
please advise~


This topic is locked
5 replies to this topic

#1 cyberfilly


Posted 24 November 2004 - 07:03 PM

OK, firstly a huge THANKS to all!
I have spent the last few days reading so many threads and actually learned a fair bit! (Went cross-eyed too, lol.) I managed to fix some stuff (windows adtools for one) but there are still a few "bugz" left.
I keep getting errors like "The instruction at "0x73dd1c9d" referenced memory at "0xoooooo38". The memory could not be read. Click OK to terminate."
When logging on to Windows I have to do the following steps: #1 power button, #2 Enter, #3 Alt/Ctrl/Delete, having to repeat these steps until Windows will load. I also get an alert from Avast that there is a virus even after I get the "all clear" from Trend Micro/McAfee and Avast scanning. Now, all this started AFTER I had SP2 installed, which I uninstalled, and I even tried to do a full recovery of Windows (reinstall).
What I would love to have as an end result is my com back to the pre-SP2 state.
All help is appreciated!

Logfile of HijackThis v1.98.2
Scan saved at 4:00:25 PM, on 11/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\HJT\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

#2 phawgg


Posted 25 November 2004 - 02:41 PM

Happy Thanksgiving, Cyberfilly. I will check your log and, after some reviewing, post recommendations. We're kinda busy, so please be patient. Glad you're finding information here; a lot of people contribute and it sure helps. Your log shows you have SP1 now, so I guess you did uninstall SP2. Did you reload the OS? I ask because I think I see an infection, and you can get these right after reloading if no firewall is in place... even in just a few minutes online. It may be less a problem with the SP2, more with malware. We'll study it. :thumbsup:

Edited by phawgg, 25 November 2004 - 03:11 PM.

patiently patrolling, plenty of persistent pests n' problems ...

#3 cyberfilly


Posted 25 November 2004 - 03:45 PM

It's appreciated, phawgg, and no worries, I have TONS of patience.
To answer your questions: YES, I uninstalled SP2. I had nothing but conflicts with it (oops, there went the patience) and got severely frustrated. :thumbsup:
I tried a few times to reload the OS using my recover/restore option. I don't know if it makes a difference, but my reinstall *disk* is NOT a disk in the usual manner; it's a partitioned drive in my com. I did not reconnect until I had my Freedom up, but that most likely wasn't enough. Why would all the scans come up clean (both online and resident) and the infection still be present?
Anyway, I'm off to do more reading! And
HAPPY TURKEY DAY to all as well! :flowers:

Edited by cyberfilly, 25 November 2004 - 03:46 PM.


#4 phawgg


Posted 26 November 2004 - 05:30 AM

Well, cyberfilly, you have a clean log. :trumpet: After carefully checking each entry I found no evidence of malware. The symptoms you are experiencing must therefore be the result of conflicts between the programs & their starting/running characteristics as installed on your OS. :flowers: May I suggest a new post in, for lack of any better place to discuss it, Software and Hardware - Forum - All other Applications. I would normally post further recommendations to use that might enable you to keep your PC free of malware. An example would be here, page 2 "clean log" post. In this case, however, I've listed the questions/situation you've outlined so you might review it and post accordingly. You might copy/paste them to a notepad, edit it and after some consideration, use the info to make a post others might be able to help you with, since this forum is primarily for malware related problems. Thanks.
  • why would all the scans come up clean (both on-line and resident?) You now have the answer to that.
  • I uninstalled the sp#2 (now using sp1) I had nothing but conflicts with it (of what kind?)
  • I've tried a few times to reload the OS using my recover/restore option
  • The recover/restore option is a partitioned drive in my brand - model no. computer
  • I did not reconnect (online?) until I had my Freedom up (an application running?)
  • but that most likely wasn't enough (to have caused a particular describe it problem).
  • Exact error codes can be researched, either entered as a google search or directly to Microsoft Help & Support Center.
  • "The instruction at "0x73dd1c9d" referenced memory at "0xoooooo38" the memory could not be read click ok to terminate"
  • To logon requires #1 power button #2 enter (do you mean start?) #3 alt/cntrl/delete, sometimes more than once. (result being what if it doesn't work the first time?)
  • I get an alert from avast that there is a virus (exact alert message, please)
  • I get the "all clear" from trend micro/mcafee and avast scanning (but) resident app alerts...online scans do not? (Y) - (N)
BTW, I personally use WinXP SP2. I am not familiar with the operation of these programs (listed below from your log) to an extent that I can authoritatively understand how they might coexist working together. From a log malware analysis standpoint, "it's all good".

Intuitively, however, I feel that many are probably unnecessarily starting at startup and running constantly, when they could just as easily be started only if/when actually required to run. Also, many of the HP programs running simultaneously, for reasons I am not certain of, may be duplicating the roles of the anti-virus resident program or individual components of other apps like anti-popup features or even, to some extent, keyboard/display/peripheral features.

Hewlett-Packard apps running: (I've included what info I can about them in some cases)
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (listed twice is kinda unusual I think)
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Zero Knowledge\Freedom\pkR.dll (popup killer)
C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe (Found in the /hp/bin directory on a HP PC?)
C:\WINDOWS\system32\ps2.exe (Multimedia Keyboard companion on HP computers. If this is prevented from starting, then some keyboard functionality will be lost...Some you use?)
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\HP\EXPLOREBAR\HPTOOLKT.DLL ( HP Explore Toolbar )
c:\hp\bin\BlockTracker.exe
C:\hp\bin\autotbar.exe
C:\WINDOWS\SMINST\RECGUARD.EXE (HP officejet D145 multi-function printer program)
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
(belongs to the Hewlett Packard Center and gives the user access to offers and recommendations from HP. This is a non-essential process. Disabling or enabling this is down to user preference)


and additional Hewlett-Packard:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/

with the Avast!
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

and a couple others
HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
(This is a DLL to enable multiple display monitors on a single computer. It can be a cause of numerous problems on some computers)
C:\WINDOWS\System32\hkcmd.exe
(Installed by the Intel 810 and 815 chipset graphic drivers. If you want the Ctrl+Alt+F12 or similar keypresses to access Intel's customised graphics properties, you need it, otherwise not. Can be disabled via Control Panel -> Display Properties)
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
StorageGuard from Veritas. Free utility that integrates with Backup MyPC (formerly Backup Exec Desktop), Simple Backup and MS Backup. Provides system tray access and background monitoring - warning you of files that haven't recently been backed up. Required unless you backup manually on a regular basis or have scheduled backups


Your TONS of patience will serve you well :thumbsup: studying the information that applies to all users and that which may be specific to yours alone. Take some time. My bottom line is that SP2 is needed to stay current. If it doesn't install, then your operating system is doing things that may not be right, like running programs that either need updates themselves or should be replaced with ones that do work with a fully updated system. The updates do not end, since vulnerabilities continue to be exposed and are dealt with on an ongoing basis.
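A small triage helper, added here as an example and not part of phawgg's post or of the HijackThis tool itself: it parses a few of the log lines quoted in this thread, counts entries per section, checks the R0/R1 Internet Explorer hosts against the HP defaults the log shows, and lists O4 Run entries whose command does not name a full path (the ones a reviewer has to locate on disk before trusting). The sample lines and the expected-host set are taken from the log above; the regexes and function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
"""

# Hosts this HP build legitimately points IE at (taken from the log in the thread).
EXPECTED_HOSTS = {"us7.hpwis.com", "srch-us7.hpwis.com"}
RE_R = re.compile(r"^R([01]) - (HK\w+)\\.+?,(.+?) = (.*)$")
RE_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
RE_O16 = re.compile(r"^O16 - DPF: \{([0-9A-F-]+)\} \((.+?)\) - (.*)$")

def command_image(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted path or first token)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]

def review(log_text: str) -> dict:
    """Group entries by HijackThis section and collect the items a reviewer checks first."""
    result = {"sections": defaultdict(int), "ie_hosts": set(), "unexpected_hosts": set(),
              "relative_run_entries": [], "dpf_hosts": set()}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        result["sections"][line.split(" ", 1)[0]] += 1
        if m := RE_R.match(line):
            host = urlparse(m.group(4)).hostname
            result["ie_hosts"].add(host)
            if host not in EXPECTED_HOSTS:
                result["unexpected_hosts"].add(host)
        elif m := RE_O4.match(line):
            image = command_image(m.group(3))
            # A bare file name is resolved via the search path at logon, so locate it before trusting it.
            if not re.match(r"^[A-Za-z]:\\", image):
                result["relative_run_entries"].append((m.group(2), image))
        elif m := RE_O16.match(line):
            result["dpf_hosts"].add(urlparse(m.group(3)).hostname)
    return result
```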

#5 cyberfilly


Posted 26 November 2004 - 12:06 PM

THANK YOU!!



#6 phawgg


Posted 31 December 2004 - 07:07 PM

Closed. The topics in this thread appear to have been resolved.

If referring to this thread you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.

You may also contact a HJT Team Member, and reference the link location address. Happy New Year. :thumbsup: :flowers:



