Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Help please, computer keeps freezing

Post by nige52 » August 18th, 2007, 7:28 am

To sum it up, although I have lots of anti-spyware installed, my computer for no reason freezes. The mouse cursor won't move and I can see the red LED of the hard drive is working overtime. The only way to unlock it is to re-boot, and that doesn't always work first time :cry:
Here is my HijackThis log, many thanks in advance,
Nige

Logfile of HijackThis v1.99.1
Scan saved at 13:24:43, on 18/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/y ... r1_8us.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} - http://updates.lifescapeinc.com/install ... nstall.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://80.32.184.140:5050/activex/AxisCamControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp ... atools.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
nige52
Regular Member
 
Posts: 34
Joined: November 27th, 2006, 6:28 am
Location: Spain

Post by askey127 » August 19th, 2007, 4:16 pm

Hi nige52,
Let's see if we can find out whether malware is causing the problem.
If there is anything you don't understand, or find you cannot do, please ask.
----------------------------------------------------------
Download and Install CCleaner
  • Download CCleaner from here
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish
-----------------------------------------------------------
Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
(Do not use the Issues block to clean anything with this program. It is for experts only and it is risky.)
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck "Only delete files in Windows Temp folders older than 48 hours".
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
-----------------------------------------------------------
Download Blacklight Beta from here:
https://europe.f-secure.com/exclude/blacklight/fsbl.exe
* Download fsbl.exe and save it to C:\
Go to Start, Run, copy in the following text and press Enter:
C:\fsbl.exe /expert
(space between fsbl.exe and /expert)

Accept the agreement, leave [X]scan through Windows Explorer checked.
Click > scan, Then > next
You'll see a list of all items found.
Don't choose Rename if something was found!
There will also be a log in C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Copy and paste the contents of this log into your next reply.
-----------------------------------------------------
Using Internet Explorer, please do an online scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press "Accept" after reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", make sure the database is set to "extended", and check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log to your Desktop as filename KAV.txt

Please post KAV.txt, and the contents of the fsbl Log.
askey127
askey127
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by nige52 » August 20th, 2007, 7:17 am

Thank you, here are the 2 reports;

08/20/07 11:41:06 [Info]: BlackLight Engine 1.0.64 initialized
08/20/07 11:41:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/20/07 11:41:06 [Note]: 7019 4
08/20/07 11:41:06 [Note]: 7005 0
08/20/07 11:41:28 [Note]: 7006 0
08/20/07 11:41:28 [Note]: 7011 1556
08/20/07 11:41:28 [Note]: 7026 0
08/20/07 11:41:28 [Note]: 7026 0
08/20/07 11:41:31 [Note]: FSRAW library version 1.7.1022
08/20/07 11:52:36 [Note]: 2000 1012
08/20/07 12:03:05 [Note]: 7007 0

Nothing was found here in the rootkit scan.

Here is the Kaspersky scan;

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 20, 2007 1:15:52 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 20/08/2007
Kaspersky Anti-Virus database records: 385377
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 74972
Number of viruses found: 4
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 00:51:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12182006-101936.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nigel\Application Data\Thunderbird\Profiles\pwkbcg8e.default\Mail\Local Folders\Inbox/[From "eBay Inc." <account@ebay.com>][Date Sat, 21 Oct 2006 02:28:50 +0500]/html Infected: Trojan-Spy.HTML.Bayfraud.ln skipped
C:\Documents and Settings\Nigel\Application Data\Thunderbird\Profiles\pwkbcg8e.default\Mail\Local Folders\Inbox/[From "PayPal" <service@intl.paypal.com>][Date Sun, 29 Oct 2006 07:47:59 +0500]/html Infected: Trojan-Spy.HTML.Paylap.cb skipped
C:\Documents and Settings\Nigel\Application Data\Thunderbird\Profiles\pwkbcg8e.default\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 2 skipped
C:\Documents and Settings\Nigel\Application Data\Thunderbird\Profiles\pwkbcg8e.default\Mail\Local Folders\Junk/[From "eBay Inc." <account@ebay.com>][Date Sat, 21 Oct 2006 02:28:50 +0500]/html Infected: Trojan-Spy.HTML.Bayfraud.ln skipped
C:\Documents and Settings\Nigel\Application Data\Thunderbird\Profiles\pwkbcg8e.default\Mail\Local Folders\Junk/[From "PayPal" <service@intl.paypal.com>][Date Sun, 29 Oct 2006 07:47:59 +0500]/html Infected: Trojan-Spy.HTML.Paylap.cb skipped
C:\Documents and Settings\Nigel\Application Data\Thunderbird\Profiles\pwkbcg8e.default\Mail\Local Folders\Junk Mail Berkeley mbox: infected - 2 skipped
C:\Documents and Settings\Nigel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Identities\{89C3001D-ED71-4AD3-9424-4FB3366A3BA4}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Identities\{89C3001D-ED71-4AD3-9424-4FB3366A3BA4}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Identities\{89C3001D-ED71-4AD3-9424-4FB3366A3BA4}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Identities\{89C3001D-ED71-4AD3-9424-4FB3366A3BA4}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Messenger\ncaddick@easy.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Messenger\ncaddick@easy.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Messenger\ncaddick@easy.com\SharingMetadata\Working\database_9C70_CE65_70CE_462C\dfsr.db Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Messenger\ncaddick@easy.com\SharingMetadata\Working\database_9C70_CE65_70CE_462C\fsr.log Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Messenger\ncaddick@easy.com\SharingMetadata\Working\database_9C70_CE65_70CE_462C\tmp.edb Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{48D6059A-90CC-47C5-A57A-91B417C6174A} Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Windows Live Contacts\ncaddick@easy.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Windows Live Contacts\ncaddick@easy.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\History\History.IE5\MSHist012007082020070821\index.dat Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Temp\~DF57F8.tmp Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Temp\~DF5820.tmp Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Temp\~DF69F6.tmp Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Temp\~DF6A2A.tmp Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Temporary Internet Files\Content.IE5\MQLZ0M24\mando[1].htm Object is locked skipped
C:\Documents and Settings\Nigel\ntuser.dat Object is locked skipped
C:\Documents and Settings\Nigel\ntuser.dat.LOG Object is locked skipped
C:\Program Files\a-squared Free\Quarantine\4ec44f5b7dce2d84fb777afa6a3350be.a2q/WINDOWS/system32/justfreegames_WinAdCtlInstPack.exe Infected: not-a-virus:AdWare.Win32.WinAD.b skipped
C:\Program Files\a-squared Free\Quarantine\4ec44f5b7dce2d84fb777afa6a3350be.a2q ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{671B24F5-3BBA-4084-90FA-041A7FCB0D59}\RP329\A0109746.exe Infected: IM-Worm.Win32.Sohanad.t skipped
C:\System Volume Information\_restore{671B24F5-3BBA-4084-90FA-041A7FCB0D59}\RP329\A0109873.exe Infected: IM-Worm.Win32.Sohanad.t skipped
C:\System Volume Information\_restore{671B24F5-3BBA-4084-90FA-041A7FCB0D59}\RP329\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\53CE4D7FF9544CA.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT037a6.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT037a9.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{671B24F5-3BBA-4084-90FA-041A7FCB0D59}\RP329\change.log Object is locked skipped

Scan process completed.

Post by askey127 » August 20th, 2007, 9:26 am

nige52,
You evidently have two fraudulent e-mails in your Inbox. Both look to be phishing scams:

C:\Documents and Settings\Nigel\Application Data\Thunderbird\Profiles\pwkbcg8e.default\Mail\Local Folders\Inbox/[From "eBay Inc." <account@ebay.com>][Date Sat, 21 Oct 2006 02:28:50 +0500]/html Infected: Trojan-Spy.HTML.Bayfraud.ln skipped

C:\Documents and Settings\Nigel\Application Data\Thunderbird\Profiles\pwkbcg8e.default\Mail\Local Folders\Inbox/[From "PayPal" <service@intl.paypal.com>][Date Sun, 29 Oct 2006 07:47:59 +0500]/html Infected: Trojan-Spy.HTML.Paylap.cb skipped


You also have some infected entries in your Junk folder. I would delete them all. If you set Thunderbird for text only instead of HTML, you will be protected against hidden HTML infections.

I don't see anything in your logs that would suggest malware as the reason for your boot problems, however.

As a start to troubleshooting, let's do a couple more things:
----------------------------------------------------------------------
Go to Start, Run and type cmd and hit <Enter>
When the command window comes up, type:
chkdsk c: and hit <Enter> again.
Maximize the command window, and wait for the scan to finish.
Read the results to see if it says that it found problems with your file system. Tell me what it found in your next post.
------------------------------------------------------------------------
IF it has found problems with your file system, type this into the command window at the prompt:
chkdsk c: /F
You will get a message that the volume is locked, and a request to do the repair on Reboot.
Hit Ctrl-Alt-Del and reboot the machine.
It will scan again and make the repairs as the first part of the boot process.
------------------------------------------------------------------------
After it boots up, Go to My Computer, right click the C: drive and choose properties.
Please record what it reports for Used space and free space on the drive and report that back in your next post, along with your notes from the chkdsk scan.
askey127
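
Added example (not part of askey127's post or of any tool used in this thread): a Python triage of scanner report rows in the format posted above, separating "Object is locked" noise from detections and grouping the detections by where they sit (mail store, quarantine folder, System Restore). The sample rows are constructed with shortened placeholder paths, and counting container rows toward "infected objects" is an assumption inferred from the report's own totals (4 viruses, 10 infected objects).

```python
import re
from collections import Counter

# Constructed sample rows: same row shapes and verdict names as the report in
# this thread, with shortened placeholder paths.
SAMPLE_REPORT = r"""
C:\Profile\Cookies\index.dat Object is locked skipped
C:\Profile\Mail\Local Folders\Inbox/[From "eBay Inc." <account@ebay.com>]/html Infected: Trojan-Spy.HTML.Bayfraud.ln skipped
C:\Profile\Mail\Local Folders\Inbox/[From "PayPal" <service@intl.paypal.com>]/html Infected: Trojan-Spy.HTML.Paylap.cb skipped
C:\Profile\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 2 skipped
C:\Profile\Mail\Local Folders\Junk/[From "eBay Inc." <account@ebay.com>]/html Infected: Trojan-Spy.HTML.Bayfraud.ln skipped
C:\Profile\Mail\Local Folders\Junk/[From "PayPal" <service@intl.paypal.com>]/html Infected: Trojan-Spy.HTML.Paylap.cb skipped
C:\Profile\Mail\Local Folders\Junk Mail Berkeley mbox: infected - 2 skipped
C:\Program Files\a-squared Free\Quarantine\sample.a2q/WINDOWS/system32/justfreegames_WinAdCtlInstPack.exe Infected: not-a-virus:AdWare.Win32.WinAD.b skipped
C:\Program Files\a-squared Free\Quarantine\sample.a2q ZIP: infected - 1 skipped
C:\System Volume Information\_restore{PLACEHOLDER}\RP1\A0000001.exe Infected: IM-Worm.Win32.Sohanad.t skipped
C:\System Volume Information\_restore{PLACEHOLDER}\RP1\A0000002.exe Infected: IM-Worm.Win32.Sohanad.t skipped
C:\System Volume Information\_restore{PLACEHOLDER}\RP1\change.log Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Row shapes seen in the posted report:
#   <object> Infected: <verdict> <action>
#   <object> <container kind>: infected - <n> <action>
#   <object> Object is locked <action>
INFECTED = re.compile(r"^(?P<obj>.+?)\s+Infected:\s+(?P<verdict>\S+)\s+(?P<action>\w+)$")
CONTAINER = re.compile(
    r"^(?P<obj>.+?)\s+(?P<kind>Mail Berkeley mbox|ZIP):\s+infected - (?P<n>\d+)\s+(?P<action>\w+)$"
)
LOCKED = re.compile(r"^(?P<obj>.+?)\s+Object is locked\s+(?P<action>\w+)$")


def classify_location(obj):
    """Group a detection by where the object lives on disk."""
    p = obj.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"   # copy kept inside a restore point
    if "\\quarantine\\" in p:
        return "quarantine"       # already isolated by another scanner
    if "\\mail\\" in p:
        return "mail-store"       # message stored inside a mailbox file
    return "other"                # anything else deserves a closer look


def parse_report(text):
    """Split report rows into detections, container summaries and locked files."""
    rows = {"infected": [], "containers": [], "locked": [], "unparsed": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INFECTED.match(line)
        if m:
            rows["infected"].append({
                "object": m["obj"],
                "verdict": m["verdict"],
                "action": m["action"],
                "where": classify_location(m["obj"]),
            })
            continue
        m = CONTAINER.match(line)
        if m:
            rows["containers"].append(
                {"object": m["obj"], "kind": m["kind"], "count": int(m["n"])}
            )
            continue
        m = LOCKED.match(line)
        if m:
            rows["locked"].append(m["obj"])
            continue
        rows["unparsed"].append(line)
    return rows


def summarize(rows):
    """Reduce parsed rows to the numbers a helper reads first."""
    return {
        "unique_verdicts": len({r["verdict"] for r in rows["infected"]}),
        # Assumption: container rows count as infected objects too, which is
        # what makes the totals in the posted report add up.
        "infected_objects": len(rows["infected"]) + len(rows["containers"]),
        "locked": len(rows["locked"]),
        "by_location": dict(Counter(r["where"] for r in rows["infected"])),
        "needs_review": [r for r in rows["infected"] if r["where"] == "other"],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

An empty `needs_review` list means every detection sits in a mailbox file, a quarantine folder or a restore point rather than elsewhere on the disk.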

Post by nige52 » August 20th, 2007, 10:50 am

OK, I've done as you said and here are the results. I was a bit concerned about the Thunderbird issues as I un-installed Thunderbird quite a while ago, but following the path, I found the file in application data and binned it.
Free space is 114 GB
Used space is 34.1 GB

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Nigel>chkdsk c:
The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
Deleting corrupt attribute record (128, "")
from file record segment 73089.
File verification completed.

Errors found. CHKDSK cannot continue in read-only mode.

C:\Documents and Settings\Nigel>


Thanks
Nige

Post by askey127 » August 20th, 2007, 1:45 pm

Were you able to run chkdsk c: in the mode with the /F parameter, and then reboot?

Post by nige52 » August 20th, 2007, 1:58 pm

Er...I think so :lol:
I'll do it again to make sure

Post by nige52 » August 20th, 2007, 2:00 pm

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Nigel>chkdsk c:
The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
Deleting corrupt attribute record (128, "")
from file record segment 73089.
File verification completed.

Errors found. CHKDSK cannot continue in read-only mode.

C:\Documents and Settings\Nigel>

Post by askey127 » August 20th, 2007, 5:32 pm

I don't think you did it, or it didn't work. Not sure which.
-----------------------------------------------------
IF it has found problems with your file system,
Go To Start, Run and type cmd
hit <Enter>
Type this into the command window at the prompt:
chkdsk c: /F <==notice the /F, one space between c: and /F
hit <Enter>
You will get a message that the volume is locked, and a request to do the repair on Reboot. Answer Y
Then type exit to close the Command window.
Go to Start, Turn Off Computer and choose Reboot
It will scan again and make the repairs as the first part of the reboot process.

After it reboots, run it again without the /F parameter, and see if it still has an error.

Post by nige52 » August 21st, 2007, 2:02 pm

Here is the scan result, thanks:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Nigel>chkdsk c:
The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
0 percent completed.

Post by nige52 » August 21st, 2007, 2:05 pm

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Nigel>chkdsk c:
The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Deleting index entry CA8TY9FK.gif in index $I30 of file 34529.
Deleting index entry uk.yahoo[1] in index $I30 of file 34529.
Deleting index entry uk.yahoo[2].htm in index $I30 of file 34529.
Deleting index entry UK431A~1.YAH in index $I30 of file 34529.
Deleting index entry UKYAHO~2.HTM in index $I30 of file 34529.
Deleting index entry CASDIZK5.HTM in index $I30 of file 34562.
Deleting index entry mobil14[1].jpg in index $I30 of file 34562.
Deleting index entry MOBIL1~1.JPG in index $I30 of file 34562.
Index verification completed.

Errors found. CHKDSK cannot continue in read-only mode.

C:\Documents and Settings\Nigel>^V

Post by askey127 » August 21st, 2007, 3:25 pm

nige52,
My judgment is that you are in the process of losing your hard drive. I believe that is the reason for the behavior you are seeing.

I would copy any vital data files off it as soon as possible and figure it will have to be replaced, the sooner the better.
Soon it may fail to boot at all.

All that disk activity is likely the drive trying (and retrying) to read and write files without incurring errors.
Good luck with it.

If you need hardware help with your PC, there are some good sites:
Good Hardware Help Forums
Computer Trouble here:
http://forum.computertrouble.co.uk/index.php
or
TechSupportGuy here : http://forums.techguy.org/21-windows-nt-2000-xp/
or
VirtualDr here: http://discussions.virtualdr.com/forumdisplay.php?f=48
or
PCPitStop here : http://forums.pcpitstop.com/index.php?showforum=3

All may require you to register free before posting for help.

askey127

Post by nige52 » August 22nd, 2007, 3:25 am

Thank you for all your help,
Although the freezing hasn't happened for 2 days now, I suspected that if it wasn't malware, it could be a drive problem.
I'll do as you recommend before it's too late,
Thanks again
Nige

Post by NonSuch » August 26th, 2007, 12:51 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 27229
Joined: February 23rd, 2005, 7:08 am
Location: California