Post #1 · Discussion Starter · Registered · 21 Posts
:sigh: Hi, I have been sent here from the HijackThis thread as I was having trouble with some spyware. I went through a range of processes with tetonbob and got rid of what the scanners had found. However, my computer is still acting up, and today whilst I was running my AVG spyware scanner again it got cut off again midscan and the screen went dark. It goes dark but not off, and I'm not able to do anything; this was the first reason I posted in the HijackThis thread. I thought it was all OK because occasionally the scanners will finish. I have had trouble running the Kaspersky online one as well, as that always stops in the same place and cuts off. And today between restarts I got a white flash and white stripes on screen until the whole screen went black, and then when I ran AVG spyware again I got a blue screen and then it automatically restarted. I also get the error message "dwwin.exe" DLL missing when I shut down or restart. So tetonbob passed me on to here saying he thinks I have an OS problem. Any ideas as to what is going on, and is the error message linked at all to the problems?
 

Reply · TSF Team Emeritus, Microsoft Visiting Expert · 3,258 Posts
Hi Agglos


Looks like you've been having a heck of a time with the infection & its damage.

Since having the system free of malware is still your first priority, if you haven't included rootkit scans in your cleaning, it's time to include them now --- http://www.pcsupportadvisor.com/rootkits.htm

Having anti-malware scans stop with system restarts seems a little shady still. That's why I'm asking you to look at things carefully. Watch for any other activity or system misbehavior that's out-of-the-ordinary. Also, look in your EventViewer logs to see if there are any errors in the logs that occur at the same time as your system failures. Start/Control Panel/Performance and Maintenance/Administrative Tools/Event Viewer. It's possible that your system will be too damaged for EventViewer to run [especially since Error Reporting is already failing -- the "DW" in "dwwin.exe" is from that old trusty Doctor Watson = dwwin is part of the Error Reporting for Windows XP].

Some Registry entries might still be corrupted by the malware, so let's try cleaning it up a bit: you can try CCleaner for this. It's free, it's tiny, and it works --- http://www.download.com/CCleaner/3000-2144_4-10315544.html
--- Use the "Cleaning" functions to clear out your temp files [after all, malwares like to hide there] - and use the "Issues" functions to clean up the Registry. Run the "Issues" function a few times, until it reports "No Issues found".

Your malware infections, and the cleaning up of them, may have left some crucial files damaged or missing. So let's put back some clean copies. From the Start/Run box on your Start Menu, type

sfc /scannow

This will start the "Windows File Protection" program (like an XP version of the older "System File Checker" -- it still shares those initials for its executable file). This program will run in the background, placing entries in the EventViewer logs when it starts, when it finds files needing replacing, and when it stops. When it finds a file that needs replacing, it may ask for either your Windows XP CD, or for you to point it to the location of the Windows XP installation files on your hard drive [major brand computers often put these installation files - which have the .cab extension - onto the hard drive = you can find them by using Windows Explorer to search for files with the .cab extension].

Should the system still behave badly after all this, let us know.

And, perhaps my most ominous questions = do you have backups of your most important data? And do you have either a Windows XP CD, or a Recovery/Restore Disk set?

Best of luck
. . . Gary
 

Post #3 · Discussion Starter · Registered · 21 Posts
Hi Gary, I already tried Blacklight with tetonbob under the HijackThis forum and he said nothing about the results, so I tried RootkitRevealer. It found 12; I went to save on to the desktop and a RootkitRevealer error popped up and it needed to close, and straight after Dr. Watson came up with an error and also needed to close. The RootkitRevealer screen, however, was still up but with only four of the problems left visible. After this I did the Windows free online scan and it found nothing, though thankfully it finished. But then when I shut it, both my Internet Explorer pages were not responding and the same error message came up saying they needed to be closed. I then ran Event Viewer, which had entries under Security and Application; log to follow of the last couple or so, maybe it will help.

Other problems: when I turn on the computer and it goes to the desktop, all the icons flash once as if a program has just started and done something. When online the arrow often changes to an hourglass and I'm not able to do anything but wait till it returns to normal, but still slower. I don't have Dr. Watson installed; why is it on my computer?

And finally, I haven't run CCleaner as I don't have the XP CD. Should I get hold of it before I try and clean the registry? There's not much on my computer that I can't replace, just some Word documents which I can put on my memory stick. Also tetonbob mentioned something like "dumprep" and linked me to this thread. What's that?

Application Section

12/12/2006 23:11:12 Application Hang Error (101) 1002 N/A RECLUSE Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
12/12/2006 22:18:25 Application Error Error (100) 1000 N/A RECLUSE Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
12/12/2006 22:18:11 Application Error Error (100) 1000 N/A RECLUSE Faulting application ULJV.exe, version 1.71.0.0, faulting module comctl32.dll, version 6.0.2900.2180, fault address 0x00004933.
12/12/2006 21:42:09 SecurityCenter Information None 1800 N/A RECLUSE The Windows Security Center Service has started.
12/12/2006 21:42:08 EAPOL Information None 2002 N/A RECLUSE EAPOL service was stopped successfully
12/12/2006 21:42:08 EAPOL Information None 2003 N/A RECLUSE EAPOL service is running
12/12/2006 21:42:07 AVGEMS Information None 1 N/A RECLUSE Service started
12/12/2006 21:42:06 RegSrvc Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
12/12/2006 21:42:06 OwnershipProtocol Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( OwnershipProtocol ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
12/12/2006 21:42:05 Avg7UpdSvc Information None 1 N/A RECLUSE Service started
12/12/2006 21:41:58 EvtEng Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
12/12/2006 00:15:45 SecurityCenter Information None 1800 N/A RECLUSE The Windows Security Center Service has started.
12/12/2006 00:15:45 AVGEMS Information None 1 N/A RECLUSE Service started
12/12/2006 00:15:41 RegSrvc Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
12/12/2006 00:15:41 OwnershipProtocol Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( OwnershipProtocol ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
12/12/2006 00:15:41 Avg7UpdSvc Information None 1 N/A RECLUSE Service started
12/12/2006 00:15:37 EAPOL Information None 2002 N/A RECLUSE EAPOL service was stopped successfully
12/12/2006 00:15:37 EAPOL Information None 2003 N/A RECLUSE EAPOL service is running
12/12/2006 00:15:27 EvtEng Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 17:20:58 EAPOL Information None 2002 N/A RECLUSE EAPOL service was stopped successfully
11/12/2006 17:20:58 EAPOL Information None 2003 N/A RECLUSE EAPOL service is running
11/12/2006 17:20:57 SecurityCenter Information None 1800 N/A RECLUSE The Windows Security Center Service has started.
11/12/2006 17:20:56 AVGEMS Information None 1 N/A RECLUSE Service started
11/12/2006 17:20:56 RegSrvc Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 17:20:56 OwnershipProtocol Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( OwnershipProtocol ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 17:20:55 Avg7UpdSvc Information None 1 N/A RECLUSE Service started
11/12/2006 17:20:48 EvtEng Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 17:14:07 EAPOL Information None 2002 N/A RECLUSE EAPOL service was stopped successfully
11/12/2006 17:14:07 EAPOL Information None 2003 N/A RECLUSE EAPOL service is running
11/12/2006 17:14:06 SecurityCenter Information None 1800 N/A RECLUSE The Windows Security Center Service has started.
11/12/2006 17:14:05 AVGEMS Information None 1 N/A RECLUSE Service started
11/12/2006 17:14:05 RegSrvc Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 17:14:05 OwnershipProtocol Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( OwnershipProtocol ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 17:14:04 Avg7UpdSvc Information None 1 N/A RECLUSE Service started
11/12/2006 17:13:57 EvtEng Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 17:04:54 SecurityCenter Information None 1800 N/A RECLUSE The Windows Security Center Service has started.
11/12/2006 17:04:51 AVGEMS Information None 1 N/A RECLUSE Service started
11/12/2006 17:04:50 RegSrvc Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 17:04:50 OwnershipProtocol Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( OwnershipProtocol ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 17:04:49 Avg7UpdSvc Information None 1 N/A RECLUSE Service started
11/12/2006 17:04:46 EAPOL Information None 2002 N/A RECLUSE EAPOL service was stopped successfully
11/12/2006 17:04:46 EAPOL Information None 2003 N/A RECLUSE EAPOL service is running
11/12/2006 17:04:36 EvtEng Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 16:41:27 EAPOL Information None 2002 N/A RECLUSE EAPOL service was stopped successfully
11/12/2006 16:41:27 EAPOL Information None 2003 N/A RECLUSE EAPOL service is running
11/12/2006 16:41:20 SecurityCenter Information None 1800 N/A RECLUSE The Windows Security Center Service has started.
11/12/2006 16:41:19 AVGEMS Information None 1 N/A RECLUSE Service started
11/12/2006 16:41:19 RegSrvc Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 16:41:19 OwnershipProtocol Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( OwnershipProtocol ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 16:41:18 Avg7UpdSvc Information None 1 N/A RECLUSE Service started
11/12/2006 16:41:10 EvtEng Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 14:42:25 EAPOL Information None 2002 N/A RECLUSE EAPOL service was stopped successfully
11/12/2006 14:42:25 EAPOL Information None 2003 N/A RECLUSE EAPOL service is running
11/12/2006 14:42:23 SecurityCenter Information None 1800 N/A RECLUSE The Windows Security Center Service has started.
11/12/2006 14:42:22 AVGEMS Information None 1 N/A RECLUSE Service started
11/12/2006 14:42:21 RegSrvc Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 14:42:21 OwnershipProtocol Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( OwnershipProtocol ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 14:42:20 Avg7UpdSvc Information None 1 N/A RECLUSE Service started
11/12/2006 14:42:12 EvtEng Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 05:29:28 SecurityCenter Information None 1800 N/A RECLUSE The Windows Security Center Service has started.
11/12/2006 05:29:28 EAPOL Information None 2002 N/A RECLUSE EAPOL service was stopped successfully
11/12/2006 05:29:28 EAPOL Information None 2003 N/A RECLUSE EAPOL service is running
11/12/2006 05:29:27 AVGEMS Information None 1 N/A RECLUSE Service started
11/12/2006 05:29:26 RegSrvc Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 05:29:26 OwnershipProtocol Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( OwnershipProtocol ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
11/12/2006 05:29:25 Avg7UpdSvc Information None 1 N/A RECLUSE Service started
11/12/2006 05:29:17 EvtEng Information None 0 N/A RECLUSE The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.



Security Section

12/12/2006 23:16:13 Service Control Manager Information None 7036 N/A RECLUSE The Windows Installer service entered the stopped state.
12/12/2006 23:06:06 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM RECLUSE The Windows Installer service was successfully sent a start control.
12/12/2006 23:06:06 Service Control Manager Information None 7036 N/A RECLUSE The Windows Installer service entered the running state.
12/12/2006 22:56:29 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:56:21 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:50:02 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:49:54 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:49:45 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:45:23 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:45:15 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:45:05 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:44:56 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:23:42 Tcpip Warning None 4226 N/A RECLUSE TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
12/12/2006 22:19:57 Service Control Manager Error None 7034 N/A RECLUSE The ULJV service terminated unexpectedly. It has done this 1 time(s).
12/12/2006 22:12:33 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:10:39 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:09:08 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:08:59 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:01:40 Service Control Manager Information None 7035 RECLUSE\Theo P RECLUSE The ULJV service was successfully sent a start control.
12/12/2006 22:01:40 Service Control Manager Information None 7036 N/A RECLUSE The ULJV service entered the running state.
12/12/2006 21:56:20 Tcpip Warning None 4226 N/A RECLUSE TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
12/12/2006 21:46:46 Tcpip Information None 4201 N/A RECLUSE The system detected that network adapter \DEVICE\TCPIP_{96D0FF8E-89E9-4D27-A611-ADFAED013CEA} was connected to the network, and has initiated normal operation over the network adapter.
12/12/2006 21:42:38 Tcpip Warning None 4226 N/A RECLUSE TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
12/12/2006 21:42:22 Service Control Manager Information None 7036 N/A RECLUSE The IMAPI CD-Burning COM Service service entered the stopped state.
12/12/2006 21:42:16 Tcpip Information None 4201 N/A RECLUSE The system detected that network adapter \DEVICE\TCPIP_{96D0FF8E-89E9-4D27-A611-ADFAED013CEA} was connected to the network, and has initiated normal operation over the network adapter.
12/12/2006 21:42:14 Service Control Manager Information None 7036 N/A RECLUSE The IMAPI CD-Burning COM Service service entered the running state.
12/12/2006 21:42:14 Service Control Manager Information None 7036 N/A RECLUSE The SSDP Discovery Service service entered the running state.
12/12/2006 21:42:14 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM RECLUSE The IMAPI CD-Burning COM Service service was successfully sent a start control.
12/12/2006 21:42:14 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM RECLUSE The SSDP Discovery Service service was successfully sent a start control.
12/12/2006 21:42:13 Service Control Manager Information None 7035 RECLUSE\Theo P RECLUSE The SIS PORT Driver service was successfully sent a start control.
12/12/2006 21:42:09 Service Control Manager Information None 7036 N/A RECLUSE The Remote Access Connection Manager service entered the running state.
12/12/2006 21:42:09 Service Control Manager Information None 7036 N/A RECLUSE The Application Layer Gateway Service service entered the running state.
12/12/2006 21:42:09 Service Control Manager Information None 7036 N/A RECLUSE The Network Location Awareness (NLA) service entered the running state.
12/12/2006 21:42:09 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM RECLUSE The Network Location Awareness (NLA) service was successfully sent a start control.
12/12/2006 21:42:09 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM RECLUSE The Remote Access Connection Manager service was successfully sent a start control.
12/12/2006 21:42:09 Service Control Manager Information None 7036 N/A RECLUSE The Telephony service entered the running state.
12/12/2006 21:42:09 Service Control Manager Information None 7036 N/A RECLUSE The Wireless Zero Configuration service entered the stopped state.
12/12/2006 21:42:09 Service Control Manager Information None 7036 N/A RECLUSE The Fast User Switching Compatibility service entered the running state.
12/12/2006 21:42:09 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM RECLUSE The Fast User Switching Compatibility service was successfully sent a start control.
12/12/2006 21:42:09 Service Control Manager Information None 7036 N/A RECLUSE The Terminal Services service entered the running state.
12/12/2006 21:42:09 Service Control Manager Information None 7035 RECLUSE\Theo P RECLUSE The Wireless Zero Configuration service was successfully sent a stop control.
12/12/2006 21:41:57 EventLog Information None 6005 N/A RECLUSE The Event log service was started.
12/12/2006 21:41:57 EventLog Information None 6009 N/A RECLUSE Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Uniprocessor Free.
12/12/2006 00:22:07 EventLog Information None 6006 N/A RECLUSE The Event log service was stopped.
12/12/2006 00:20:50 Tcpip Information None 4202 N/A RECLUSE The system detected that network adapter \DEVICE\TCPIP_{96D0FF8E-89E9-4D27-A611-ADFAED013CEA} was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.
12/12/2006 00:16:18 Tcpip Warning None 4226 N/A RECLUSE TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
12/12/2006 00:16:02 Service Control Manager Information None 7036 N/A RECLUSE The IMAPI CD-Burning COM Service service entered the stopped state.
12/12/2006 00:15:57 Tcpip Information None 4201 N/A RECLUSE The system detected that network adapter \DEVICE\TCPIP_{96D0FF8E-89E9-4D27-A611-ADFAED013CEA} was connected to the network, and has initiated normal operation over the network adapter.
12/12/2006 00:15:54 Service Control Manager Information None 7036 N/A RECLUSE The IMAPI CD-Burning COM Service service entered the running state.
12/12/2006 00:15:54 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM RECLUSE The IMAPI CD-Burning COM Service service was successfully sent a start control.
12/12/2006 00:15:52 Service Control Manager Information None 7036 N/A RECLUSE The SSDP Discovery Service service entered the running state.
12/12/2006 00:15:51 Service Control Manager Information None 7036 N/A RECLUSE The Remote Access Connection Manager service entered the running state.
12/12/2006 00:15:51 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM RECLUSE The SSDP Discovery Service service was successfully sent a start control.
12/12/2006 00:15:51 Service Control Manager Information None 7035 RECLUSE\Theo P RECLUSE The SIS PORT Driver service was successfully sent a start control.


TCP/IP has come up a lot and I haven't used my CD-ROM burning facility for months??????????
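A way to work through a pasted Event Viewer export the way Gary asks for above (errors that occur at the same time as the failures), as an added example that is not part of the thread and not anyone's tool: the script parses rows in the format posted, then lists every Warning/Error in the second log within a few minutes of each crash or hang recorded in the Application log, and counts which faults repeat. The sample rows are copied from the logs posted in this thread; the host name RECLUSE comes from those rows, while the row layout, the ten-minute window and the function names are assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Row layout as pasted from the XP Event Viewer in the thread (assumed layout):
# DD/MM/YYYY HH:MM:SS <source> <type> <category> <event id> <user> <computer> <message>
ROW_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<source>.+?) (?P<type>Information|Warning|Error) "
    r"(?P<category>\S+) (?P<event_id>\d+) (?P<rest>.+)$"
)

def parse_event(line, computer="RECLUSE"):
    """Parse one pasted row into a dict; return None for a row that does not match.
    The computer name (RECLUSE in the thread) is given explicitly because the user
    column before it may contain spaces, e.g. 'NT AUTHORITY\\SYSTEM' or 'RECLUSE\\Theo P'."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    tail = re.match(rf"^(?P<user>.+?) {re.escape(computer)} (?P<message>.+)$", m["rest"])
    if not tail:
        return None
    return {
        "when": datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S"),
        "source": m["source"],
        "type": m["type"],
        "event_id": int(m["event_id"]),
        "user": tail["user"],
        "message": tail["message"],
    }

def parse_log(text, computer="RECLUSE"):
    rows = (parse_event(line, computer) for line in text.splitlines())
    return [r for r in rows if r is not None]

def crashes(app_events):
    """Application-log rows written when a process faulted or hung."""
    return [e for e in app_events if e["source"] in ("Application Error", "Application Hang")]

def crash_process(event):
    """'Faulting application ULJV.exe, version ...' -> 'ULJV.exe'."""
    return event["message"].split()[2].rstrip(",")

def problems_near(events, moment, window_minutes=10):
    """Warning/Error rows whose timestamp lies within +/- window_minutes of `moment`."""
    delta = timedelta(minutes=window_minutes)
    hits = [e for e in events if e["type"] != "Information" and abs(e["when"] - moment) <= delta]
    return sorted(hits, key=lambda e: e["when"])

def recurring_problems(events):
    """Count Warning/Error rows by (source, event id): a fault that repeats is the signal."""
    return Counter((e["source"], e["event_id"]) for e in events if e["type"] != "Information")

def correlate(app_text, sys_text, window_minutes=10):
    """Map each crashed/hung process to the problems logged around the time of the crash."""
    sys_events = parse_log(sys_text)
    return {crash_process(c): problems_near(sys_events, c["when"], window_minutes)
            for c in crashes(parse_log(app_text))}

# Sample rows copied from the logs posted in this thread.
APPLICATION_LOG = r"""
12/12/2006 23:11:12 Application Hang Error (101) 1002 N/A RECLUSE Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
12/12/2006 22:18:25 Application Error Error (100) 1000 N/A RECLUSE Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
12/12/2006 22:18:11 Application Error Error (100) 1000 N/A RECLUSE Faulting application ULJV.exe, version 1.71.0.0, faulting module comctl32.dll, version 6.0.2900.2180, fault address 0x00004933.
"""
SYSTEM_LOG = r"""
12/12/2006 23:16:13 Service Control Manager Information None 7036 N/A RECLUSE The Windows Installer service entered the stopped state.
12/12/2006 22:56:29 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:49:54 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:44:56 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:23:42 Tcpip Warning None 4226 N/A RECLUSE TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
12/12/2006 22:19:57 Service Control Manager Error None 7034 N/A RECLUSE The ULJV service terminated unexpectedly. It has done this 1 time(s).
12/12/2006 22:12:33 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:10:39 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:09:08 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:08:59 Disk Error None 7 N/A RECLUSE The device, \Device\Harddisk0\D, has a bad block.
12/12/2006 22:01:40 Service Control Manager Information None 7035 RECLUSE\Theo P RECLUSE The ULJV service was successfully sent a start control.
12/12/2006 21:56:20 Tcpip Warning None 4226 N/A RECLUSE TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
"""

if __name__ == "__main__":
    for proc, near in correlate(APPLICATION_LOG, SYSTEM_LOG).items():
        print(f"{proc}: {len(near)} problem(s) logged within 10 minutes")
        for e in near:
            print(f"  {e['when']:%H:%M:%S} {e['source']} {e['event_id']}: {e['message']}")
    print("recurring:", recurring_problems(parse_log(SYSTEM_LOG)).most_common(3))
```

Run over the rows above, the two 22:18 crashes (ULJV.exe and drwtsn32.exe) land among repeated event 7 bad-block errors for \Device\Harddisk0\D and the ULJV service terminating (event 7034), while the iexplore.exe hang at 23:11 has nothing logged around it. That pairing is what to carry to the next diagnostic step (a disk check, and a look at what ULJV is), not a verdict on its own.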
 

Reply · Registered · 21 Posts
Here's what RootkitRevealer found. I don't understand any of it.



HKU\.DEFAULT\Control Panel\International 08/12/2006 05:59 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-21-1801674531-1409082233-725345543-1003\Control Panel\International 11/12/2006 06:25 0 bytes Security mismatch.
HKU\S-1-5-21-1801674531-1409082233-725345543-1003\Control Panel\International\Geo 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-21-1801674531-1409082233-725345543-1003\Software\Microsoft\Command Processor 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 08/12/2006 05:59 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 29/10/2005 00:10 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 29/10/2005 00:10 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 08/12/2006 05:59 0 bytes Security mismatch.
C:\Documents and Settings\Theo P\Local Settings\Application Data\Microsoft\Messenger\<email_removed>@hotmail.com\SharingMetadata\<email_removed>@hotmail.com\DFSR\Staging\CS{753D2A73-13F9-2DFA-7A8E-ADF7311564FD}\01\10-{753D2A73-13F9-2DFA-7A8E-ADF7311564FD}-v1-{BD 22/11/2006 21:00 8 bytes Hidden from Windows API.
C:\System Volume Information\_restore{55F1C85C-1BA2-495B-865D-DF49EEE70C6B}\RP244\A0127775.RDB 13/12/2006 07:05 1.25 MB Hidden from Windows API.
C:\System Volume Information\_restore{55F1C85C-1BA2-495B-865D-DF49EEE70C6B}\RP244\A0127776.RDB 13/12/2006 07:09 1.26 MB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 13/12/2006 07:05 64.00 KB Visible in Windows API, but not in MFT or directory index.
 

Reply · TSF Team Emeritus, Microsoft Visiting Expert · 3,258 Posts
Hi again


I'm running a little late on a few time-sensitive projects (I've been jumping on and off the forum while working on them), so I'll have to save the lengthier "how to" for tomorrow.

Here's the short version: I'd have a hard time trusting the system to be clean with so many files damaged, infections found and removed, and shady items found by Rootkit Revealer. If you are willing to go the "nuke & pave" route, that's what I'd suggest. I've started to write a "sticky" article on "best practices" for that sort of thing, but I've been too busy to finish it. Basically there are a few routes to take:
1) Recovery/restore disk set - using the "Full Recovery" = which completely repartitions, reformats, and restores a disk image of the hard drive's original state
2) Manual clean & reinstall, using a bootable write-protected floppy/CD to scan the Bios & a bootable write-protected floppy/CD to erase the hard drive (zero-write), then clean install XP
3) Manual extreme-clean & reinstall, using a bootable write-protected floppy/CD to flash the Bios, then a bootable write-protected floppy/CD to zero-write the hard drive, followed by a clean install of XP.
All methods include thoroughly scanning any backed up data that is to be restored BEFORE even thinking about putting it back into the freshly cleaned system. An additional procedure involves having up-to-date antivirus definitions & Windows Updates downloaded beforehand & burned onto a CD = so that the new installation isn't put at risk going on the Internet in a vulnerable condition. All the methods must also be done completely disconnected from any networks [everything must be downloaded beforehand].

You mentioned you have an XP CD - is it a full retail version? Or an OEM? And do you have a Recovery/Restore CD/DVD set?

Let me know what questions all this brings up, if any.
________________

In the meantime, though: a few answers -
-- Dr. Watson is built into Windows XP. It can be repaired.
-- CCleaner won't need your Windows XP CD [It is, in fact, a tiny little program that is like an ant: incredibly powerful for its size!] Give it a shot - it can't hurt.
-- If I had to guess, you may have had a keylogger hiding behind your rootkit: if you do any online banking from that PC, it'd be a good time to call the bank to make sure no unauthorized activity has occurred, and to change your PIN #s and passwords ASAP.
-- If you don't do anything financial from your PC, you have the option of trying a quick clean-up & try the quick-fix of CCleaner and the "scannow" to replace system files - but you may have to try several anti-rootkit tools before any have much luck finding and destroying the visitors (there could be more than one).

Hard to believe that this is my short answer, huh :)

I'll check back sometime tomorrow to see how you're doing. Lots of techs are around here, though, so don't be surprised if they drop in and come up with some good advice in the meantime.

Best of luck
. . . Gary
 

Registered · 21 Posts
Discussion Starter · #6 ·
Right, I think I've figured it out. After running CCleaner and fixing a large number of things my computer seems to have had a new lease of life. Everything is opening instantly and applications are running faster. I then ran three spyware scanners and all good. I then ran AVG antivirus again and it blacks out on the same folder every time, which is my footballmanager2006 game, so I decided to try and uninstall that, and during the uninstallation process the screen blacks out again. So I'm guessing if I can get the game out it should be OK. Is there another way of uninstalling the file other than using its exe file or the add/remove options?
 

Banned · 2,148 Posts
"So I tried RootkitRevealer, it found 12"
Rootkit Revealer is not a program to be used by everyday Users. If you go to the RR web-site forums and read a bit, you will find that many of the RR hits are legitimate. RR does not find malware, it finds indicators that MAY be malware. Once RR has "hit" on something, the next step is to determine if it was legitimate or not.

I don't think TetonBob would have cleared you from Securities if there was a chance of malware on-board.

I agree uninstalling the football game is the logical thing to try. I assume since you ask it will not uninstall via its uninstaller or Add/Remove.

The short answer is yes, you can remove it other ways; the problem is that a manual uninstallation takes significant time. The first thing to do is Google search for manual uninstallation methods and hopefully you can find directions on how to do it, with particular need for the registration entries that need to be deleted.

If you can't find that, then you will have to learn while doing the risky business of doing what I call a "blind" manual uninstallation, which means searching through the Registry for text unique to this game and deleting those Reg Keys that are part of it. The danger is deleting the wrong key and risk completely detonating your system.

I am suspicious of this game, TBH. Is this a legit game, or something downloaded via P2P ? If it's the second case, this could very well explain the Rootkit Revealer hits and all your other problems.

Also, I have noticed that AVG occasionally "craps out" for reasons I do not know, but uninstalling & reinstalling it will fix the problem.
 

TSF Team Emeritus, Microsoft Visiting Expert · 3,258 Posts
Hi again

I'd feel more comfortable if the Rootkit Revealer logs had some known quantities like the Sony rootkit (not-so-bad, so long as it wasn't co-opted by a worm) or the Norton System Works pseudo-rootkit (completely harmless, actually - it was a short-lived strategy that was since stopped = a Live Update removes it -- I believe it had to do with the Norton Protected ReCycle Bin). But the logs posted above have email addresses to send things to. Do you know the addresses included in the RR log? ... I've never seen a restore point in a Rootkit Revealer log before, either. If it's unlikely that you'll be using System Restore any time soon - you might want to turn that off, reboot, & see if those entries disappear from the log.

Try pointing CCleaner at the offending game. It has an UnInstaller feature in its "Advanced" settings. If that fails, and Add-Remove in Control Panel fails, you can try booting into Safe Mode, and deleting its program folders directly [don't send them to the Recycle Bin first - hold down the Shift and Delete keys at the same time to delete them directly]. Then run CCleaner again, I imagine it will have a fair amount of cleanup to do (again, run till "no issues found"). [CCleaner will know to remove the game's Registry entries, since they will be "broken links" - once the program folders are no longer present on the drive]

Then run Rootkit Revealer again, and if the log is significantly different, we'll have a look.

That's it for now
. . . Gary

[& Howdy there, Mr. Girderman - good to see you. Thanks for dropping in and helping out!]
___________
late edit: ... just noticed that one of the RR log items mentions an "international" registry key -- this key has been known to be involved in a trojan attack known as Troj/Small-SR (as named by the Sophos antivirus).
 

Registered · 21 Posts
Girderman, the game itself is genuine and has been on my computer for nearly a year and never been a problem. Maybe something infected it. I have however, using oldgraygary's Safe Mode method, deleted it by hand. I then ran CCleaner and it got rid of all the links. I then ran AVG antivirus again and it finally finished the job, so that's hopefully sorted. I then turned off System Restore and rebooted. Ran Rootkit Revealer and it gave me the following. The email address is that of a friend who was sending me a picture through Messenger; I'll delete that file and see if that pops up. I also googled Sophos but all I got was spyware and virus remover links. How do I go about getting rid of the International results? Do I download Sophos?


HKU\.DEFAULT\Control Panel\International 08/12/2006 05:59 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-21-1801674531-1409082233-725345543-1003\Control Panel\International 11/12/2006 06:25 0 bytes Security mismatch.
HKU\S-1-5-21-1801674531-1409082233-725345543-1003\Control Panel\International\Geo 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-21-1801674531-1409082233-725345543-1003\Software\Microsoft\Command Processor 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 08/12/2006 05:59 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 29/10/2005 00:10 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 29/10/2005 00:10 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 08/12/2006 05:59 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 17/12/2006 07:13 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 17/12/2006 07:13 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 17/12/2006 07:13 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Theo P\Local Settings\Application Data\Microsoft\Messenger hotmail.com\SharingMetadata\@hotmail.com\DFSR\Staging\CS{753D2A73-13F9-2DFA-7A8E-ADF7311564FD}\01\10-{753D2A73-13F9-2DFA-7A8E-ADF7311564FD}-v1-{BD 22/11/2006 21:00 8 bytes Hidden from Windows API.
 

Registered · 21 Posts
Discussion Starter · #10 ·
Deleted the files he sent me as they were just pics that I didn't need, but it was still in the rootkit scan. I take it that shouldn't be there?
 

TSF Team Emeritus, Microsoft Support · 15,478 Posts
Did you totally remove the footballmanager2006 game folder? I was going to suggest that if AVG anti-virus blacks out on that same folder every time, it could be a simple solution such as renaming the folder using fewer characters (preferably 10 or less).
 

TSF Team Emeritus, Microsoft Visiting Expert · 3,258 Posts
Hi again

Here's a link to Sophos' information on the trojan that is known to have activity associated with the International settings in the Registry --- http://www.sophos.com/virusinfo/analyses/trojsmallsr.html --- This might or might not be the case on your system, but you mentioned that you'd had malware attacks in the past, so the presence of these keys at all on the RR scan is worth exploring.

Tell you what, since there is a fair amount of difference in each of your posted logs, I think we can figure that the keys that are the same in all of your logs are more significant than those that come and go. Items in a RR scan that come and go are generally due to programs running while Rootkit Revealer is running. Try this:
1) Disconnect from all networks (unplug your ethernet wire, disable your wireless)
2) Close all open programs.
3) Shut down Zone Alarm, your AntiVirus, and all of your Antispyware tools(only do this when completely disconnected from networks!)
4) Shut down any Instant Messengers, Media Players, ISP connection software, email clients (Outlook, OE, etc.) running in your system tray.
5) Completely empty your ReCycle Bin.
6) Run CCleaner - use both its Cleaning and Issues functions. Run the "Issues" function until it reports "no issues found".
7) Once CCleaner is completely finished, and you have no programs open, run Rootkit Revealer again.

Your RR log entries for HKLM\SECURITY\Policy\Secrets\SAC* and HKLM\SECURITY\Policy\Secrets\SAI* are fairly new to RR logs, and so far have been given the OK nod on the RR forums. The latest version of RR scans the HKU key, previous versions did not - and that key is reported for most computers.

Your RR log entry for HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed is also widely seen, and so far is considered harmless.

I am hoping that your previous RR entries for Instant Messengers & Email was simply due to having these programs running (even if only in the background). Make sure to exit from any Instant Messaging, and to shutdown your email client (your active email client would show up in your system tray) -- as noted above.

I'm also a bit more hopeful, now that we've seen more than just one of your RR logs -- the only suspicious items left are those in the HKU key, concerning the International values. And since scanning this key is fairly new to Rootkit Revealer (and since Rootkit Revealer is now a Microsoft product) perhaps they are false positives ---

---> OK, I decided to find out for sure from the Rootkit Revealer folks themselves, so I posted a thread over on their logs forum, & we'll see if they feel that the HKU entries are harmless or not. You can watch that thread from this link --- http://forum.sysinternals.com/forum_posts.asp?TID=9286&PN=1&TPN=1
____________________

The nice side of the trouble with the stubborn game is that you can always reinstall it from its CD (assuming it's the shrink-wrap variety).
____________________

You might be just about all done soon, & be back to just enjoying your holidays with your tuned up rig going Vrooooom!
. . . Gary
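Gary's rule above (entries that survive every Rootkit Revealer scan matter more than ones that come and go, and a few well-known entries are routinely judged harmless) as an added example, not code from the thread or from Sysinternals: a small Python parser for the log format pasted in this thread that intersects several scans and separates persistent entries from transient ones. The allow-list of harmless entries is an assumption of the example, built only from what the thread says about the SAC*/SAI* and RNG\Seed items, and the two sample scans are constructed from abbreviated copies of the logs above.

```python
import re
from collections import namedtuple

# One RootkitRevealer line: "<path> <dd/mm/yyyy> <HH:MM> <size> <unit> <description>".
# Paths contain spaces, so the fields are anchored on the date/time columns.
RR_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})"
    r"\s+(?P<size>[\d.]+)\s+(?P<unit>bytes|KB|MB)\s+(?P<desc>.+)$"
)
RREntry = namedtuple("RREntry", "path date time size unit desc")

def parse_rr_log(text):
    """Parse pasted RR output into RREntry tuples; an unparseable line raises ValueError."""
    entries = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = RR_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised RR log line: {line!r}")
        entries.append(RREntry(**m.groupdict()))
    return entries

# Entries the thread reports as widely seen and so far judged harmless on the RR forums.
# Hypothetical allow-list for this example only: extend it from scans you have verified yourself.
KNOWN_BENIGN = (
    re.compile(r"^HKLM\\SECURITY\\Policy\\Secrets\\SA[CI]\*$"),
    re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed$"),
)

def triage(logs):
    """Paths present in every scan outrank those that come and go between scans."""
    path_sets = [{e.path for e in log} for log in logs]
    persistent = set.intersection(*path_sets)
    transient = set.union(*path_sets) - persistent
    benign = {p for p in persistent if any(rx.match(p) for rx in KNOWN_BENIGN)}
    return {
        "review": sorted(persistent - benign),  # survives every scan, not on the allow-list
        "benign": sorted(benign),
        "transient": sorted(transient),  # probably a program that was running during one scan
    }

# Constructed sample: two abbreviated scans in the format pasted in the thread.
SCAN_A = r"""HKU\.DEFAULT\Control Panel\International 08/12/2006 05:59 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 29/10/2005 00:10 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 17/12/2006 07:13 80 bytes Data mismatch between Windows API and raw hive data."""
SCAN_B = r"""HKU\.DEFAULT\Control Panel\International 08/12/2006 05:59 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 29/10/2005 00:10 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 08/12/2006 05:59 0 bytes Security mismatch."""
if __name__ == "__main__":
    print(triage([parse_rr_log(SCAN_A), parse_rr_log(SCAN_B)]))
```

Only the "review" bucket needs a human look; with the two sample scans that is the International key alone, which is the conclusion Gary reaches by hand.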
 

Registered · 21 Posts
Discussion Starter · #13 ·
Hi Gary, right, I have downloaded a trial version of Sophos' antivirus to see what it comes up with regarding the International logs; it won't let me run the scan just yet as it needs to authenticate me for the trial version. Will try later. I also closed all programs I have running, and ran CCleaner again; it picked up a bit more and fixed it. Should I be ticking the advanced boxes when I perform the cleaner? I have currently had it unchecked. Here is the log from RootkitRevealer. The email sharing thing is still there even though I have no Messenger or email client open ???

HKU\.DEFAULT\Control Panel\International 08/12/2006 05:59 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-21-1801674531-1409082233-725345543-1003\Control Panel\International 11/12/2006 06:25 0 bytes Security mismatch.
HKU\S-1-5-21-1801674531-1409082233-725345543-1003\Control Panel\International\Geo 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-21-1801674531-1409082233-725345543-1003\Software\Microsoft\Command Processor 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 08/12/2006 05:59 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 08/12/2006 05:59 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 29/10/2005 00:10 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 29/10/2005 00:10 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 08/12/2006 05:59 0 bytes Security mismatch.
C:\Documents and Settings\Theo P\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{753D2A73-13F9-2DFA-7A8E-ADF7311564FD}\01\10-{753D2A73-13F9-2DFA-7A8E-ADF7311564FD}-v1-{BD 22/11/2006 21:00 8 bytes Hidden from Windows API.
 

Registered · 21 Posts
Discussion Starter · #14 ·
Also AVG antivirus has come up with four changes to files: system32\kernel32.dll, \user32.dll, \shell32.dll and \ntoskrnl.exe. What are these all about? Are they normal changes that have taken place due to the clean-up process?
 

TSF Team Emeritus, Microsoft Visiting Expert · 3,258 Posts
Hi again

Sorry I'm a little slow replying this week [we're up in the mountains, having some snowtime holiday fun] . . .

Your AVG scan sounds like it came out great: those files are changed as a normal part of Windows doing its work. Had they been infected (rather than just changed), AVG would have let you know.

If you follow the link to the SysInternals/Rootkit Revealer forum -- the thread I started there for your Rootkit Revealer log has a reply on it. If you want, you can use their suggestion to modify the permission on the Registry keys in question. If the keys continue to cause suspicion, you could export the current suspicious keys/values to a USB flash drive, and then delete the suspicious keys [try RegEdit from Safe Mode - since these items are simply permission/mismatch entries, it seems like you should be able to see them]. [If you don't need the email entry anymore, you could see if it is visible in RegEdit in Safe Mode & try deleting it, too, from there.]

Hope you're enjoying the holidays -
. . . Gary
 