Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer Crashes 5 Mins. After First Boot-up Of Day


  • Please log in to reply
27 replies to this topic

#1 Futurelife

Futurelife

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 03 November 2005 - 05:30 AM

Hi,

This problem started in mid September 2005.
Every day, about 5 minutes after I first switch on my PC it either freezes or brings up a blue error screen, and I can't do anything except press the reset switch. After this one of 3 things will happen:
1. Most often Scandisk will run & Windows will boot up and there will be no more problems for the rest of the day
2. Very occassionally, Scandisk freezes at about 22 - 23% complete & I have to press reset again.
3. Very occassionally, I just get to the "64Mb memory" part of the bootup and nothing else happens.

The error message that sometimes comes up is:

"A fatal exception 0E has occured at 0028:C0007FC8 in VXD VMM(01) + 00006FC8"
(I'm not sure if it has the same numbers each time. One time it said:
"A fatal exception 0E has occured at 0028:C01466B2"

I've checked the fans and cleaned the dust out of the PC.
I installed completely new memory on 22 October - 512Mb PC2100.

The PC has:
AMD Athlon 1.3GHz
512Mb PC2100 RAM
Windows 98SE
AVG Free Edition 7.1.362
Maxtor 80Gb HDD partitioned into C: (59.9Gb) and D: (16.3Gb) and Maxtor 120Gb (E:)

I ran Hijack This this morning, once before the crash and once after the crash. The logs are below.

Log 1 (before crash):
Logfile of HijackThis v1.99.1
Scan saved at 12:35:48, on 5/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\DESKMENU.EXE
C:\WINDOWS\FLEXICD.EXE
C:\WINDOWS\CALENDAR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\WAVESTUDIO\CTWAVE32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.3.68/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CyberMedia Agent] "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
O4 - HKLM\..\Run: [gqjrjflg] c:\windows\system\gqjrjflg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Deskmenu.lnk = C:\WINDOWS\DESKMENU.EXE
O4 - Startup: FlexiCD.lnk = C:\WINDOWS\FLEXICD.EXE
O4 - Startup: FLD2005.CAL.lnk = C:\My Documents\Work\Future Life Design\Administration\FLD2005.CAL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00000000-0000-0000-0000-d4c4b96b0d97} -
O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -
O16 - DPF: {37B630E3-3FED-4F4A-B8BE-46AB443C51A9} (Finctl Control) - http://dialers.topcashdialer.com/u0001/setup.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...484/mcfscan.cab
O21 - SSODL: DKtvJNYhwC - {2E6713DA-84CD-B970-AA71-FCD460C98CBF} - C:\WINDOWS\SYSTEM\AZL.DLL
____________________________________________________
Log 2 (after crash):
Logfile of HijackThis v1.99.1
Scan saved at 09:47:39, on 03/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\DESKMENU.EXE
C:\WINDOWS\FLEXICD.EXE
C:\WINDOWS\CALENDAR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.3.68/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CyberMedia Agent] "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Deskmenu.lnk = C:\WINDOWS\DESKMENU.EXE
O4 - Startup: FlexiCD.lnk = C:\WINDOWS\FLEXICD.EXE
O4 - Startup: FLD2005.CAL.lnk = C:\My Documents\Work\Future Life Design\Administration\FLD2005.CAL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00000000-0000-0000-0000-d4c4b96b0d97} -
O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...484/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...bridge-c356.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O21 - SSODL: DKtvJNYhwC - {2E6713DA-84CD-B970-AA71-FCD460C98CBF} - C:\WINDOWS\SYSTEM\AZL.DLL (file missing)


(I noticed a few spyware/trojan type things in there that maybe shouldn't be (Funwebproducts, topcashdialer, etc.), but I haven't taken any action yet.)

Thanks for any help!

Mark

BC AdBot (Login to Remove)

 


#2 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:05:06 AM

Posted 03 November 2005 - 11:08 AM

Welcome to the forum.

Scan with Hijack This and put a checkmark next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.3.68/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [gqjrjflg] c:\windows\system\gqjrjflg.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {00000000-0000-0000-0000-d4c4b96b0d97} -
O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -
O16 - DPF: {37B630E3-3FED-4F4A-B8BE-46AB443C51A9} (Finctl Control) - http://dialers.topcashdialer.com/u0001/setup.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...bridge-c356.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
:\WINDOWS\SYSTEM\AZL.DLL
O21 - SSODL: DKtvJNYhwC - {2E6713DA-84CD-B970-AA71-FCD460C98CBF} - C

Close all windows and browsers and click "fix checked"

Next, download CleanUp 4.0 . Install and run it. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

When Spy Sweeper has updated, reboot to safe mode.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Open Spy Sweeper and click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove to remove any items found. Save the log.

Exit Spy Sweeper.

Reboot to normal mode and post the results from Spy Sweeper along with a new Hijack This log

#3 Futurelife

Futurelife
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 14 November 2005 - 04:00 PM

Hi,
I took the actions you suggested.
The "Delete Prefetch files" option in CleanUp! was greyed out, so I couldn't do that bit, and some of the items you listed in HijackThis were no longer there. Spysweeper found nothing.
I won't know if the computer's fixed until I boot up after a long shutdown.
Meanwhile, I have another problem (sorry - I should probably post this as a new topic)
My Internet Explorer seems to have been hijacked so that when I click on a search result in Google I'm redirected to either a porn page or an anti-spyware advert page. It only seems to happen the first time I click on a link. If I go back & click again I get the correct page. I've tried many online virus scanners and also Ad-Aware SE Personal, SpySweeper, Spybot S&D and CleanUp! but it's still happening. A Hijack This log is below:

Logfile of HijackThis v1.99.1
Scan saved at 08:49:41, on 14/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\DESKMENU.EXE
C:\WINDOWS\FLEXICD.EXE
C:\WINDOWS\CALENDAR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\EDITPAD\EDITPAD.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CyberMedia Agent] "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Deskmenu.lnk = C:\WINDOWS\DESKMENU.EXE
O4 - Startup: FlexiCD.lnk = C:\WINDOWS\FLEXICD.EXE
O4 - Startup: FLD2005.CAL.lnk = C:\My Documents\Work\Future Life Design\Administration\FLD2005.CAL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...484/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.26,85.255.112.120

__________________________________________________

OK - it's now much later, and I've rebooted the PC. I tried opening "My Computer" and immediately the PC crashed with a blue screen message: "A fatal exception 0D has occured at 167F:014F75B6...", after which, when I pressed any key, the screen went blank with a little strip of blue pixels along the top, and I had to press reset & go through Scandisk.

As to the other problem, which may or may not be related, I found that my Favorites folder had been hijacked and contained many links to pornography, dating, viagra, gambling and spyware-removal sites. I checked out the properties of each link to find the URLs. They are as follows:

http://www.buy-find.info
http://www.adultgambling.org
http://www.bleepesonline.net
http://girls4rent.net
http://usefullsoft.net
http://easy-pharmacy.info
http://busysearch.net
http://www.livegabmling.com
http://adultsgames.net
http://easyantispy.com
http://www.spybotremover.net
http://winprotect.net
http://funny-girls.com
http://dating-galaxy.info
http://easyspyware.com

I've removed these from the favorites folder and added the URLs to the Restricted Sites list in IE.
Any idea where they have come from?

Thanks for your help,
Mark

Edited by Futurelife, 15 November 2005 - 03:41 AM.


#4 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:05:06 AM

Posted 14 November 2005 - 05:01 PM

Could you post the results from SpySweeper?

#5 Futurelife

Futurelife
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 15 November 2005 - 03:43 AM

Could you post the results from SpySweeper?


Spysweeper found nothing.
I edited my previous post with some more information - see above.
Thanks

#6 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:05:06 AM

Posted 15 November 2005 - 07:47 AM

Those links being added to your favorites is usually caused by malware. I'd still like to see a full report from Spy Sweeper and another Hijack This log.

#7 Futurelife

Futurelife
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 15 November 2005 - 11:34 AM

Those links being added to your favorites is usually caused by malware. I'd still like to see a full report from Spy Sweeper and another Hijack This log.


Hi Viccy,

I ran Spysweeper again and saved the log:

|··· Tuesday, 15 November 2005 04:11 PM ···|
04:11 PM Sweeping memory for active software.
04:11 PM Memory sweep has completed.
04:12 PM Registry sweep completed.
04:12 PM Full sweep on all local drives initiated.
04:12 PM Now sweeping drive C:
04:21 PM Now sweeping drive D:
04:27 PM Now sweeping drive E:
04:29 PM Full Sweep has completed. Elapsed time 0 hours, 17 minutes, 57 seconds.
Files swept: 131,212
Software Located: 0

I ran HijackThis again. Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 04:32:49, on 15/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\DESKMENU.EXE
C:\WINDOWS\FLEXICD.EXE
C:\WINDOWS\CALENDAR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\EDITPAD\EDITPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CyberMedia Agent] "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Deskmenu.lnk = C:\WINDOWS\DESKMENU.EXE
O4 - Startup: FlexiCD.lnk = C:\WINDOWS\FLEXICD.EXE
O4 - Startup: FLD2005.CAL.lnk = C:\My Documents\Work\Future Life Design\Administration\FLD2005.CAL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...484/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.26,85.255.112.120

Thanks for helping me.
Mark

#8 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:05:06 AM

Posted 15 November 2005 - 01:16 PM

Please download the free MWAV antivirus tool from
here.
Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window.

#9 Futurelife

Futurelife
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 15 November 2005 - 07:05 PM

Please download the free MWAV antivirus tool from
here.
Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window.


Hi Viccy,

The MWAV scan appeared to find a lot of stuff. The log is below:

Object "funweb Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ebates moneymaker Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ebates moneymaker Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "mywebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "funweb Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "abetterinternet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "coolwebsearch parasite variant Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "precisionpop Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "windupdate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "purityscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "editpad Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "purityscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "broadcastpc Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "broadcastpc Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "broadcastpc Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "broadcastpc Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "broadcastpc Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "broadcastpc Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "broadcastpc Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "broadcastpc Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "broadcastpc Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\finctl.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1014.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\SYSTEM\ia.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1015.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\sporder.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\finctl.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ia.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1015.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\JotPlus.exe" refers to invalid object "C:\Program Files\Jot+ Notes". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\PowerDVD" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\AppFile.exe" refers to invalid object "C:\Program Files\Smart Panel\AppFile.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Copy.exe" refers to invalid object "C:\Program Files\Smart Panel\Copy.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Applet.exe" refers to invalid object "C:\Program Files\Smart Panel\Applet.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\McAfee\McAfee VirusScan\Activity Log\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Network Associates\VirusScan Engine\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Network Associates\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Config.Msi\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Shared Tools\msoc.dll" refers to invalid object "C:\Program Files\Microsoft Office\Office". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{79eac9c3-baf9-11ce-8c82-00aa004ba90b}" refers to invalid object "C:\WINDOWS\SYSTEM\hlinkprx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "c:\windows\SYSTEM\disktool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C6666B26-92FC-4164-BADD-8829E7AA7EC7}" refers to invalid object "C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31898-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31897-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9C027CF-DF75-4D2C-B763-AC1CA31C4AF8}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamiui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{002B9E07-2E10-438F-AF1E-40E6A96F1EE4}" refers to invalid object "C:\WINDOWS\SYSTEM\NVWDMCPL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5B585806-BE5F-445E-8DF0-82D5E5A44E79}" refers to invalid object "C:\WINDOWS\SYSTEM\NVWDMCPL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B1B9B65E-493A-4462-90A0-B2D8D2078A34}" refers to invalid object "C:\WINDOWS\SYSTEM\NVWDMCPL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9E68103F-DC25-4D14-9E49-482025D86375}" refers to invalid object "C:\WINDOWS\SYSTEM\NVWDMCPL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3137E771-D81D-47A5-B7E5-3206EED1053A}" refers to invalid object "C:\WINDOWS\SYSTEM\NVWDMCPL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1F88FF94-5BED-4EE8-A9A4-BC64Traces of "Sobig.e" found and cleaned !!!

What do you make of it?
Thanks,

Mark

Edited by Futurelife, 15 November 2005 - 07:06 PM.


#10 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:05:06 AM

Posted 15 November 2005 - 08:06 PM

Hmmm, Interesting.

Scan with Hijack This and put a checkmark next to the following entry:
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

Please run full scans with Ad-Aware SE and Spybot-S&D as follows:
(If you already have Ad-Aware SE 1.06 and Spybot 1.4 installed, you can skip the installation steps. If you don't, please uninstall your old versions and install the new ones from the links below.)

Full Ad-Aware Scan
Please download Ad-Aware SE from here:
http://www.majorgeeks.com/download506.html
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.
Installing VX2 Cleaner 2.0 - Ad-Aware Plug-in
Close Ad-Aware, if it is currently open.
Download the VX2 Cleaner 2.0 Plug-in here <http://updates.ls-servers.com/vx2cleaner_inst.exe>.
After installing, restart Ad-Aware before running the VX2 Cleaner.
Using VX2 Cleaner 2.0
NOTE: If you have earlier attempted to run Ad-Aware to remove VX2, you may need to run the VX2 Cleaner several times to remove possible VX2 remains.
If you have already attempted to remove VX2 with Ad-Aware, do the following:
Before running the VX2 Cleaner, make sure other anti-virus or anti-spyware applications are closed.
Run the VX2 Cleaner. If you computer is infected with VX2, a dialog box with text such as “New VX2 variant found” or “VX2 variant 1 found” will appear.
Press "Clean" and a dialog box with text “The first phase completed. Please reboot and perform a Smart Scan" will appear. After saving your work, reboot your system manually.
Repeat this until the VX2 Cleaner reports "System clean". Press "Close” to exit.
Run Ad-Aware one more time and scan your computer to make sure VX2 has been found and removed.


Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
4) Scan my IE Favorites for banned URLs
5) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.


Spybot Full Scan
Next, please download Spybot-S&D from here:
http://www.majorgeeks.com/download.php?det=2471
Install Spybot-S&D and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D, and then run it again. Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems". Then please restart your computer again

#11 Futurelife

Futurelife
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 16 November 2005 - 10:51 AM

Hmmm, Interesting.

Scan with Hijack This and put a checkmark next to the following entry:
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

Please run full scans with Ad-Aware SE and Spybot-S&D as follows:
(If you already have Ad-Aware SE 1.06 and Spybot 1.4 installed, you can skip the installation steps. If you don't, please uninstall your old versions and install the new ones from the links below.)

Full Ad-Aware Scan
Please download Ad-Aware SE from here:
http://www.majorgeeks.com/download506.html
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.
Installing VX2 Cleaner 2.0 - Ad-Aware Plug-in
Close Ad-Aware, if it is currently open.
Download the VX2 Cleaner 2.0 Plug-in here <http://updates.ls-servers.com/vx2cleaner_inst.exe>.
After installing, restart Ad-Aware before running the VX2 Cleaner.
Using VX2 Cleaner 2.0
NOTE: If you have earlier attempted to run Ad-Aware to remove VX2, you may need to run the VX2 Cleaner several times to remove possible VX2 remains.
If you have already attempted to remove VX2 with Ad-Aware, do the following:
Before running the VX2 Cleaner, make sure other anti-virus or anti-spyware applications are closed.
Run the VX2 Cleaner. If you computer is infected with VX2, a dialog box with text such as “New VX2 variant found” or “VX2 variant 1 found” will appear.
Press "Clean" and a dialog box with text “The first phase completed. Please reboot and perform a Smart Scan" will appear. After saving your work, reboot your system manually.
Repeat this until the VX2 Cleaner reports "System clean". Press "Close” to exit.
Run Ad-Aware one more time and scan your computer to make sure VX2 has been found and removed.


Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
4) Scan my IE Favorites for banned URLs
5) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.


Spybot Full Scan
Next, please download Spybot-S&D from here:
http://www.majorgeeks.com/download.php?det=2471
Install Spybot-S&D and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D, and then run it again. Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems". Then please restart your computer again


Hi Viccy,
OK - I did everything you suggested, except for one thing: In the "Cleaning Engine" option of Ad-Aware the "During removal, unload explorer and IE if necessary" was greyed out and couldn't be activated.
The Ad-Aware scan found nothing critical. The log is below.
I ran VX Cleaner 3 times in succession and each time it reported the system as clean.

Spybot SD found the following and fixed them all:
- Abetterinternet
- Alexa Related
- CoolWWWSearch.WinProc32
- FunWebProducts
- MyWay.MyWebSearch
- MyWebSearch
- NoAdware
- Windows AdTools

After I rebooted I tried a Google search and the same problem is still there - I typed in "wolves" (the first word I thought of) and clicked on a search result "International Wolf Center Home" which should have taken me to www.wolf.org/ but instead I was redirected to a ScrewFix site (not a sex site, but a builder's merchant!). I just tried the same search again and this time was redirected to DealTime.com
I ran Spybot again and all it found was a Doubleclick cookie, which it fixed.

Thanks again for your help.

AD-AWARE LOG:
Ad-Aware SE Build 1.06r1
Logfile Created on:16 November 2005 02:51:40 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R75 15.11.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):28 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R75 15.11.2005
Internal build : 87
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE
PERSONAL\defs.ref
File size : 546018 Bytes
Total size : 1639939 Bytes
Signature data size : 1606071 Bytes
Reference data size : 33356 Bytes
Signatures total : 45707
CSI Fingerprints total : 1103
CSI data size : 31460 Bytes
Target categories : 15
Target families : 782


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:78 %
Total physical memory:523220 kb
Available physical memory:341240 kb
Total page file size:1573928 kb
Available on page file:1459772 kb
Total virtual memory:2093056 kb
Available virtual memory:2041280 kb
OS:Microsoft Windows 98 SE

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


16-11-05 02:51:40 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
Command Line : n/a
ProcessID : 4293894761
Threads : 13
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Command Line : n/a
ProcessID : 4292895245
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID : 4292898813
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:4 [KB891711.EXE]
ModuleName : c:\windows\SYSTEM\KB891711\KB891711.EXE
Command Line : n/a
ProcessID : 4292877909
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows KB891711 component
InternalName : KB891711
LegalCopyright : Copyright © Microsoft Corp. 1991-2005
OriginalFilename : KB891711.EXE

#:5 [mmtask.tsk]
ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
Command Line : n/a
ProcessID : 4292877677
Threads : 1
Priority : Normal
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : mmtask.tsk

#:6 [EXPLORER.EXE]
ModuleName : C:\WINDOWS\EXPLORER.EXE
Command Line : C:\WINDOWS\Explorer.exe
ProcessID : 4292921857
Threads : 16
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:7 [SYSTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\SysTray.Exe"
ProcessID : 4292987753
Threads : 2
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : SYSTRAY.EXE

#:8 [CMAGENT.EXE]
ModuleName : C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
Command Line : "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
ProcessID : 4292973065
Threads : 1
Priority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.1.0
ProductName : CyberMedia Agent
CompanyName : CyberMedia, Inc.
FileDescription : CyberMedia Agent
InternalName : CMAgent
LegalCopyright : Copyright © 1997-1998 CyberMedia, Inc.
OriginalFilename : CMAgent.exe

#:9 [AVGCC.EXE]
ModuleName : C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
Command Line : "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE" /STARTUP
ProcessID : 4292976605
Threads : 5
Priority : Normal
FileVersion : 7,1,0,355
ProductVersion : 7.1.0.355
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:10 [EVNTSVC.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
Command Line : "C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" -osboot
ProcessID : 4293001525
Threads : 2
Priority : Normal
FileVersion : 0.1.0.880
ProductVersion : 0.1.0.880
ProductName : RealOne Player (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2002
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : evntsvc.EXE

#:11 [AVGAMSVR.EXE]
ModuleName : C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
Command Line : "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE"
ProcessID : 4293007469
Threads : 4
Priority : Normal
FileVersion : 7,1,0,357
ProductVersion : 7.1.0.357
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:12 [AVGEMC.EXE]
ModuleName : C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
Command Line : "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE"
ProcessID : 4293012885
Threads : 7
Priority : Normal
FileVersion : 7,1,0,362
ProductVersion : 7.1.0.362
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:13 [SPYSWEEPER.EXE]
ModuleName : C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
Command Line : "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
ProcessID : 4293039761
Threads : 1
Priority : Normal
FileVersion : 2.6.1.45
ProductVersion : 1.0.0.0
ProductName : Spy Sweeper
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
LegalCopyright : Copyright © 2001-2003 Webroot Software, Inc.

#:14 [DESKMENU.EXE]
ModuleName : C:\WINDOWS\DESKMENU.EXE
Command Line : "C:\WINDOWS\DESKMENU.EXE"
ProcessID : 4293020009
Threads : 1
Priority : Normal


#:15 [FLEXICD.EXE]
ModuleName : C:\WINDOWS\FLEXICD.EXE
Command Line : "C:\WINDOWS\FLEXICD.EXE" /resume
ProcessID : 4293053077
Threads : 1
Priority : Normal
FileVersion : 4, 3, 0, 0
ProductVersion : 4.3
ProductName : Microsoft® Windows™ Operating System
CompanyName : Microsoft Corporation
FileDescription : FlexiCD
InternalName : QuickCD
LegalCopyright : Copyright © Microsoft Corp. 1995
OriginalFilename : QuickCD.exe
Comments : Tray notification for music CDs

#:16 [CALENDAR.EXE]
ModuleName : C:\WINDOWS\CALENDAR.EXE
Command Line : n/a
ProcessID : 4293059677
Threads : 1
Priority : Normal
FileVersion : 3.10
ProductVersion : 3.10
ProductName : Microsoft® Windows™ Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Calendar application file
InternalName : Calendar
LegalCopyright : Copyright © Microsoft Corp. 1991-1992
OriginalFilename : CALENDAR.EXE

#:17 [WMIEXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WMIEXE.EXE
Command Line : WmiExe 52
ProcessID : 4293036001
Threads : 3
Priority : Normal
FileVersion : 5.00.1755.1
ProductVersion : 5.00.1755.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : wmiexe.exe

#:18 [AD-AWARE.EXE]
ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 4293197313
Threads : 3
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:19 [SPOOL32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SPOOL32.EXE
Command Line : C:\WINDOWS\SYSTEM\spool32.exe
ProcessID : 4293213409
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : .DEFAULT\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : .DEFAULT\software\creative tech\creative wavestudio\recent file list
Description : list of recently used files in creative wavestudio


MRU List Object Recognized!
Location: : .DEFAULT\software\creative tech\creative wavestudio\settings
Description : list of recently used directories in creative wavestudio


MRU List Object Recognized!
Location: : .DEFAULT\software\creative tech\creative wavestudio\settings
Description : last file open in creative wavestudio


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\recenturllist
Description : list of recently used web addresses in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\settings
Description : last save as directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\8.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\8.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\8.0\excel\recent file list
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : software\microsoft\office\8.0\publisher\recent file list
Description : list of recent files used by microsoft publisher


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : .DEFAULT\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : .DEFAULT\software\nvidia corporation\global\nview\windowmanagement
Description : nvidia nview cached application window positions


MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28

02:59:50 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:08:10.100
Objects scanned:178908
Objects identified:0
Objects ignored:0
New critical objects:0

______________________________________
More notes added, 7:15pm

I've booted up the PC after a long shut down.
The PC still has the same 2 problems - crash about 5 minutes after first boot-up, and redirected websites from searches. The redirections are a bit cleverer now; they redirect to pages that have some connection with the ones I should be going to - example, if I type in "dogs" and click a search result link then I'm taken to a site selling pet insurance.
Another thing that I've just noticed is that when I press CTRL-ALT-DEL to get a list of current running programs, Explorer doesn't appear. Is this significant?

Cheers,
Mark

Edited by Futurelife, 16 November 2005 - 02:19 PM.


#12 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:05:06 AM

Posted 16 November 2005 - 04:39 PM

Download and save blacklight to your desktop. Doubleclick blbeta.exe, accept
the agreement, leave [X]scan through Windows Explorer checked, click scan >
next.

http://www.f-secure.com/blacklight/try.shtml

You'll see a list of all the items it found. There will also be a log on
your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents
numbers) The application finds both bad files and legitimate files such as "wbemtest.
exe", so don't choose the rename option yet! Copy and paste the log it
generated in your next reply.

Post another hijack this and the blacklight log!

#13 Futurelife

Futurelife
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 16 November 2005 - 05:21 PM

Download and save blacklight to your desktop. Doubleclick blbeta.exe, accept
the agreement, leave [X]scan through Windows Explorer checked, click scan >
next.

http://www.f-secure.com/blacklight/try.shtml

You'll see a list of all the items it found. There will also be a log on
your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents
numbers) The application finds both bad files and legitimate files such as "wbemtest.
exe", so don't choose the rename option yet! Copy and paste the log it
generated in your next reply.

Post another hijack this and the blacklight log!


Hi Viccy,
Sorry, that didn't work.
When I click blbeta.exe I get an error message "Not enough memory to run this program..." and then another error message "A required .DLL file, USERENV.DLL, was not found".
Should I try it in Safe Mode?

Mark

#14 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:05:06 AM

Posted 16 November 2005 - 05:24 PM

Sorry, my mistake. I forgot blacklight won't work on W98 SE.

#15 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:05:06 AM

Posted 16 November 2005 - 05:27 PM

Give me a minute and I will come up with an alternative program to run.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users