regenerated at a later time:

1. Click Start > Run > type sysdm.cpl & press Enter
2. Click System Restore Tab
3. Tick Turn off System Restore on all drives & Click Apply
4. Then untick Turn off System Restore on all drives & Click OK

Make sure to update Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us. May I suggest that you make the upgrade to Windows XP SP2. It has much better security security features.

This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?. You need an a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial.

[purified3]

I have ZoneAlarm, SpywareBlaster, AdAware SE 1.06, Microsoft AntiSpyware, Spybot SD and Cleanup on my computer, they all work great, I do not think I have any more malware. What exactly does cleaning all restore points do?

I will see what I can find about the Quicktime plugin. I dont know what the cause of my blue screen is but it happened after the bios settings for my sound was changed.

Do you think it would be wise to get Sp2, windows shows I need the update because I always send error reports after crashes, and I used to have it and it didnt do great for me, I heard that if you have a specific file on your computer then it doesnt cooperate very well.

Thank you for replying

[sUBs]

Windows XP periodically records a snapshot of your computer. These snapshots are called restore points. Windows XP also creates restore points at the time of significant system events (such as when an application or driver is installed) or you can create and name your own restore points at any time. If you’ve installed a program that has made your computer unstable, you can open system restore, choose a restore point, and return your computer to its previous stable state.

Unfortunately, these restore points may also contain the malware which we had just fixed. This necessitates the flushing of these restore points.

Unless you have some outdated devices which conflicts, SP2 generally works great with equipment that you've purchased within the last 3-5 years. Please get the upgrade. It may resolve your BSOD issues.

In the unlikely event that you experience problems, you can still rollback to your previous configuration.

[purified3]

Thank you for your support and replying, once again.

I still cannot figure out my problems with the Quicktime plugin, nobody seems to have any real help.

When you do system restore doesnt it basically just erase everything from your hard drive until that one specific date? Im just wondering because I dont want to lose alot of my music, and I have new programs on my computer that help me and I dont want to redownload them.

[sUBs]

Don't worry. I assure you that none of your current mp3's/ programs will be affected. Think of it as just clearing out some rubbish. It will create a new restore point when it's done.

So, please carry out the instructions as laid out in post # 6.

[purified3]

Thank you once agian. But what about my programs, like Microsoft Antispyware and adaware se 1.0.6 what will it do to those. Will it get rid of all my updates?

[sUBs]

There's nothing harmful in flushing system restore points. It will not harm of your current setup in anyway.

[purified3]

Thank you for your help

Do you know of anything that could cause the problem with the Quicktime plugin in Mozilla and Firefox? I cant figure it out, my computer is fine, Mozilla is starting to run pretty slow now...and my programs say Im pretty much clean execpt for cookies, I also have a cookie that comes up every now and then that nobody seems to know of called n-case, when I next see it I will let you know.

I have recently reinstalled Quicktime and Mozilla and I get the same problems..

[purified3]

I do not have acess to my computer now...other than this laptop, but I cannot get onto my computer because it loops the startup. It boots, goes to the screen in which you choose your booting mode, waits 30 seconds, and reboots. This happened while I was installing SP2 and I opened a browser during that and the blue screen I mentioned came up, I hit restart and it started to do that. This had to be a hardware problem, but I think it had something to do with trojans, worms..anything that could harm my computer, but none of my antispyware programs find anything other than tracking cookies that always come up.

Any ideas on that, I posted something in Windows Xp but I posted in here because I think it was the safety of my computer and all the viruses or spyware that were on it that none of my programs could track. I think this because alot of times today my programs started crashing, adaware would crash when I hit exit, Mozilla and Firefox would crash randomly, and normally Windows Explorer crashes when Im in my computer. I am just asking for a little help on this and a little more help in security.

By the way I had once had SP2 and it made everything impossible to acess. I had it fixed and then I thought that I could install it because it might have been something else, and I thought my computer was fine and I didnt have T.V Media, which is said to mess up the installation or corrupt SP2.

[sUBs]

If you're stuck in an endless loop, I sugget that you uninstall SP2 first. If you feel it's malware related, you may submit a fresh copy of HJT log fter that.

Quote:

USING THE RECOVERY CONSOLE TO UNINSTALL SP2

To recover your computer to a bootable state and remove Windows XP SP2

1.Start your computer by using the Windows XP Recovery Console. To use the Recovery Console, follow these steps:

* Insert the original release version of the Microsoft Windows XP CD in your computer's CD drive or DVD drive, and then restart your computer. REMEMBER: Your computer must be configured to start from the CD drive or DVD drive. The information is probably in your computer documentation about the BIOS.
* When the "Press any key to boot from CD" message appears, press a key to start your computer from the Windows XP CD.
* When the "Welcome to Setup" screen is displayed, press R to start the Recovery Console.
* When you are prompted, type the number that corresponds to the installation of Windows that you want to access from the Recovery Console, and then press ENTER. For example, if you have one installation of Windows on your computer, type 1, and then press ENTER.
* When you are prompted, type the Administrator password, and then press ENTER.

2. At the command prompt in Recovery Console, type the following lines. Press ENTER after each line.

* cd $NtServicePackUninstall$Spuninst
* batch spuninst.txt
* exit

3. Remove the Windows XP CD from your computer's CD drive or DVD drive, and then restart your computer.

[purified3]

Well it just uninstalls SP2? I thought it was nearly impossible to do that...I guess not. Will that work if I cant even get to the windows loading screen? Would anything else happen from the uninstallation of sp2, Im only asking to be safe.

Doesnt the windows xp disk read the drivers first, I was told that it would not be able to load because it doenst know how to read dvd and rewriteable cd drives, if this will not work, then what should I do?

[sUBs]

Before you try uninstalling SP2, have you tried "Last Known Good Configuration" ?

If you're unsure how to do that, here's some instructions..

1. Shut Windows down, and then turn off the computer.
2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
   Windows Advanced Options menu appears.
4. Using the arrow keys on the keyboard, scroll to and select the Last Known Good Configuration menu item, and then press Enter.

Try that 1st. Did you manage to fully install SP2 or did it fail midway?

[purified3]

I was reinstalling it, it was halfway through installing when the blue screen I mentioned came up, thats when it started to loop, I tried all settings and when I selected safe mode it would show a bunch of things that looked like this ....Multi(0)Disk(0)partition\windows\system32\drivers\ ardagp.sys and it had alot of diferent files, and then it would loop again.

Nomatter what I did it wouldnt help.

[purified3]

Do you think uninstalling SP2 will solve my problems? If it doesnt do you know of anything that could get my computer to boot again, without losing anything in my memory or hard drive?

[sUBs]

Quote:

Originally Posted by purified3

Do you think uninstalling SP2 will solve my problems? If it doesnt do you know of anything that could get my computer to boot again, without losing anything in my memory or hard drive?

First off. SP2 isn't an Operating system. It's merely a package of fixes (mainly security related) for the Windows XP Operating System. If there's nothing inherently wrong with your OS, uninstalling it shall restore our computer back to a working condition.

Uninstalling it will not cause you to lose your hard drive's data. It will only rollback your computer to the time before you install SP2. You cannot lose any data from memory. In the 1st place, there isn't any data in there. RAM holds only temporary data & those data gets erased when you shut down your pc.

If you're not that pc savvy, you may have to get on-site assistance from a friends who's more technically inclined. Too bad I live too far from you.

Have you tried uninstalling SP2 yet?