
Pop-ups - Slow And Freezes


#1 happy gecko (Members, 5 posts)

Posted 31 July 2006 - 01:07 PM

I am trying to clean a Windows 2K system that is infected with viruses and malware. I have run AdAware and CounterSpy, F-Protect and TrendMicro Housecall and they have removed many malware items, but the malware keep returning after a few days. I am also getting errors like "Winlogon.exe has generated an error and will close... " or "Explorer.exe has generated an error and will be closed". The system has two user accounts. The 'administrator' account works fine, but the 'working' account will bring up the 'Winlogon.exe or Explorer.exe will close...' errors. This means that whenever I try to access anything using explorer.exe such as Windows Explorer or Run, the Windows Explorer application shuts down. Very frustrating!!!

This is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:15 AM, on 7/31/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\TapeWare\TWWINSDR.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\OPTO\OPTOWIN.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Tmp\HJT\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eyefinity.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - Startup: OPTO Windows Controller.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\OPTO\OPTO.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71A034AF-1646-4649-BB49-9425A8813723}: NameServer = 68.87.69.146,68.87.85.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{71A034AF-1646-4649-BB49-9425A8813723}: NameServer = 68.87.69.146,68.87.85.98
O17 - HKLM\System\CS2\Services\Tcpip\..\{71A034AF-1646-4649-BB49-9425A8813723}: NameServer = 68.87.69.146,68.87.85.98
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: TapeWare - Unknown owner - C:\Program Files\TapeWare\TWWINSDR.EXE

Any help is appreciated :thumbsup:

#2 Bobbi Flekman, The computer whisperer (Malware Response Team, 4,422 posts)

Posted 09 August 2006 - 02:20 AM

Hi happy gecko,

This is the HJT log

Update Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment.... ). Select each one and click Remove.
  • The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 5.0 Update 7' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.

What is this program?

O4 - Startup: OPTO Windows Controller.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\OPTO\OPTO.EXE

If you really use it, can you reinstall it to a normal location? The location as it is will be deleted once you run some form of cleaning software.

Can you post some sort of log from any of the programs you ran? This way I can see what is found. The log looks clean apart from the unknown entry I asked about earlier.
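The point of Bobbi's question is that an autostart entry launching from a user's Temp folder is unusual: legitimate startup items and services live under Program Files or the Windows directory, and anything in Temp is wiped by cleaners. The following added example (not part of the original thread, and not a HijackThis feature) triages HJT-style log lines for exactly that pattern; the sample log is constructed from the entries posted above.

```python
import re

# Constructed sample modelled on the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\OPTO\OPTOWIN.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - Startup: OPTO Windows Controller.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\OPTO\OPTO.EXE
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: TapeWare - Unknown owner - C:\Program Files\TapeWare\TWWINSDR.EXE
"""

# Directory fragments under which an autostart binary or service normally does
# not live; temp cleaners wipe these, and droppers commonly stage files there.
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\",
                   "\\temporary internet files\\", "\\locals~1\\")

# A Windows path: drive letter, then the shortest run ending in a loadable extension.
PATH_RE = re.compile(r"[a-z]:\\[^\r\n]*?\.(?:exe|dll|ocx|scr|com|bat|cmd)\b",
                     re.IGNORECASE)
ENTRY_RE = re.compile(r"^(O\d+) - ")  # HijackThis section tag, e.g. "O4 - "


def extract_path(line):
    """Return the first Windows binary path found on a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def is_suspicious_location(path):
    """True when the binary sits in a temp/profile scratch directory."""
    low = path.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def triage(log_text):
    """Return (entry kind, path) for every line whose binary runs from a
    temp-like location; 'process' marks lines of the running-processes list."""
    hits = []
    for line in log_text.splitlines():
        path = extract_path(line)
        if path and is_suspicious_location(path):
            m = ENTRY_RE.match(line)
            hits.append((m.group(1) if m else "process", path))
    return hits


if __name__ == "__main__":
    for kind, path in triage(SAMPLE_LOG):
        print(f"{kind:8} {path}")
```

On the sample it flags the running OPTOWIN.EXE process and the O4 Startup entry, both under the Administrator's Temp folder, and nothing under Program Files or WINNT.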

#3 happy gecko (Topic Starter, Members, 5 posts)

Posted 28 August 2006 - 07:24 PM

Hi Bobbi,

I fixed the Java as you suggested. The OPTO program is a client management and billing program for an Optometrist/Optician's office. I am working with that program's support people to resolve the TEMP location problem. I ran Kaspersky Anti-Virus and it did a better job of removing viruses/malware than the user-installed F-Protect. The system seems to be much happier now. One problem was that the workstations did not have rights to install Windows updates, something no one was aware of - for two years.

Thanks :thumbsup:
