Tech Support banner

Status
Not open for further replies.
1 - 10 of 10 Posts

·
Premium Member
Joined
·
68 Posts
Discussion Starter #1
My computer, beside just acting a little sluggish will not shut down using the normal windows shut down procedure OR by using task manager. I have to manually hold the power button down until it shuts down. I hope you can help.

Here is log from HJT analyzer after running updated versions of cleanup, adaware and S& D.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Windows\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Windows\system32\ZoneLabs\isafe.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:15:48 PM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\Ares Lite Edition\Ares.exe
C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Gary\Desktop\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgmain.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123305001062
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\Windows\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
Hello roadstump and thank you for your patience.

I'm not seeing anything in this log.

Click Start>Run and type in sfc /scannow (there is a space between sfc and /) and let it scan for missing/corrupt files. You may need your Windows XP Install disc so have it handy.

Please run this online virus scan: ActiveScan
** Use the 'free use active scan' link in the right hand corner.] - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply along with a new HijackThis log.
* Turn off the real time scanner of any existing antivirus program while performing the online
 

·
Premium Member
Joined
·
68 Posts
Discussion Starter #4
Here is the Active Scan report:

Incident Status Location

Adware:adware/ist.istbar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ISTactivex.inf
Adware:adware/sidesearch No disinfected C:\WINDOWS\sepsd.bin
Adware:adware/savenow No disinfected C:\PROGRAM FILES\Save
Adware:adware/iedriver No disinfected Windows Registry
Adware:Adware/MediaTickets No disinfected C:\hjt\backups\backup-20041205-234543-775
Adware:Adware/MediaTickets No disinfected C:\hjt\backups\backup-20041205-234543-775.inf
Adware:Adware Program No disinfected C:\hjt\backups\backup-20041205-234544-328.inf
Dialer:Dialer.IX No disinfected C:\WINDOWS\Downloaded Program Files\igmp1f.exe
Dialer:Dialer.IX No disinfected C:\WINDOWS\Downloaded Program Files\wmdmp9x.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\Downloaded Program Files\WrapperOuter1154041108.EXE
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\cyx.dll
Adware:Adware/FastAccess No disinfected C:\WINDOWS\system32\myfastupdate.exe
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\tinybar.exe
Adware:Adware/PurityScan No disinfected F:\temp C backup\Carter\Application Data\elat.exe Fresh HJT analyzer log immediately after running ActiveScan

==================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Windows\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Windows\system32\ZoneLabs\isafe.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:45:43 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\Ares Lite Edition\Ares.exe
C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Gary\Desktop\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgmain.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123305001062
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\Windows\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Reboot into Safe Mode. (tapping F8 or F5)

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\DOWNLOADED PROGRAM FILES\ISTactivex.inf
C:\WINDOWS\sepsd.bin
C:\WINDOWS\Downloaded Program Files\igmp1f.exe
C:\WINDOWS\Downloaded Program Files\wmdmp9x.exe
C:\WINDOWS\Downloaded Program Files\WrapperOuter1154041108.EXE
C:\WINDOWS\system32\cyx.dll
C:\WINDOWS\system32\myfastupdate.exe
C:\WINDOWS\tinybar.exe
F:\temp C backup\Carter\Application Data\elat.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
*Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Save

Run a scan in HijackThis. Check the following and hit 'Fix checked':

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

Delete the following Folder:

C:\PROGRAM FILES\Save

Reboot into Normal Mode. Run another scan with Panda and posts the results here along with a new HijackThis log.

Are you able to shutdown now?
 

·
Premium Member
Joined
·
68 Posts
Discussion Starter #6
Had to leave the country for a while...sorry for delay in getting back to you.

Here is Panda scan and hijack analyzer file after executing above instructions. It did turn off today after about 10 minutes of sitting on the 'shutting down' blue screen.

Panda

Incident Status Location

Adware:adware/sidesearch No disinfected Windows Registry
Adware:Adware/MediaTickets No disinfected C:\hjt\backups\backup-20041205-234543-775
Adware:Adware/MediaTickets No disinfected C:\hjt\backups\backup-20041205-234543-775.inf
Adware:Adware Program No disinfected C:\hjt\backups\backup-20041205-234544-328.inf
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP638\A0217417.dll
Adware:Adware/FastAccess No disinfected C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP638\A0217418.exe
Adware:Adware/IST.ISTBar No disinfected C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP638\A0217419.exe
Adware:adware/savenow No disinfected C:\WINDOWS\system32\datastore.dll
Adware:Adware/PurityScan No disinfected G:\temp C backup\Carter\Application Data\elat.exe
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Windows\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Windows\system32\ZoneLabs\isafe.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:39:18 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\Ares Lite Edition\Ares.exe
C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Gary\Desktop\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgmain.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123305001062
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\Windows\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
Welcome back :smile:

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Reboot into Safe Mode.(tapping F8 or F5)

Launch KillBox.exe & select the following options:
*Delete on Reboot
Select all the filenames listed below & then right-click & select Copy:

C:\WINDOWS\system32\datastore.dll
G:\temp C backup\Carter\Application Data\elat.exe


* Go to the File menu, and choose Paste from Clipboard

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt.
Click No at the 'Pending Operations' prompt.

---------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

Reboot into Normal Mode. Run another scan with HijackThis and post the log here. Any improvement in the shutdown?
 

·
Premium Member
Joined
·
68 Posts
Discussion Starter #8
Shut down is down to 3 minutes but might improve since there was an update that loaded from auto update. I will keep checking it. The fact it is shutting down at all is wonderful.

While in Safe mode I could not load
G:\temp C backup\Carter\Application Data\elat.exe for some reason. It would not let me load both lines of text. Since the G drive is a firewire drive I could not browse to it in safe mode either. I deleted the C: drive file you indicated. rebooted into normal, ran killbox again and deleted the G: drive file above on reboot. Not sure if this is as good as doing it from safe.

Since you did not specify HJT analyzer file be posted here I am giving you both HJT and HJT analyzer.

Analyzer file
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Windows\system32\ZoneLabs\isafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Windows\system32\ZoneLabs\isafe.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:03:08 AM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\Ares Lite Edition\Ares.exe
C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Gary\Desktop\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgmain.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123305001062
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\Windows\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================

Hijack this log (pre analyzer)

Logfile of HijackThis v1.99.1
Scan saved at 10:23:40 AM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Windows\system32\ZoneLabs\isafe.exe
C:\Windows\System32\CTsvcCDA.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Windows\system32\PROMon.exe
C:\Windows\wanmpsvc.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Windows\System32\MsPMSPSv.exe
C:\Windows\MXOaldr.exe
C:\Windows\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Ares Lite Edition\Ares.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgmain.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Windows\system32\LVComS.exe
C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Documents and Settings\Gary\Desktop\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\Windows\MXOaldr.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Gary\Desktop\spyware\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\System32\Shdocvw.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123305001062
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Windows\system32\ZoneLabs\isafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\System32\CTsvcCDA.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\Windows\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
 

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts
Your HJT log looks clean. Let's use a different online scanner for a "second opinion".

Any other issues besides the shutdown?

Create a uninstall list:

  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and past the List from the notebook onto your post

Perform an online scan with Internet Explorer with

Kaspersky Online Scanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

·
Premium Member
Joined
·
68 Posts
Discussion Starter #10
kaspersky tells me I need administrator rights...which I know I have on my user.

Here are some other issues I am having that maybe can help you figure out this crazy problem.

1. when attempting to download SP2 from microsoft site it tells me I need to enable 'userdata persistance', I do and it still doesn't.
2. HP USB scanner is not working correctly. will not scan from front panel or from application. I can get it to do a twain acquire from photoshop
3. Canon I70 USB printer is showing 'offline', unplugging and plugging back in does nothing. Computer doesn't seem to be detecting it.
4. each time I start up Zone Alarm is flagging me that a couple of apps are attempting to do things. They are:
a. Startup Splash, CTEaxSpl.exe
b. StartEAK.exe is trying to launch (this is something to do with Compaq Easy Button
c. CtHelper is trying to monitor your mous movements
5. I tried restoring to 3 previous dates. Upon reboot it tells me it cannot restore and that no files have been changed.

Gary
 
1 - 10 of 10 Posts
Status
Not open for further replies.
Top