
Unknown Bug: BSOD Rebooting, 100% Usage Online, And Bugs Found


79 replies to this topic

#1 CrisGer


Posted 23 April 2007 - 03:33 PM

My System: My system is an AMD Athlon 64-bit 3400+ 2.6 GHz, 2.5 GB RAM, 400 GB hard drive, PC3200 2 (512MB 1 Gigabyte Total Matched Pairs), Audigy 2 ZS sound card, Nvidia 6600 GT AGP, running Win XP Pro SP2, Enermax True Power, Gigabyte K8nsXP-Professional Series motherboard.

I use it for game design and testing and beta testing, and so I have over 350 GB of files that can't be easily moved or even copied due to a huge variety of technical in-file prompts, linkages and NDAs. And my DVD player has gotten affected by the Starforce restrictions placed by some game suite protection codes, so I am trying to save the system without a reinstall.

OK, got invaded, symptoms: BSOD randomly, esp. at start up, can get it to run in safe mode and then in normal. (I mistakenly thought this was part of the SmithFraud problem. I did get one return running Spybot, it said I had a SmithFraud item that was an infection and needed to be removed, and told me to reboot and it would be gone. It was still there after two scans and finally disappeared after the third scan; I wrote that name down, as I may have run SmithFraud long ago, at some other debugging, but don't remember for sure)...anyway, as PapaKid has explained to me, if I can boot up at all, then I don't have that bug. :flowers: )

Also, when I went online, I could only stay connected and use it for about 2 minutes; usage would grow and grow in the Program Manager until it reached 100% and the modem lights were flashing, but I could not stay online myself. Trying to restore the internet connection with the phone company support for my DSL using a cmd DOS screen via the Run area, we could not restore the IP address; the system would not allow me to do so.

I found several downloaders and suspected maybe a Keylogger worm but found no files or evidence so far.

When I ran SuperAntiVirus yesterday three times I found:

The first scan found 40 threats:

2 memory Items
34 infected files
4 Items in the Registry

they were: (the number after each entry indicates how many instances of that bug at the end of the scan)

Trojan Downloader MSNETAX 4 of them
Trojan Spam-RUCrzy 3
Browser Hijacker Apropos Media/PeopleOnPage 4
Adware Tracking Cookies 11
Adware Acoona 1
Trojan Loksy Variant 12
Trojan Downloader-WinCom32/RootKit 1
Trojan Rootkit-Windev/H 1
Trojan Downloader-Gen/Snuke 3

It quarantined and removed them all.

I scanned a second time right away and found:

Adware Acoona 1
Trojan Downloader MSNETAX 2
Trojan Spam-RUcrzy 2

they were in these locations:

C:/CPO2915.NLS

and I think in the restore point files:

C:/SYSTEM VOLUME INFORMATION\_RESTORE (54BFCF64-7301-4988.A46

I was worried that the scans were not getting everything so I scanned again and found:

Trojan Spam-RUCrzy 2 in this location:

C:/CP2227.NLS

Then I uninstalled SuperAntiVirus because it would freeze up my system when I booted up, until it could connect online, and I don't want to go online unless I really have to. Anyway, my system now won't connect online at all.

Trojan Spam-RUCrzy keeps reappearing.


Ran the following anti-virus:

AVG 7.5 6 times uninstalled eventually
Avast 4.7 5 times uninstalled
Spyware Guard (sorry about that, did not know better) uninstalled
SpyBot, 5 times
Spyware Blaster (uninstalled)
AdAware SE 4 times
SuperAntiVirus 4 times, returns listed above
installed and uninstalled ZoneAlarm
used McAfee Avert Stinger, April 2006 version
(I am a little afraid of what this scan did, as after I finished it and rebooted, my desktop color background was reset to default Windows Blue, which may mean it reset a lot of my Windows settings?) I am afraid of that one. :thumbsup:
SmithFraud Fix
AVG Anti Rootkit, could not complete a scan with this, the system kept rebooting and would not allow me to run it.

Each program caught different bugs and objects. I tried a tech who ran SpyDoctor and a Registry fixer, but no help, still BSOD and excess internet usage after him.

I am trying another tech today as I lost the ability to log on to the internet at all. He says the connection through the DSL is live and he can ping, but Windows, i.e. the system card, can't resolve to use the connection, I think he said the DNS. He said a bunch of Windows config files were changed or turned off, maybe by one of the fixers; McAfee Avert asked if I wanted to clean the registry and I said Yes.

Anyway, here is the log from HijackThis, which I installed and ran the create-log program.

I welcome any suggestions. So far I think I got most of the buggies out, but I can't go online so I don't know if the program or virus or worm that was using my internet connection so extensively, maybe making my computer a slave, is still alive in there or not. I will post if the tech here has any luck; he said there was a 50% chance he could save my system and software without reinstalling.

here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 11:40:08 PM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Registry Repair Wizard Scheduler] "C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (file missing)
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\xli.dll' missing
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe


I wish I knew more, and want to learn, and am doing all I can at my end to help.

Here is my original description from my first posts:

OK, I go online, and soon, after a minute or so, my internet access through IE does not work, yet my router is flashing a million miles a second, and something is using my compy but not me. Usage in the Program Manager goes up to 100% and everything crawls.

I had a problem a week ago, Saturday, was surfing and then wham, it was like I hit a wall, something was wrong. I installed as much anti-virus as I could until I found I could not run several at once. I tried Avast, AVG 7.5, SpyBot, a tech I hired to try to help who was mostly a waste, used SpyDoctor, and he installed Zone something firewall, a Registry Fixer but did not run it in detailed mode, just did a scan, and called it a day.

Well, the symptoms of the problem were: BSOD shutting me down, which was actually an aspect of a variant of the SmithFraud permission refusal bug I think, but BSOD nonetheless, and then some failed attempts by the system to reboot, with having to go into Safe Mode and finally into full ops; this problem with the internet access, the modem going nuts but me not being able to get on; and a number of viruses and bugs. And my internet speed dropped to nothing, I could not stay online and my compy usage went up to 100% with nothing showing in the Program Manager.

I and the tech cleaned maybe some 15 trojans and other critical objects over about three days. I am back where I started with no access to the net after about two minutes of being logged on. I have DSL from the phone company and the service here is spotty but I do have a good download and upload potential. But with the current problem I am having to use the office computer to post here, as I would not be able to at home.

(I am a little above novice about tech stuff.) I hope to learn enough to be able to tell the next tech what I need and to know if he or she is able to really fix things. This system that is in trouble is my main test and development system, and very valuable to me, as it has tons of irreplaceable files. I have not been able to back up the whole thing recently as my DVD player will currently not work right; it may have a problem induced by Starforce but that will have to wait until I get my main problems dealt with.

Due to pressure at day job, (I am a Marketing and Sales Manager of a hotel and conference center undergoing liquidation) I have not had time to deal with this as fully as I would like but a fellow computer researcher and game reviewer told me about you all and how you saved the life of her computer so here i am, hopeful and eager to learn what I can.

So I suspect what I have is either a keylogger of some kind or a parasite or slave situation, and I am indeed worried. I will be honest, I don't think I can learn the technical stuff I saw on glancing at the tutorials. I am a right-brained artist type (http://www.christophergerlach.com) and frankly I am amazed that I have been able over the past ten years to learn to use and be somewhat familiar with compys, but I am fearful of my ability to learn too many complex things. But I will try and do all I can if anyone can make some suggestions. I am also eager to see if there are some tools or programs you all know of that I can try to get this nasty thing out of my system without borking the whole thing up.

I have tried a bunch of the anti-virus cleaners as described above, but to operate my system as it is currently I had to delete ZoneAlarm, I think it was called, the free firewall the last tech installed, as it would not allow me to even get online......so I am using the Windows Firewall now and AVG 7.5, but am online not at all as I hate to see those green lights flashing with something inside my system that I do not know what it is doing, or to what, or from who.

Any suggestions eagerly watched for. I am back and forth from home office to work office so I will check this thread and the alerts to replies as I can, so thanks in advance for any suggestions or help. I do have the DXDIAG of my system and I will get the exact list of the cleaners I tried if that is useful too. I am somewhat dyslexic about names of things so I do not recall all the names right now. Thanks again and I am very glad you all are here.

I am going to try the SuperAntiSpyware program now as it looks pretty good from what is posted in this forum.

My system is an AMD Athlon 3400 2.6 GHz, 2.5 GB RAM, 400 GB hard drive, Audigy 2 ZS sound card, Nvidia 6600 GT video card, running Win XP Pro SP2.

Edited by CrisGer, 23 April 2007 - 04:08 PM.

Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#2 Papakid

Guru at being a Newbie
Malware Response Team

Posted 23 April 2007 - 06:28 PM

OK, let me be completely honest with you here. Your best option is to reformat and reinstall Windows. I know you want to avoid that at all costs, but from what I've read in your previous posts--and I've read them all--you've been on the net for a long time with no antivirus and no firewall, have been rootkitted, and your PC has been part of a botnet that has been used by cyber-criminals to spew spam and possibly distribute infections to other systems.

A lot of that has been cleaned up and we can clean some more, but there is no way to guarantee that it will be completely clean, and malware nowadays does so much damage that it will never run like you want it to.

Please don't connect this PC to the internet until you have One good antivirus and One good firewall installed. You mentioned earlier having installed AVG and ZoneAlarm, but they are no longer in your log. You simply can't be on the internet without these types of programs.

Something else you need to understand is we don't usually work by advising some tech you have working on your system. There is no way to effectively co-ordinate what to do with him/her and it causes confusion. I as your helper need to have at least a modicum of control over what is done to be able to get a sense of cause and effect. I'm going to give you some things to do that should help you and the tech out, but won't be as thorough as what we usually ask to be done in similar situations. It will be better to let your tech have control over what he wants to do, and when he's done, let me see what else I can suggest.

These instructions may be for people that have internet access, so bear that in mind if you already have access to setup files or need to get them from your work computer.


Please download AVG Free from here:

AVG Virus Scan

Save the setup file to your desktop.

Now boot your computer into Safe Mode

Install AVG and run a full system scan.


Scan again with HijackThis--either safe or normal mode doesn't matter. Put a checkmark next to the following entries:

R3 - URLSearchHook: (no name) - <default> - (no file)
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll


Close all other windows--you should only see HijackThis on your Desktop and Taskbar--and then click the "Fix checked" button.

Reboot/Restart your computer.

Now please Download LSPFix from:
http://www.bleepingcomputer.com/files/lspfix.php

Please refer to the tutorial here:
http://www.bleepingcomputer.com/forums/tutorial59.html

Disconnect from the Internet and close all Internet Explorer Windows. Run the program and check the "I know what I'm doing" box. Place all instances of xli.dll on the right by clicking xli.dll to select it in the Keep field then click on the button that points to the right. When all instances of the dll in bold and only this dll are in the Remove section, press the Finish button.

xli.dll

Then reboot.

If you are still having problems with your connection, download WinSockFix, save it to your desktop and run it. You may want to do this anyway as it will rebuild TCP/IP from scratch. Any reconfiguration from there you may need to consult with your ISP.

Once this is all done let me know if you are still getting BSODs. Test your connection, but as I said earlier, don't stay on the net long without a firewall. At least turn on the Windows Firewall if you can't get anything else to work by going to Control Panel>Security Center. Click on Windows Firewall toward the bottom, put a dot in "On", then click OK and reboot.

Before attempting to install any third party firewall, go back and turn the Windows firewall off. If things are running better after the above instructions, I suggest you try to install OutPost Firewall Free for now, and if you don't like it you can try some others I can suggest later. Always disable a firewall before uninstalling it.

Scan again with HijackThis and post a new log. Let me know when your tech friend has done what he can. There will be more to look for as HijackThis doesn't "see" everything. But I would advise while your tech friend is around that you get him to help you to back up the data you want to keep--if it takes getting him to get your CD player going again or if you have to buy or borrow something like an external hard drive.

I'll be gone now for a couple of hours.

The thing about people

is they change

when they walk away.--Mipso
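The three entries this reply fixes (the R3 hook with no file, the O10 LSP line naming a missing xli.dll, and the O20 Winlogon Notify DLL) are the kind a helper scans a HijackThis log for first. As an added example, not code from the thread or from HijackThis, the following Python picks those entries out of the log text; the allow-list of Windows XP Winlogon Notify packages is an assumption constructed for this example.

```python
"""Triage the R3 / O10 / O20 entries of a HijackThis v1.99.1 log.

Added example, not part of the thread or of HijackThis. It parses the three
line formats as they appear in the log posted above and returns the entries
a helper would single out for action.
"""
import re
from dataclasses import dataclass
from typing import List

# Winlogon Notify packages normally present on Windows XP. Constructed for this
# example and deliberately short: a key not on it is reported for a closer
# look, not declared malicious.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - (?P<clsid>.+?) - (?P<file>.+)$")
O10_RE = re.compile(r"^O10 - Broken Internet access because of LSP provider '(?P<dll>[^']+)' missing$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    subject: str   # what to act on: a CLSID, a DLL path or a registry key name
    reason: str    # why a helper would flag it
    raw: str       # the original log line


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious R3/O10/O20 entries found in a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = R3_RE.match(line)
        if m:
            # A search hook whose file is gone does nothing, but it is an
            # orphaned registration left behind by something, so remove it.
            if m.group("file") == "(no file)":
                findings.append(Finding("R3", m.group("clsid"),
                    "URLSearchHook registered with no file behind it", line))
            continue

        m = O10_RE.match(line)
        if m:
            # A Winsock LSP entry pointing at a missing DLL breaks TCP/IP for
            # every application: the chain must be repaired (LSPFix /
            # WinsockFix), not edited by hand, or the stack stays broken.
            findings.append(Finding("O10", m.group("dll"),
                "Winsock LSP chain references a missing DLL", line))
            continue

        m = O20_RE.match(line)
        if m and m.group("key") not in KNOWN_WINLOGON_NOTIFY:
            # Winlogon Notify DLLs are loaded into winlogon.exe at every logon,
            # a persistence point that survives reboots and Safe Mode.
            findings.append(Finding("O20", m.group("key"),
                "Winlogon Notify package not shipped with Windows XP, loads "
                + m.group("path"), line))
    return findings


# Excerpt of the first log posted in the thread, plus one constructed clean
# O20 line (crypt32chain) to show that a known package is not reported.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [NVRaidService] C:\\WINDOWS\\system32\\nvraidservice.exe
O10 - Broken Internet access because of LSP provider 'c:\\windows\\system32\\xli.dll' missing
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: mszsrn32 - C:\\WINDOWS\\system32\\mszsrn32.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.subject}: {f.reason}")
```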


#3 CrisGer


Posted 23 April 2007 - 09:20 PM

OK, I will take you very seriously as my situation is serious, I gather from your sobering post. I have had AVG and a firewall up on my system off and on, but not for some time, so that was my window of vulnerability. I will follow your instructions to the letter. I had AVG on there until just before running the last scans last night; as per the HijackThis thread instructions, I thought we could only run one anti-virus program at a time, so I uninstalled it to run the ones on the list. I also had Zone firewall on there too and took it off to try to connect to the net, but the TCP was definitely borked.

Marcel is the tech working on it, and I will let him do what he can. He is a professional with a computer business here in town, Pagosa Springs, a very small place in Colorado. He seems steady and knowledgeable and he may indeed have to reinstall. He is doing an entire backup of all my data, so my earlier post was a bit despairing unnecessarily, and it turns out it can be backed up. I have been pretty stressed and am having to learn a lot fast here, as I have focused on the creative aspects of my IT work and neglected my tech learning, as you have been very kind NOT to thump on me for; I appreciate it because I am feeling plenty of shame right now over this.

I will take all the steps you suggest as soon as my system is back to me, and will post the resulting log.

I am using my number 2 older test bed, a P4 with Win 98 SE which I use for older game study.

Thanks so much for your help. I won't probably have my system in my hands until tomorrow, so I will let you know.

I can't thank you enough for giving me specific steps and things to do and for thinking I am capable of learning to do what you tell me to do. I will certainly try.

I am horrified frankly to think my system has been a bot slave. I think it has only been thus for a week, as before that, due to a misinstalled filter in my home, my DSL was not fast enough or ample enough to make it worth anyone doing that, and I did not have the 100% usage run-up of the system until after last Saturday. At least I hope so, as I hate the idea of evil people doing that. I have put a lot of time and care and resources into my system and my work, and it is a terrible thing to contemplate that bad people would do that with it. I will follow your steps carefully and re-post when I get my system back.

Thanks again. And if you think of anything else I will need to be prepared to do, let me know. I have access to the net now at home with this older system and can cache up the files and programs and/or use the office comp too and shuttle things back here. Thanks again.

#4 CrisGer


Posted 23 April 2007 - 09:48 PM

OK, I checked with Marcel, and he found another Trojan and some other virus and cleaned them out. He rebuilt the TCP, saying that I had a network card that was jacked up.

At this point he said he thinks we may not need to reinstall and I will get the system back tomorrow. I will be sure to have a firewall active, the one you said, and then will proceed from there under your direction. Thanks again, and I will post as soon as I have completed your instructions. I hope it is OK for me to post here on this; if I should be posting somewhere or somehow else, let me know.

I have been studying what runs in my Program Manager and noted over time that there is something called Starwind running that I never actively turned on that I know of. I researched it and it appears to be a data sharing server; should I try to delete this? I need to find out what all the acronyms mean of the programs running in the background, as I don't want lots of things running that are not needed. And I do not understand what SYNCHOST means; there are a whole list of them running in the Program Manager and they get bigger and bigger in terms of usage and I have not known what they do. Just some of the things I have tried to understand. OK, back to the main subject, fixing the comp. I will report when ready.

Edited by CrisGer, 23 April 2007 - 10:15 PM.


#5 Papakid


Posted 24 April 2007 - 01:29 AM

OK, when Marcel is finished, just scan again with HijackThis and post a new log. Don't fix anything that I recommended as it may not be there anymore. Also if your connection is OK now don't worry about using LSPFix or WinsockFix. Just get a firewall installed and let me see where we stand now.

I'm about to fall asleep ATM, so will try to answer your questions and comments later. :thumbsup:



#6 CrisGer


Posted 24 April 2007 - 07:36 AM

OK, will do. Will scan with HijackThis and post the log. Thanks again so very much. He said he was not getting any BSODs and the internet connection was working fine. I am using the firewall you suggested on my older system now, and it works like a charm and is very easy to use. And AVG, which will both go on the newer system immediately when I get it back today. :thumbsup:

#7 CrisGer


Posted 24 April 2007 - 04:27 PM

Compy is back, no blue screens. Marcel scanned it for 4 hours and found a SmithFraud item, but no bugs.

here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 3:19:56 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Registry Repair Wizard Scheduler] "C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (file missing)
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177365219921
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe


I have AVG and Outpost running.
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#8 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:02:40 PM

Posted 24 April 2007 - 07:11 PM

OK, the only weird thing currently: I can get online and use the net fine, but I can't go to my former home page, which was Google. Instead it goes to the Netopia setup page for my router, and I can't change my home page in the Control Panel back to Google, or I can but it has no effect.

hmmm.

Otherwise all is well. I can go to any webpage by typing it in, but I have always used Google as my interface.

I am getting the following speed on my DSL, which looks pretty good, or so says the Netopia setup page. It also says my USB is not connected, in red, but everything is running fine.

Speed: 1792/320 (kbps)
Line Attenuation: 32/31 dB

Edited by CrisGer, 24 April 2007 - 07:13 PM.


#9 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,629 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:40 PM

Posted 24 April 2007 - 08:13 PM

OK, well, first your log looks really good--Marcel did a fine job for you and there may not be much left for me to do. I do see one reg entry that needs to be corrected--nothing serious or that indicates an active infection is still present, just a little housecleaning. We'll run a few more checks to see what else is hanging around.

Also you should know I am on dialup and always have been, so can't be of much help with DSL issues, but you are welcome to post a new topic for help with that on the BC Hardware or XP forums.

Not real sure why you can't change your homepage. I'm assuming you're using Internet Explorer--when you go into Internet Options and change, have you been clicking on OK or just Xing out? Let's try these exact steps and see if it works:

1. Open Internet Explorer and click on the following link: http://www.google.com/
2. Click on the Tools in the toolbar then choose Internet Options.
3. Under the General tab, click on Use Current, then click OK.

Now scan again with HijackThis and put a check by the following entry:

R3 - URLSearchHook: (no name) - <default> - (no file)

Close IE and all other windows--you should only see HijackThis on your Desktop and Taskbar--and then click the "Fix checked" button.

Reboot and see if that has helped.

Then I want you to run another online scanner. You mentioned before that you had uninstalled your antivirus (AV) before running the online scans in the Preparation guide because you thought you weren't supposed to run two AVs at once. What you don't want is more than one AV installed that has resident real-time protection running in the background and monitoring your system. On-demand scanners are OK to have more than one of if you run only one at a time--you won't have any conflicts that way. Online scans aren't installed and monitoring your system, so uninstalling your resident AV is not only unnecessary but very undesirable. It may be a good idea to disable your real-time resident protection while running an online scan if you have problems getting your scan to run, but I haven't had those problems.

Other things you should know are that this particular scan may take quite a while, but it is very thorough. It also does not remove malware; it just detects risks and shows some files on your system that are locked, which usually aren't malicious. I want to see its log for informational purposes.

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX control that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. When the scan is complete, save the results by clicking "Save Report As Text". Give the report a name and save it to your desktop. You may only have the option of saving to HTML; if so, just copy and paste that report.
9. Post the Kaspersky scan results in your next reply.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized)
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

There is a storm coming in so that is all for now.

Edit to include the link to Google.

The thing about people

is they change

when they walk away.--Mipso
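The HijackThis log format that the helpers in this thread read by hand (the R3 entry above, the O4/O9/O23 lines in the posted log) is regular enough to triage mechanically. The Python below is an added example, not part of this thread or of HijackThis itself; its sample log is constructed from lines quoted in the thread, and the two categories it flags (orphaned "(no file)" / "(file missing)" references, and services whose publisher was not identified) are review hints for a helper, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format; the lines mirror entries
# quoted in this thread, and the R3 line is the one flagged for removal.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Return (section, body) pairs; lines that are not entries are skipped."""
    entries = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Flag what a helper would look at first: references whose target no
    longer exists (dead weight that is safe housecleaning), and O23 services
    whose publisher HijackThis could not identify (worth a look, not proof
    of anything bad)."""
    findings = []
    for section, body in parse_entries(log_text):
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "orphaned reference", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with unknown publisher", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}: {f.line}")
```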


#10 CrisGer


Posted 24 April 2007 - 08:29 PM

OK, good, I will run those scans, and post the reports, need to get dinner first, long day at office, but I am happy you think things are progressing. I will also check to see if that fix works to allow me to access Google, thanks for that.

More soon.

#11 CrisGer


Posted 24 April 2007 - 08:33 PM

OK, your first fix worked for changing my home page to Google. Should I still run the specialized HijackThis scan for that problem?

I will proceed to working on the in-depth scans, as I want to do the important things first; the Google anomaly seems fixed.

On to scans.

#12 Papakid


Posted 24 April 2007 - 08:50 PM

Yes, please follow all instructions given. :thumbsup:



#13 CrisGer


Posted 24 April 2007 - 09:10 PM

OK, will do.

#14 CrisGer


Posted 24 April 2007 - 09:13 PM

I started the Kaspersky scan and it is finding some virus and suspicious objects. Will it quarantine them or kill them? I was afraid the viruses would escape if nothing is done right away... or should I just post the log and let you direct me from there?

#15 Papakid


Posted 24 April 2007 - 09:31 PM

Don't worry, no need to panic. As I mentioned earlier, all Kaspersky scanner does is detect what is on your system--no quarantine--viruses don't "escape". All you have to worry about is if they are running, which is what I mean by active. Most of what Kaspersky sees won't be and may not even be bad. I'll know more when I see the logs.
