
Left Over Program Bits And Unknowns And Assorted Error Messages


34 replies to this topic

#1 Orange Blossom (OBleepin Investigator, Moderator, 36,696 posts, Bloomington, IN)

Posted 24 July 2006 - 05:59 AM

To save space, I'm going to paste in links to my previous posts when appropriate. After the discussion, I will paste in the HiJack This Log, and excerpts from The Ultimate TroubleShooter Services List since HiJack does not show the KAVMonitor service, followed by more discussion and error messages.

Link to first topic with original error messages and the suggestion to post a HiJack This Log: http://www.bleepingcomputer.com/forums/t/58739/error-messages;-klif-driver-and-kav-are-they-only-for-kaspersky/
--------
When I posted the first topic, I had Symantec Anti-Virus. Since I needed a Firewall, and because I did not have much more time to keep Symantec having graduated from the university, I uninstalled Symantec and Installed ZoneAlarm. Note: I scanned the system with current Symantec before uninstalling, and it found nothing. In order to get rid of Symantec entirely, I ran the uninstall tools discussed here: http://www.bleepingcomputer.com/forums/t/34671/how-to-remove-your-norton-products/ I ran them twice online and once manually. I used Search to find all the Symantec folders and deleted them. I then used Registry Mechanic to get rid of any other remaining Symantec entries.

I searched the registry on a number of occasions. I found a few entries from SunBelt Counterspy and Kaspersky - whose engines Cyberscrub Antivirus uses - as well, and I deleted only these entries as these were uninstalled and deleted programs. I also hoped this might possibly get rid of the KAV. It didn't. I left everything else alone. Mechanic says I have over 500 bad registry values. I have disabled the Kavmonitorservice in the services area. I am unable to get rid of it. There are registry values for it as well as for AVG7, another program I uninstalled and deleted. I deleted what registry values related to these programs that I could find in Regedit. Both AVG7 and CyberScrub Antivirus I thought I had completely shut down before uninstalling through Add/Remove Programs. I also used search to find any and all folders that I could think of relating to these programs. These folders are completely gone - erased beyond recovery.

The registry values for AVG7 and KAVMONITORSERVICE have the following path in regedit: HKEY_Local_Machine → system → enum → Root → LegacyAVG7CORE

Replace AVG7CORE with AVG7RSW, AVG7RSXP, AVGNTDW, AVGTDI, or KAVMONITORSERVICE. To phrase it another way, the values are the same except for the specific program identification right after Legacy.

All these are folders with further keys or subkeys inside. I am unable to delete any of these.

I ran ZoneAlarm which found nothing - either virus or spyware. The virus scan log, however, states that several files were unscannable; several because they are in use and several because of Error E004000Fh. I have no clue what this error means. ZoneAlarm was singularly unhelpful when I asked them. ZoneAlarm also has an error for the BootSector saying it could not find the drive specified. Whether this relates to the deleted Klif device or something else, I don't know.

AdAware and Spybot found nothing. I ran McAfee Stinger - it found nothing. I ran Blacklight RootKit - it found nothing. Windows are current. I ran all the antivirus and antispyware programs several times both in safe mode and in normal mode. I also ran PalSolutions Registry Cleaner - I do this on a fairly regular basis. I ran Chkdsk several times. I defragmented the drive. It may perhaps be significant that there is a fragment in the Pagefile that it can't defragment: I've seen this several times. There are also three fragments in the Masterfile, which I have also seen several times so apparently these cannot be fixed. I ran SFC /scannow. There are a few error messages. Note that they are in pairs. The second one states the failure of correction that the first one states:

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64020
Date: 7/24/2006
Time: 4:33:46 AM
User: N/A
Computer: *Removed*
Description:
Windows File Protection scan found that the system file c:\windows\system32\oembios.bin has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64004
Date: 7/24/2006
Time: 4:33:49 AM
User: N/A
Computer: *Removed*
Description:
The protected system file c:\windows\system32\oembios.bin could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject.
].

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64020
Date: 7/24/2006
Time: 4:33:49 AM
User: N/A
Computer: *Removed*
Description:
Windows File Protection scan found that the system file c:\windows\system32\oembios.dat has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64004
Date: 7/24/2006
Time: 4:33:50 AM
User: N/A
Computer: *Removed*
Description:
The protected system file c:\windows\system32\oembios.dat could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject.
].

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64020
Date: 7/24/2006
Time: 4:33:50 AM
User: N/A
Computer: *Removed*
Description:
Windows File Protection scan found that the system file c:\windows\system32\oembios.sig has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64004
Date: 7/24/2006
Time: 4:33:50 AM
User: N/A
Computer: *Removed*
Description:
The protected system file c:\windows\system32\oembios.sig could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject.
].

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
I also installed The UltimateTroubleShooter and not only saw the KAV... but a few other unrecognized services as well. I later spotted them in the Services panel. See this topic for description and names. http://www.bleepingcomputer.com/forums/t/59773/computer-management-shows-unknown-services/
---------------
HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 5:10:47 AM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\AnswersThatWork\Troubleshooter\UltimateTroubleshooter.exe
C:\Program Files\AnswersThatWork\Troubleshooter\UltimateTroubleshooter.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iub.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.iub.edu
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Nwcdbh02ist - NVIDIA Corporation - (no file)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Snapisess - Analog Devices, Inc. - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
---------------
Excerpts from TroubleShooter

Stopped I804driwi I804driwi C:\WINDOWS\System32\drivers\HPN.SYS

Stopped KAVMonitorService KAV Monitor Service Disabled
"C:\Program Files\CyberScrub AntiVirus\AvpM.exe" /service

Stopped Snapisess Snapisess Manual [there is no other info. for this]

Stopped Udfstapteet Udfstapteet Manual [ditto]

Stopped Nwcdbh02ist Nwcdbh02ist Manual [ditto]
----------------------
If you would like me to post the entire TroubleShooter Service list, let me know. I have saved the file from this date and time.

I don't really think I have malware or viruses, I think rather that I have leftover program bits, and one program that was never really there. I have an ethernet card apparently for LAN, I didn't know that's what it was at the time - I thought if Broadband ever came out here I could use that ethernet card to connect to the University system. Also, I have a log in account. I should maybe let you know that I had two user accounts on the computer, one for me and one for Dad. These were also login accounts. He never used his. I used his once to troubleshoot. I used my user account fairly regularly until I got software that wouldn't work there. I have since deleted both user accounts.

There are two other error messages I regularly find.

Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 7/24/2006
Time: 4:44:14 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: *Removed*
Description:
IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------
I think that this is a result of that ethernet card. I have disabled the LAN since I don't have one. It may also be due to the fact that I manually log in to the internet. Consequently, if I am not connected it wouldn't be detected, am I right?
----------
The other error messages tend to come in a pair:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 7/24/2006
Time: 3:32:46 AM
User: NT AUTHORITY\SYSTEM
Computer: *Removed*
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: *Removed*
Source Workstation: *Removed*
Error Code: 0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/24/2006
Time: 3:32:48 AM
User: NT AUTHORITY\SYSTEM
Computer: *Removed*
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: *Removed*
Domain: *Removed*
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: *Removed*

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------
Let me know if there is any other information you need to help solve the problem or problems.

Thank you,
Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
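The two kinds of event pairs quoted in the post above (a Windows File Protection 64020 followed by a 64004 for the same file, and a Security 680 followed by a 529 for the same account) are easier to reason about when they are correlated mechanically rather than read one at a time. The script below is an added example, not code from the post or from BleepingComputer. It parses the Event Viewer text layout quoted above (one record per dashed separator line) from a constructed sample whose account name is invented, pairs each 64020 with the later 64004 for the same path, and pairs each 680 with the 529 that the logon process writes for the same account within a few seconds.

```python
import re
from datetime import datetime

# Constructed sample in the Event Viewer text layout quoted in the post; the account name is invented.
SAMPLE_EVENTS = """\
Event Type: Information
Event Source: Windows File Protection
Event ID: 64020
Date: 7/24/2006
Time: 4:33:46 AM
Description:
Windows File Protection scan found that the system file c:\\windows\\system32\\oembios.bin has a bad signature. This file was restored to the original version to maintain system stability.
----------------
Event Type: Information
Event Source: Windows File Protection
Event ID: 64004
Date: 7/24/2006
Time: 4:33:49 AM
Description:
The protected system file c:\\windows\\system32\\oembios.bin could not be restored to its original, valid version. The specific error code is 0x800b0100 [No signature was present in the subject.].
----------------
Event Type: Failure Audit
Event Source: Security
Event ID: 680
Date: 7/24/2006
Time: 3:32:46 AM
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: alice
Error Code: 0xC000006A
----------------
Event Type: Failure Audit
Event Source: Security
Event ID: 529
Date: 7/24/2006
Time: 3:32:48 AM
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: alice
Logon Type: 2
Logon Process: Advapi
"""

def field(desc, key):
    """Value of a 'Key: value' line inside an event description, or None if absent."""
    m = re.search(rf"^{re.escape(key)}:\s*(.+)$", desc, re.M)
    return m.group(1).strip() if m else None

def parse_events(text):
    """Split the export on dashed separator lines; parse header fields and the description."""
    events = []
    for block in re.split(r"^-{3,}\s*$", text, flags=re.M):
        head, _, desc = block.strip().partition("Description:")
        if not head.strip():
            continue
        ev = {k.strip(): v.strip() for k, sep, v in (l.partition(":") for l in head.splitlines()) if sep}
        ev["Description"] = desc.strip()
        ev["id"] = int(ev["Event ID"])
        ev["timestamp"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return sorted(events, key=lambda e: e["timestamp"])

def wfp_restore_failures(events):
    """Pair a 64020 (bad signature, claimed restored) with a later 64004 (restore failed) for the same path."""
    pending, failures = set(), []
    for ev in events:
        if ev["Event Source"] != "Windows File Protection":
            continue
        if ev["id"] == 64020:
            m = re.search(r"system file (\S+) has a bad signature", ev["Description"])
            if m:
                pending.add(m.group(1).lower())
        elif ev["id"] == 64004:
            m = re.search(r"system file (\S+) could not be restored.*?error code is (0x[0-9A-Fa-f]+)",
                          ev["Description"], re.S)
            if m and m.group(1).lower() in pending:
                # The file is still unverified after the scan: WFP could not put back a signed copy.
                failures.append((m.group(1).lower(), m.group(2).lower()))
    return failures

def failed_logons(events, window_seconds=5):
    """Match each 680 (credential check failed; Error Code is an NTSTATUS) with the 529 logged for the same account."""
    pending, matched = [], []
    for ev in events:
        if ev["Event Source"] != "Security":
            continue
        if ev["id"] == 680:
            pending.append((ev["timestamp"], field(ev["Description"], "Logon account"),
                            field(ev["Description"], "Error Code")))
        elif ev["id"] == 529:
            name = field(ev["Description"], "User Name")
            for p in pending:
                if p[1] == name and 0 <= (ev["timestamp"] - p[0]).total_seconds() <= window_seconds:
                    pending.remove(p)
                    matched.append({"account": name, "status": p[2],
                                    "logon_type": int(field(ev["Description"], "Logon Type") or 0)})
                    break
    return matched
```

Reading the output: a 64020/64004 pair with 0x800b0100 says exactly what the description spells out, that WFP found no valid signature on the file and had no signed copy to restore, so the file stays unverified until it is replaced from a known-good source. For the logon pair, 0xC000006A is the NTSTATUS for a wrong password, and Logon Type 2 with Logon Process Advapi means some program on the machine called the logon API with a stored credential; when the pair recurs at every boot, the thing to locate is the service, scheduled task or startup program that still holds the stale password, rather than a person typing it.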


#2 Grinler (Lawrence Abrams, Admin, 43,389 posts, USA)

Posted 03 August 2006 - 12:09 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

#3 Orange Blossom (OBleepin Investigator, Topic Starter, Moderator, 36,696 posts, Bloomington, IN)

Posted 05 August 2006 - 04:08 PM

Grinler:

Thank you for the reply. I know how busy you folks are. I would have replied sooner, but I've been busy tutoring and also needed to wait for various scans to complete. The online scans took REALLY long over my dial-up. Since my initial post, there are some new issues as well as most of the old. I have composed most of this in notepad to avoid being online. I have addressed old issues first, then have listed scan results. Some virus and spyware infections were found. Not all were quarantined. I have included reports or relevant report sections. The HiJack this log is at the bottom of the post if it will fit. If not, I will put it in the next post.

Computer OS Windows XP SP2 Home Edition

I managed to get rid of Kavmonitor service in the Services list, I think when I deleted a Personal Anti-Virus folder I found in the registry, when I was working to delete a different key, after making sure it was NOT ZoneAlarm. There are still several keys in the registry with KAVMonitor Service, as well as the other keys mentioned in the first post.

Pagefile problem mentioned in first post

I had tried to get rid of the page file fragment by following directions in the Tweaking Companion by Koroush Ghazi.
I went into Safe Mode, changed Page file size to 0, rebooted back to Safe Mode and let the system automatically set page file. Rebooted, defragged, still a page file fragment.
Next trial: I went into Safe Mode, changed Page file to 0, rebooted back to Safe Mode, defragged, then set the page file to 2560 MB as suggested. Doing a defrag. analysis still showed 1 pagefile fragment.
Since then, another pagefile fragment has formed. I now have 2 page file fragments, and I still have 3 master file fragments.

Today's report after defragmenting below:

Volume (C:)
Volume size = 74.46 GB
Cluster size = 4 KB
Used space = 13.51 GB
Free space = 60.95 GB
Percent free space = 81 %

Volume fragmentation
Total fragmentation = 8 %
File fragmentation = 16 %
Free space fragmentation = 0 %

File fragmentation
Total files = 59,551
Average file size = 283 KB
Total fragmented files = 0
Total excess fragments = 0
Average fragments per file = 0.99

Pagefile fragmentation
Pagefile size = 2.50 GB
Total fragments = 2

Folder fragmentation
Total folders = 4,611
Fragmented folders = 1
Excess folder fragments = 0

Master File Table (MFT) fragmentation
Total MFT size = 82 MB
MFT record count = 64,356
Percent MFT in use = 76 %
Total MFT fragments = 3

--------------------------------------------------------------------------------
Fragments File Size Files that cannot be defragmented
None
--------------------------------
Orphan services

The following are file-less services listed in Computer Management Services and in Trouble Shooter service list. I've set these to manual as I have observed that disabled services do not make it into the HiJack This log. Still, not all appear there.

Nwcdbh02ist Manual Local System
Udfstapteet Manual Local System
Snapisess Manual Local System

This last one I think is a result of something I tried to do. I have consistently received the following error message in the Security Event Logs
---------------
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 8/5/2006
Time: 9:54:09 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: *Removed*
Description:
IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------------
I tried to run said service, but the system could not find the associated files.

The following service appears to be following an incorrect path. This is from Ultimate TroubleShooter:
Status State Name Display Name Start Mode Path and Arguments

Unknown Stopped I804driwi I804driwi Manual C:\WINDOWS\System32\drivers\HPN.SYS
---------------------------------
Scanning results and mode

All anti-spyware, Anti-virus, Spyware blocking, windows systems up-to-date
Spy-bot Normal mode Clean
Ad-Aware Normal Mode Clean
House Call Anti-Virus: Had to activate Java in IE browser, permit several Mime codes in order to begin. Deactivated ZA Anti-virus. All three actions made me very nervous. Early into scan, data transfer errors, retried at least 10 times, finally hit cancel which aborted the scan. Clean as far as it went.
--------------
Panda AntiVirus. (It took me about 10 tries to get it to work).

During the Panda AntiVirus Free On-Line Scan, ZoneAlarm Automatically blocked the following. I'm not sure if Panda was trying to do this or if it was IE itself. The following is from ZoneAlarm logs

OSFW 2006/08/04 13:10:52 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\expert.dll
OSFW 2006/08/04 13:11:00 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\multiscan.exe
OSFW 2006/08/04 13:11:00 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\repair\vsdb.dll
OSFW 2006/08/04 13:11:00 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\repair\vsinit.dll
OSFW 2006/08/04 13:11:00 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\repair\vsmon.exe
OSFW 2006/08/04 13:11:00 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\repair\vsruledb.dll
OSFW 2006/08/04 13:11:00 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\repair\vsutil.dll
OSFW 2006/08/04 13:11:00 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\scan.zmx
OSFW 2006/08/04 13:11:00 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\zatutor.exe
OSFW 2006/08/04 13:11:00 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\zauninst.exe
OSFW 2006/08/04 13:11:02 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC ZLDIR\zonealarm.exe
OSFW 2006/08/04 13:29:02 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINDIR\Internet Logs\BACKUP.RDB
OSFW 2006/08/04 13:29:04 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINDIR\Internet Logs\ZALog.txt

OSFW 2006/08/04 13:37:10 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\vetntmsg.dll
OSFW 2006/08/04 13:37:22 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\adcom.dll
OSFW 2006/08/04 13:37:22 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\cerbprovider.pvx
OSFW 2006/08/04 13:37:24 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\featuremap.dll
OSFW 2006/08/04 13:37:24 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\isafeinstall.dll
OSFW 2006/08/04 13:37:24 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\isafeproduct.dll
OSFW 2006/08/04 13:37:24 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\lib\zlsvc.zip.dll
OSFW 2006/08/04 13:37:24 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\lib\zpy.zip.dll
OSFW 2006/08/04 13:37:24 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\osfwrules.xml
OSFW 2006/08/04 13:37:24 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\plugins\rpc_server\manifest.xml
OSFW 2006/08/04 13:37:24 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\plugins\vsmon_plugin\manifest.xml
OSFW 2006/08/04 13:37:26 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\spyware.dat
OSFW 2006/08/04 13:37:26 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\streamapi\httpblocker\manifest.xml
OSFW 2006/08/04 13:37:26 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\streamapi\imslsp\manifest.xml
OSFW 2006/08/04 13:37:26 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\streamapi.config.xml
OSFW 2006/08/04 13:37:26 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\updating.dll
OSFW 2006/08/04 13:37:26 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\updclient.exe
OSFW 2006/08/04 13:37:26 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\vsmon.config.xml
OSFW 2006/08/04 13:37:28 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\zlasdbup.dat
OSFW 2006/08/04 13:37:28 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\zlqrtdb.dat
OSFW 2006/08/04 13:37:28 -4:00 GMT BLOCKED Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\ZoneAlarm.xml

Additionally, I received an alert that IE was trying to file write a Windows Driver: I was given the choice of what to do, and I blocked it.

OSFW 2006/08/04 13:34:02 -4:00 GMT UNKNOWN(0) Internet Explorer C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe FILE WRITE SRC WINDRVDIR\ETC\hosts

In addition, Panda found and deleted some virus files, and found - but did nothing - with a piece of spyware. Here is the log:

Incident Status Location

Spyware:spyware/web3000 Not disinfected c:\windows\hh.ico
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\Removed\Application Data\Mozilla\Profiles\default\zh8b6mnt.slt\ImapMail\imap4.indiana.edu\INBOX[~0001726.~]
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\Removed\Application Data\Mozilla\Profiles\default\zh8b6mnt.slt\ImapMail\imap4.indiana.edu\INBOX[~0002207.~]
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\Removed\Application Data\Mozilla\Profiles\default\zh8b6mnt.slt\ImapMail\imap4.indiana.edu\INBOX[~0002270.~]
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\Removed\Application Data\Thunderbird\Profiles\hpd1cunw.default\ImapMail\imap4.indiana.edu\INBOX[~0001726.~]
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\Removed\Application Data\Thunderbird\Profiles\hpd1cunw.default\ImapMail\imap4.indiana.edu\INBOX[~0002207.~]
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\Removed\Application Data\Thunderbird\Profiles\hpd1cunw.default\ImapMail\imap4.indiana.edu\INBOX[~0002270.~]

Speaking of FileWrites to ZoneAlarm, for the past few days, every time I start up, Explorer tries to FileWrite ZA

OSFW 2006/08/05 09:58:56 -4:00 GMT BLOCKED Windows Explorer C:\WINDOWS\explorer.exe FILE WRITE SRC ZLDIR\zlclient.exe
OSFW 2006/08/05 09:58:56 -4:00 GMT BLOCKED Windows Explorer C:\WINDOWS\explorer.exe FILE WRITE SRC ZLDIR\zlclient.exe

I then ran the Bit Defender online scan. It found nothing.

I then switched to Safe Mode:
Ran ewido anti-spyware, which found and quarantined a worm. Log below:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:59:58 AM 8/5/2006

+ Scan result:

C:\I386\REG.EXE -> Worm.Randon : Cleaned with backup (quarantined).

::Report end

Ran ZoneAlarm Anti-Virus next:

Note: last complete ZoneAlarm Scans before Today/last night was on July 31, 2006. At that time, it found nothing.
ZA Anti-Virus found nothing. Could not scan or treat several areas; some because files were in use. Others received an error code I don't understand. I have seen this error code numerous times. Tech. help at ZA has not explained the meaning of this code. Sample entries:

AV/treatment 2006/08/05 01:32:28 -4:00 GMT C:\Program Files\OpenOffice.org 2.0\program\python-core-2.3.4\lib\test\testtar.tar>0-REGTYPE-VEEEERY_LONG_NAME________________________________________________________________________ Scan Failed Manual [Specific error code: E004000Bh]
There is one other entry with the same error code, also related to OpenOffice. I just installed OpenOffice 2-3 days ago. Below is the other error code.

AV/treatment 2006/08/05 01:54:30 -4:00 GMT C:\Documents and Settings\Removed\NTUSER.DAT Scan Failed Manual [Specific Error Code: E004000Fh]
There are several of these, all of them related to Ad-Aware files.

One other Scan failure:
AV/treatment 2006/08/05 01:04:02 -4:00 GMT d:\ Scan Failed Manual [Boot Sector: The system cannot find the drive specified]
---------
Ran ZoneAlarm Anti-Spyware next. Note: On July 31, 2006, it also found nothing.

ASW 2006/08/05 03:16:52 -4:00 GMT Backdoor.Win32.mIRC.based Trojan Manual [Action: found]

I don't think it quarantined it, and I can't find it using Search. Not sure if the key below is related or not. In the logs, it is right below the above entry:

RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha

It also quarantined a screen logger:

2006/08/05 Screen logger [unnamed] quarantined

There is no additional information associated with this entry.
-------------
I ran Avert Stinger in Safe mode as well: Had it check everything. Found nothing.

Ran Spybot and Ad-Aware in Safe Mode: they found nothing.
--------------
Rebooted back to normal mode and ran Blacklight RootKit remover: It found nothing; Edit: however, on re-reading the Blacklight RootKit Remover tutorial, I may not have done it right.

This is when I did the Defrag analysis, and it said I needed to defrag. and it shows two pagefile fragments when finished. Report near beginning of post.
--------------
When I start up, I get the following error messages in the security event log: one pair if booting into Safe Mode, two pairs if booting into Normal Mode. Is this because I have it set up so that I have to log in?

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 8/5/2006
Time: 12:03:52 AM
User: NT AUTHORITY\SYSTEM
Computer:
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: [My real name here]
Source Workstation: [My computer ID]
Error Code: 0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/5/2006
Time: 12:03:52 AM
User: NT AUTHORITY\SYSTEM
Computer: [My computer ID]
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: [My real name here]
Domain: [My computer ID]
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: [My computer ID]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
I don't know if the following has any relevance, but I found three files in the prefetch folder that were not prefetch files. I have deleted them from the folder, but I do not know what programs they were associated with. They have not reappeared in that folder.

EXAEBWTAGS.ITGSCIFXDDFO.RR

JOKTHRRL.GDKIBNJKDGKT.ST

HTFREIGOUGJHSQ.WTESGAFHDXWO.GG
------------------------------
I closed down everything except security systems and ran HijackThis. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 4:25:04 PM, on 8/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iub.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.iub.edu
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Nwcdbh02ist - NVIDIA Corporation - (no file)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Snapisess - Analog Devices, Inc. - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
-----------
Orange Blossom

p.s. I will not make any other changes, installs or removes other than updating present programs unless otherwise directed while this topic is open so as not to confuse matters.

Edited by Grinler, 11 August 2006 - 09:49 AM.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Grinler

Posted 06 August 2006 - 09:38 PM

Orange,

A lot of stuff here, most of which really does not belong in this forum, but I will try to help you as much as I can. Just delete this file manually:

c:\windows\hh.ico

You should have no problem doing so.

Now to get rid of these two services do the following:

O23 - Service: Nwcdbh02ist - NVIDIA Corporation - (no file)
O23 - Service: Snapisess - Analog Devices, Inc. - (no file)

Click on start, then run, and copy and paste the bold text into the open field. Then press the ok button.

sc delete Snapisess

Do the same thing again but this time copy the following text instead:

sc delete Nwcdbh02ist

Again do the same for the next text:

sc delete Udfstapteet

That should get rid of the three orphan services.

For the legacy services, you need to change the permissions on the legacy keys and set everyone to full ownership. You will then be able to delete them.

Let's do this stuff first and then tackle the rest later. Also post a new HJT log afterwards.

#5 Orange Blossom

Posted 07 August 2006 - 03:22 AM

Orphan services deleted :thumbsup:

hh.ico found doing search: identified as an icon: deleted.

"For the legacy services, you need to change the permissions on the legacy keys and set everyone to full ownership. You will then be able to delete them."

How?

New HiJack This Log created while everything but security was closed.

Logfile of HijackThis v1.99.1
Scan saved at 5:00:07 AM, on 8/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iub.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.iub.edu
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

"A lot of stuff here most of which really does not belong in this forum"
Sorry: Not sure what's related to what and didn't want to omit something important. If you could direct me to the right forum for what doesn't belong here, I'd appreciate it.

Orange Blossom

Edited by Orange Blossom, 07 August 2006 - 04:07 AM.


#6 Grinler

Posted 07 August 2006 - 08:57 AM

The log looks clean now.

"For the legacy services, you need to change the permissions on the legacy keys and set everyone to full ownership. You will then be able to delete them."

How?


Sorry, I should have told you this. Highlight the key. For example, navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVG7CORE and select the LEGACY_AVG7CORE key so it's highlighted. Click on the Edit menu and select Permissions.

Click on the Everyone group so it's highlighted and then click on the Allow checkbox for Full Control. Press Apply and then OK and you should now be able to delete these keys.

Tell me how this goes and then we will try the other issues.
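An audit-only PowerShell script, added here as an example and not part of the thread or either poster's instructions, that lists the two kinds of leftovers Grinler has Orange remove in posts #4 and #6: services whose ImagePath file is gone (HijackThis's "(no file)" entries, the candidates for `sc delete`) and LEGACY_* keys under Enum\Root with no live service behind them (the keys whose permissions had to be changed before deletion). It assumes an elevated prompt; the helper name Resolve-ImagePath is mine, and it prints candidates without deleting anything.

```powershell
# Added example (not from the thread): audit-only listing of orphan services and
# stale LEGACY_* enum keys. Assumes an elevated prompt. Nothing is deleted here;
# each candidate still needs a human to confirm the software really is gone.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$legacyRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

# Hypothetical helper: turn an ImagePath value into a plain file path by
# dropping quotes, arguments, and the \??\ or \SystemRoot\ prefixes drivers use.
function Resolve-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)
    } else {
        # keep the first token ending in .exe/.sys/.dll, discard any arguments
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Services whose ImagePath points at a file that no longer exists
#    (what HijackThis reports as "O23 - Service: ... - (no file)").
$orphans = foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $image = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    $file  = Resolve-ImagePath $image
    if ($file -and -not (Test-Path -LiteralPath $file)) {
        [pscustomobject]@{ Service = $svc.PSChildName; ImagePath = $image; Resolved = $file }
    }
}

# 2. LEGACY_<name> keys under Enum\Root whose <name> has no entry under Services.
#    XP-era systems create these for every service; newer Windows may not.
$serviceNames = (Get-ChildItem $servicesKey -ErrorAction SilentlyContinue).PSChildName
$staleLegacy = Get-ChildItem $legacyRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'LEGACY_*' } |
    Where-Object { $serviceNames -notcontains $_.PSChildName.Substring(7) }

Write-Host 'Services with a missing image file (candidates for: sc delete <name>):'
$orphans | Format-Table -AutoSize

Write-Host 'LEGACY_* keys with no live service (candidates for permission change, then delete):'
$staleLegacy | ForEach-Object { $_.Name }
```

Run it before and after the cleanup; an entry that shows up in the first list because a vendor's file is temporarily missing (a half-finished install or a drive that is not mounted) should be checked by hand rather than deleted on sight.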

#7 Orange Blossom

Posted 07 August 2006 - 01:33 PM

Thanks Grinler,

The permissions change worked and I was able to delete those keys.

I only deleted those keys that I was 100% certain were from my uninstalled and deleted software.

Orange Blossom :thumbsup:

p.s. Um, I just noticed that my very first post at the top in this topic has my computer I.D. and real name listed a few times in the error messages, a big oops on my part. Could you edit those out please? Thanks.

Edited by Orange Blossom, 08 August 2006 - 12:50 AM.


#8 Grinler

Posted 09 August 2006 - 08:23 AM

I removed your name. Now let's tackle each problem one at a time. So that I don't have to read your very detailed info again :thumbsup:, what problem/concern would you like to tackle next?

#9 Orange Blossom

Posted 09 August 2006 - 05:53 PM

I think the most important are the files that Scannow cannot fix. I just updated Windows last night, so do you want me to do a new scannow and see if it is still an issue?

Orange Blossom

p.s. Um, Did you check the post from July 24, the original post on this topic? For some reason, I still see my name and computer I.D.

#10 Grinler

Posted 10 August 2006 - 01:29 PM

This is a Dell computer, right? From my research it appears that other Dell computer owners are getting the same message from scannow, and it's probably because Dell did not put a signature on the file, expecting no one to notice it. They can be safely ignored.

Fixed the id btw..let me know if you see it somewhere else and I will remove it.

#11 Orange Blossom

Posted 10 August 2006 - 02:51 PM

Yes, it is a Dell Dimension 2400.

I thought those scannow messages might have something to do with the IPSEC services not finding all the network interfaces (error message in the July 24 and Aug. 5 posts), but apparently not.

Other than the IPSEC services issue (Shall we tackle that one next?), I think the only other thing that I want to bother with in this forum is Windows Explorer trying to file write ZoneAlarm when I start up.

The other filewrites I think Panda OnLine is responsible for as it only occurs during scanning with Panda OnLine: probably a program conflict.

The pagefile and masterfile fragment issues I'll deal with by experimenting with different defragmenters.

The logon error issue I think belongs in a different forum, maybe Windows XP? I can start a new topic there.

Thanks for removing the ID stuff. I think you got them all :thumbsup: Edit: I just saw a comp. ID in the Aug. 5 post in the error message about the IPSEC service.

Orange Blossom :flowers:

Edited by Orange Blossom, 10 August 2006 - 02:55 PM.


#12 Grinler

Posted 15 August 2006 - 04:49 PM

I'll be honest, I did a lot of research on the IPSEC stuff and can't emulate the error or find more info on it. Not sure what it is.

As for the ZoneAlarm errors...I am not sure. I think you may be better off asking them here:

http://forum.zonelabs.org/zonelabs

#13 Orange Blossom

Posted 15 August 2006 - 05:35 PM

Thanks for all your assistance and research. :thumbsup: I'll check out the ZoneAlarm forum you posted here and see what I can find out.

The one remaining question is the service that apparently is following the wrong path.

Quote from Aug. 5th post:

This is from Ultimate TroubleShooter:

Status State Name Display Name Start Mode Path and Arguments

Unknown Stopped I804driwi I804driwi Manual C:\WINDOWS\System32\drivers\HPN.SYS


I wonder if it is supposed to be the file discussed here.
-----------------
I wonder if I get that strange IPSEC error message because I have a BroadBand Ethernet card for LAN, but I don't have an ethernet connection or a LAN - just dial-up. I've disabled Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport and Broadcom 440x 10/100 Integrated Controller so I wouldn't have "Local Area Connection: A Computer is Unplugged" and "Failed to connect to Local Area Network" messages all the time. Might that be the cause?

-------------
It would appear that all infection related stuff is taken care of, as well as the left-over program bits. All my security scans are coming up clean, and other than the occasional hiccup which a restart solves, the attempted filewrites, and the mysterious error message, the computer works fine.

Orange Blossom :flowers:

Edited by Orange Blossom, 15 August 2006 - 05:39 PM.


#14 Grinler

Posted 17 August 2006 - 08:21 PM

Might that be the cause?


Absolutely...why not enable the adapter and see if the error goes away?

Also for the driver, why do you feel that's the wrong path? According to the startup entry it's in the valid place:

http://www.bleepingcomputer.com/startups/hpn.sys-12736.htm

It does have a different name, but not sure if that matters. Do you have that type of control card on your machine? Also does the file exist?

Glad to hear about the security scans.

#15 Orange Blossom

Posted 17 August 2006 - 10:48 PM

Might that be the cause?

Absolutely...why not enable the adapter and see if the error goes away?

I'll enable the adapter before I shut down tonight, and post the results after I start back up tomorrow.

Also for the driver, why do you feel that's the wrong path? According to the startup entry it's in the valid place:

http://www.bleepingcomputer.com/startups/hpn.sys-12736.htm


(At the risk of too much detail again :thumbsup:, I've done some additional searching on the computer and have posted those results here in relation to i804driwi and hpn.sys in addition to my initial research).

I didn't think to look for hpn.sys on Bleeping Computer. I looked for the i804driwi, but couldn't find it in any of the BC databases. In Ultimate TroubleShooter, I followed the file to the containing folder, and I found a file with this name: i8042prt.sys in the driver folder, and the hpn.sys file is in the same folder.

So I searched for i804prt.sys in the databases thinking it might be the i804driwi. According to the BC file database, i8042prt.sys is responsible for communication of plug and play stuff including the mouse and the keyboard. Here is the location of that information: http://www.bleepingcomputer.com/filedb/i80...t.sys-1057.html, but you may have to manually search for the file anyway. (When I tried your link I got a "page could not be found on this server" message in my BC control panel. I had to search for the file afresh).

However, I couldn't find i804driwi in my drivers folder; that's partly why I'm suspicious of an incorrect path somewhere, and where is this i804driwi? A normal search on my computer doesn't find it, but it shows up in services under computer management with no description of what it does: set to manual and logs on as a local service. Currently stopped. I cannot find any information on it doing a google search. All I find is my own post :flowers:.

A registry search that I just conducted using the registry editor for I804driwi yields the following. There are subkeys under all of these.

HKLM/system/ControlSet001/Enum/Root/Legacy_I804DRIWI
HKLM/system/ControlSet001/Enum/Services/I804driwi (this one is located right under i804prt)

Repeat values replacing ControlSet001 with ControlSet003 and again with CurrentControlSet.

Also does the file exist?

I do have the hpn.sys file in the drivers folder as well, but it does not show up in my services list under computer management.

And a registry search for hpn.sys yields these registry paths:
HKLM/system/ControlSet001/Control/Nls/MUILanguages/RCV2/hpn.sys
Note: the l after the N in Nls may be an I, I can't tell.

In the next entry, registry editor search highlights Image Path in:
HKLM/system/ControlSet001/Enum/Services/I804driwi/ImagePath

Repeat values for ControlSet003 and CurrentControlSet

So, according to the registry search, hpn.sys is inside the I804driwi thingy in three places, but in three other places it has its own path. Weird, I think, and it does not show up in any startup locations - so now I'm even more suspicious of a wrong path somewhere unless I'm misinterpreting what I'm seeing.

In MsConfig, I804driwi is identified under services as a Microsoft product.

Do you have that type of control card on your machine?

Uh - insufficient data, does not compute :huh: : How do I find out, and what am I looking for, and what is it?

Orange Blossom :huh:
