Windows Vista Machine - Suddenly Disabled

Post by tommy1974 » July 20th, 2008, 1:56 am

Hello, something suddenly happened with my Windows Vista machine today - it has become very slow and unable to run many programs. I can't print, run MS Word or Adobe Acrobat, or much else. Sometimes whatever this is will kill an application as I'm starting it. It disrupts the functionality of IE 7 so I am not able to use it (I am posting this from my Apple laptop). IE7 just tells me that it's not connected to the internet, which I know not to be true. It disables the Windows Aero feature and forces me to Windows Basic. (The aero feature and IE 7 will come back temporarily if I restart but then are easily disabled again.) I frequently get the following warning "Close programs to prevent information loss: Your computer is low on memory. Save your files and close these programs: Windows Sidebar, Windows Explorer (Desktop, Folders), System Settings Protector." Another warning: "Your computer is low on memory. To restore enough memory for your computer to work correctly, save your files and then close or restart all open programs." This will happen even if I don't start any applications. So, something is hogging up a lot of memory but there's nothing obvious in the Task Manager.

I downloaded Spybot S&D and it found and fixed a changed registry entry and some cookies, but that didn't fix the overall problem. I can send you a log or something from that if you wish. I tried to check it out with Ad-Aware but the malware won't let it run. I have a HijackThis log, and here it is. Any help you can give will be very much appreciated. I must confess, by the way, that I did press the Analyze This button in HijackThis, but I didn't do anything except look at the web page that came up (sometimes it works) and the statistics about the stuff on my computer. I didn't try to delete anything, or kill any processes, or any of that. I hope I didn't mess things up for you.

-------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:04 AM, on 7/20/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\TamirRekha\Desktop\HijackThis.exe
C:\hp\kbd\kbd.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: cleanup.bat
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6955 bytes
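The HijackThis log above is read by eye in this thread, but the first-pass checks a helper makes are mechanical enough to script. The Python below is an added example, not part of the original thread and not HijackThis's own code: it parses the log format into the running-process list and the section-tagged entries (R0/R1, O1, O2, O4, O23 and so on) and flags the entry types that get a second look, namely BHOs whose DLL is gone, services whose binary is missing or whose owner is unknown, bare script files in a startup location, hosts entries other than the localhost default, and processes running from outside the usual program directories. The sample log is a constructed subset of the log in the post; the trusted-directory list and the flag rules are assumptions, and a hit means "inspect this", not "this is malware".

```python
"""Triage helper for HijackThis 2.x logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

# One HJT entry per line: a section tag (R0-R3, F0-F3, O1-O24), " - ", then the body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

# Directories a Vista-era consumer box normally runs code from (assumption;
# widen it for machines with software installed elsewhere).
TRUSTED_PROCESS_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\hp\\")

# Startup entries that are bare scripts rather than .exe/.lnk are worth a look.
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|vbe|js|jse|wsf|wsh)$")

# Constructed subset of the HJT log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1 (WinNT 6.00.1905)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\TamirRekha\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - Global Startup: cleanup.bat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""


@dataclass
class Finding:
    section: str   # "process" or the HJT section tag
    reason: str
    line: str


@dataclass
class HjtReport:
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)    # (section, body) pairs
    findings: list = field(default_factory=list)


def parse_hjt(text: str) -> HjtReport:
    """Split an HJT log into the process list and tagged entries, then triage it."""
    report = HjtReport()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # the process block ends at the first blank line
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            report.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            report.entries.append((m.group(1), m.group(2)))
    report.findings = triage(report)
    return report


def triage(report: HjtReport) -> list:
    """Apply the first-pass rules a helper uses; a hit means 'inspect', not 'malicious'."""
    findings = []
    for proc in report.processes:
        if not proc.lower().startswith(TRUSTED_PROCESS_DIRS):
            findings.append(Finding("process", "runs from outside the usual program directories", proc))
    for section, body in report.entries:
        low = body.lower()
        if section == "O1":
            # Vista's default hosts file carries only "::1 localhost" / "127.0.0.1 localhost".
            if not re.fullmatch(r"hosts:\s+(127\.0\.0\.1|::1)\s+localhost", low):
                findings.append(Finding(section, "hosts file maps a name somewhere else", body))
        elif section == "O2" and "(no file)" in low:
            findings.append(Finding(section, "BHO registered but its DLL is gone", body))
        elif section == "O4" and SCRIPT_EXT_RE.search(low):
            findings.append(Finding(section, "script file in a startup location", body))
        elif section == "O23" and ("(file missing)" in low or "unknown owner" in low):
            findings.append(Finding(section, "service binary missing or owner unknown", body))
    return findings


def triage_sample() -> list:
    """Run the rules over the constructed sample; returns the Finding list."""
    return parse_hjt(SAMPLE_LOG).findings


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Feed a full log's text to parse_hjt to run it on a real case. On the sample it flags HijackThis itself running from the Desktop (expected, since that is where the user put it), the nameless BHO with no file, cleanup.bat in the all-users Startup folder, and the Symantec licensing service whose binary is missing; the log alone does not say whether any of these is harmful, which is exactly why the helper in the thread asks for more data before acting.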

Re: Windows Vista Machine - Suddenly Disabled

Post by Katana » July 22nd, 2008, 6:55 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------

There is nothing obvious showing in your log, let's have a closer look


Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Deckard's System Scanner (DSS)

Please download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

Re: Windows Vista Machine - Suddenly Disabled

Post by tommy1974 » July 22nd, 2008, 10:44 am

Hello Katana, thanks for your help. FYI, when I started the DSS, I did right-click and "Run as Administrator". Here are the results.

main.txt:

Deckard's System Scanner v20071014.68
Run by TamirRekha on 2008-07-22 08:35:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 1 Restore Point(s) --
1: 2008-07-19 23:56:42 UTC - RP541 - Installed Ad-Aware


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis (run as TamirRekha.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:45 AM, on 7/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\hp\kbd\kbd.exe
C:\Users\TamirRekha\Desktop\dss.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\Users\TAMIRR~1\Desktop\TamirRekha.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: cleanup.bat
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6916 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C6100 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C6100 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-07-22 08:30:25 428 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{C91A450F-C791-43D6-9318-51943F47996C}.job
2008-07-20 11:24:00 256 --a------ C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-19 18:57:25 0 d-------- C:\Program Files\Lavasoft
2008-07-19 18:57:24 0 d-------- C:\Users\All Users\Lavasoft
2008-07-19 18:55:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-19 18:05:06 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-19 17:56:43 0 d-------- C:\_DON MUTHUSWAMI Movie
2008-07-19 11:00:39 0 d-------- C:\Users\All Users\NOS
2008-07-19 11:00:38 0 d-------- C:\Program Files\NOS
2008-06-26 21:07:39 0 d-------- C:\Users\All Users\WLInstaller


-- Find3M Report ---------------------------------------------------------------

2008-07-19 18:55:47 0 d-------- C:\Program Files\Common Files
2008-07-19 10:30:03 0 d-------- C:\Users\TamirRekha\AppData\Roaming\TrueCrypt
2008-07-09 03:09:15 0 d-------- C:\Program Files\Windows Mail
2008-05-27 15:34:57 0 d-------- C:\Program Files\Picasa2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 02:38 AM]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [09/28/2006 08:42 AM]
"KBD"="C:\HP\KBD\KbdStub.EXE" [12/08/2006 10:16 AM]
"RtHDVCpl"="RtHDVCpl.exe" [01/15/2008 11:26 AM C:\Windows\RtHDVCpl.exe]
"@"="" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 09:52 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [07/06/2007 09:15 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [07/06/2007 09:15 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [07/06/2007 09:15 PM]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/26/2008 02:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 02:33 AM]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/19/2008 02:33 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 02:33 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [02/25/2008 08:23 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

C:\Users\TamirRekha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [5/11/2007 2:25:36 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
cleanup.bat [7/12/2006 9:57:44 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [1/2/2007 9:40:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
HPService HPSLPSVC
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8556b7b5-eb13-11db-89cd-001a9251a2f1}]
AutoRun\command- K:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1F92EBFD-3382-4747-BF58-B6B1BB2B996C}]
"C:\Program Files\UninstallScripts\IPSec 06_01.054\Install.wsf" //job:ActiveSetup

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-22 08:40:51 ------------

And here is extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
Percentage of Memory in Use: 88%
Physical Memory (total/avail): 893.82 MiB / 106.58 MiB
Pagefile Memory (total/avail): 854.42 MiB / 38.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1890.47 MiB

C: is Fixed (NTFS) - 226.62 GiB total, 150.52 GiB free.
D: is Fixed (NTFS) - 6.26 GiB total, 0.88 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Fixed (NTFS) - 37.21 GiB total, 16.56 GiB free.
K: is Removable (FAT)

\\.\PHYSICALDRIVE0 - ST325082 0AS SCSI Disk Device - 232.88 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 226.62 GiB - C:
\PARTITION1 - Installable File System - 6.26 GiB - D:

\\.\PHYSICALDRIVE6 - USB Flash Memory USB Device - 1898.31 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 1905.99 MiB - K:

\\.\PHYSICALDRIVE2 - Generic- Compact Flash USB Device

\\.\PHYSICALDRIVE5 - Generic- MS/MS-Pro USB Device

\\.\PHYSICALDRIVE4 - Generic- SD/MMC USB Device

\\.\PHYSICALDRIVE3 - Generic- SM/xD-Picture USB Device

\\.\PHYSICALDRIVE1 - HTS54804 0M9AT00 USB Device - 37.26 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 37.21 GiB - J:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Trend Micro AntiVirus v16.10.1079 ()
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: Trend Micro AntiVirus - Spyware Protection v15.10.2002 (Trend Micro, Inc.) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\TamirRekha\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TAMIRREKHA-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\TamirRekha
LOCALAPPDATA=C:\Users\TamirRekha\AppData\Local
LOGONSERVER=\\TAMIRREKHA-PC
NUMBER_OF_PROCESSORS=2
OnlineServices=Online Services
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\hp\bin\Python;c:\Program Files\Common Files\Roxio Shared\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND=Pavilion
PLATFORM=HPD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4b02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
RoxioCentral=c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\TAMIRR~1\AppData\Local\Temp
TMP=C:\Users\TAMIRR~1\AppData\Local\Temp
USERDOMAIN=TamirRekha-PC
USERNAME=TamirRekha
USERPROFILE=C:\Users\TamirRekha
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

TamirRekha


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type18875 / Success
Event Submitted/Written: 07/22/2008 08:31:48 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type18873 / Success
Event Submitted/Written: 07/22/2008 08:31:47 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type18870 / Success
Event Submitted/Written: 07/22/2008 08:31:44 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type18845 / Success
Event Submitted/Written: 07/22/2008 08:25:21 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type18844 / Success
Event Submitted/Written: 07/22/2008 08:25:20 AM
Event ID/Source: 5615 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type595175 / Error
Event Submitted/Written: 07/22/2008 08:32:07 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Parallel port driver%%1058

Event Record #/Type595131 / Error
Event Submitted/Written: 07/22/2008 08:31:46 AM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos

Event Record #/Type595119 / Warning
Event Submitted/Written: 07/22/2008 08:30:41 AM
Event ID/Source: 4001 / Microsoft-Windows-WLAN-AutoConfig
Event Description:


Event Record #/Type595112 / Warning
Event Submitted/Written: 07/22/2008 08:29:21 AM
Event ID/Source: 16 / Microsoft-Windows-WindowsUpdateClient
Event Description:


Event Record #/Type595049 / Error
Event Submitted/Written: 07/22/2008 08:25:24 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Parallel port driver%%1058



-- End of Deckard's System Scanner: finished at 2008-07-22 08:40:51 ------------
tommy1974
Active Member
Posts: 6
Joined: July 20th, 2008, 1:28 am

Re: Windows Vista Machine - Suddenly Disabled

Post by Katana » July 22nd, 2008, 11:14 am

There is still nothing out of the ordinary showing, please do the following



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper




Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary and let the database download.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list of the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Windows Vista Machine - Suddenly Disabled

Post by tommy1974 » July 22nd, 2008, 9:01 pm

Hello Katana, thanks again for your response. I'm afraid my attempt to follow your instructions did not go as smoothly as I hoped, and I only have 75% of the information you were looking for, if that. I hope that doesn’t mess you up too much. With regard to the Combo Fix, my antivirus software (Trend Micro) stepped in three times to try to block whatever was going on. The first time it gave me a choice whether to allow or prevent, and I selected "Allow." The next two times, it just blocked something and didn't give me a choice. I'm sorry I didn't catch the specific programs that it blocked. Also, in the middle of the Combo Fix run, I got the following message from Windows: "NirCmd has stopped working: A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." But I did manage to get a log, and it is posted below, along with a new HijackThis log.

With regard to the Kaspersky Online Scanner, I had to install the prerequisite Java software, and once I did that, I could not do the scan with either IE or Firefox. With either one, something kept killing either the browser itself or Java so that the browser would be removed. I don’t know if Windows is killing it because it’s low on memory, or whatever malware/virus in this computer is directly killing it. Sometimes, the browsers would not start at all and give me some kind of warning. On one of my tries, the Kaspersky scan got up to about 60% of the database, and then it was suddenly killed. So, sorry I could not get the results of that scan for you. I will keep trying as much as I get a chance.

Here is what I do have, below:

ComboFix log:

ComboFix 08-07-21.2 - TamirRekha 2008-07-22 17:07:18.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.104 [GMT -5:00]
Running from: C:\Users\TamirRekha\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-22 08:34 . 2008-07-22 08:34 <DIR> d-------- C:\Deckard
2008-07-19 18:57 . 2008-07-19 19:12 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-07-19 18:57 . 2008-07-19 19:12 <DIR> d-------- C:\ProgramData\Lavasoft
2008-07-19 18:57 . 2008-07-19 18:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-19 18:55 . 2008-07-19 18:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-19 18:05 . 2008-07-19 18:58 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-19 18:05 . 2008-07-19 18:58 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-07-19 18:05 . 2008-07-19 18:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-19 17:56 . 2008-07-19 17:58 <DIR> d-------- C:\_DON MUTHUSWAMI Movie
2008-07-19 11:00 . 2008-07-19 15:33 <DIR> d-------- C:\Users\All Users\NOS
2008-07-19 11:00 . 2008-07-19 15:33 <DIR> d-------- C:\ProgramData\NOS
2008-07-19 11:00 . 2008-07-19 15:33 <DIR> d-------- C:\Program Files\NOS
2008-07-16 08:58 . 2008-06-25 20:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-16 08:58 . 2008-06-25 20:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-16 08:58 . 2008-06-25 22:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-08 15:43 . 2008-04-26 03:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-07-08 15:43 . 2008-04-26 03:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-07-08 15:43 . 2008-04-26 03:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-07-08 15:43 . 2008-04-11 22:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
2008-07-08 15:43 . 2008-05-09 22:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
2008-07-08 15:43 . 2008-04-04 20:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
2008-07-08 15:43 . 2008-04-04 22:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
2008-07-08 15:42 . 2008-05-08 16:59 430,080 --a------ C:\Windows\System32\vbscript.dll
2008-07-08 15:42 . 2008-05-08 16:59 180,224 --a------ C:\Windows\System32\scrobj.dll
2008-07-08 15:42 . 2008-05-08 16:59 172,032 --a------ C:\Windows\System32\scrrun.dll
2008-07-08 15:42 . 2008-05-08 16:59 155,648 --a------ C:\Windows\System32\wscript.exe
2008-07-08 15:42 . 2008-05-08 16:58 135,168 --a------ C:\Windows\System32\wshom.ocx
2008-07-08 15:42 . 2008-05-08 16:58 135,168 --a------ C:\Windows\System32\cscript.exe
2008-07-08 15:42 . 2008-05-08 16:59 90,112 --a------ C:\Windows\System32\wshext.dll
2008-06-26 21:07 . 2008-06-26 21:07 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-06-26 21:07 . 2008-06-26 21:07 <DIR> d-------- C:\ProgramData\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 22:56 --------- d-----w C:\ProgramData\DVD Shrink
2008-07-19 15:30 --------- d-----w C:\Users\TamirRekha\AppData\Roaming\TrueCrypt
2008-07-19 15:26 235,840 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-07-09 08:09 --------- d-----w C:\Program Files\Windows Mail
2008-05-27 20:34 --------- d-----w C:\Program Files\Picasa2
2008-05-16 16:58 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-04-29 10:49 237,568 ----a-w C:\Windows\System32\UCI32M29.dll
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-04-23 04:42 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:42 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-03-19 02:49 174 --sha-w C:\Program Files\desktop.ini
2007-04-15 05:41 173,795 ----a-w C:\Users\Public\WUSB54GC_v3[1].0.1.0.exe
2007-04-15 04:34 0 ----a-w C:\Users\TamirRekha\AppData\Roaming\wklnhst.dat
2007-04-15 05:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-04-15 05:16 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-04-15 05:16 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 02:33 125952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 02:33 202240]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 20:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 08:42 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 10:16 65536]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 21:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 21:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 21:15 81920]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 11:26 4874240 C:\Windows\RtHDVCpl.exe]

C:\Users\TamirRekha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-05-11 14:25:36 155648]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
cleanup.bat [2006-07-12 09:57:44 221]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-641255278-2233017734-2161527173-1000]
"EnableNotificationsRef"=dword:00000007

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6D5865B9-33B6-4392-8817-ACC5BD6EC61E}"= C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{82931695-04F3-4695-86E8-6C7F7012C7F9}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{920F0572-488C-4D72-95DB-5F3866E14789}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{CE2215A8-A65E-4108-8784-2B251D44DA56}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18D0B124-71DB-4D54-91A6-C4E05A86100F}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{00FC659F-B5C2-4B81-B9C3-6245D2CA3A92}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8AFC4557-40ED-4F8E-B60A-AF053FE61B95}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{50E2FA48-FD25-4719-86B7-9AA942AC7738}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{291A8B86-5D5E-4D9A-AAC0-2A8A7CF9480D}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{77880DCB-82D7-4D46-B465-F065BD9DDD07}"= Disabled:UDP:C:\Users\TamirRekha\AppData\Local\Temp\7zSF0E2.tmp\setup\HPZnui01.exe:hpznui01.exe
"{381E2563-48DF-400B-83A1-33C371509049}"= Disabled:TCP:C:\Users\TamirRekha\AppData\Local\Temp\7zSF0E2.tmp\setup\HPZnui01.exe:hpznui01.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8556b7b5-eb13-11db-89cd-001a9251a2f1}]
\shell\AutoRun\command - K:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1F92EBFD-3382-4747-BF58-B6B1BB2B996C}]
"C:\Program Files\UninstallScripts\IPSec 06_01.054\Install.wsf" //job:ActiveSetup
.

Contents of the 'Scheduled Tasks' folder
"2008-07-20 16:24:00 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-22 13:30:25 C:\Windows\Tasks\User_Feed_Synchronization-{C91A450F-C791-43D6-9318-51943F47996C}.job"
- C:\Windows\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-HPAdvisor - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Trend Micro AntiVirus 2007 - C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 17:14:03
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-22 17:21:19
ComboFix-quarantined-files.txt 2008-07-22 22:21:03

Pre-Run: 161,247,879,168 bytes free
Post-Run: 160,749,912,064 bytes free

154 --- E O F --- 2008-07-16 14:09:27



New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:32 PM, on 7/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\KbdStub.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\TamirRekha\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: cleanup.bat
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6199 bytes


HiJackThis Uninstall List:

32 Bit HP CIO Components Installer
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
DivX
Enhanced Multimedia Keyboard Solution
Hardware Diagnostic Tools
HijackThis 2.0.2
HP Customer Feedback
HP Customer Participation Program 8.0
HP Easy Setup - Core
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Photosmart Essential
HP Photosmart.All-In-One Driver Software 8.0 .A
HP Picasso Media Center Add-In
HP Solution Center 8.0
HP Update
HPSSupply
Korean Fonts Support For Adobe Reader 8
Microsoft Office Converter Pack
Microsoft Office Professional Edition 2003
Microsoft Organization Chart 2.0
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (2.0.0.15)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
muvee autoProducer 5.0
My HP Games
NVIDIA Drivers
Picasa 2
Python 2.4.3
Realtek High Definition Audio Driver
Rhapsody Player Engine
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Soft Data Fax Modem with SmartCP
Sony Picture Utility
Spybot - Search & Destroy
Trend Micro AntiVirus
Trend Micro AntiVirus
TrueCrypt
VideoLAN VLC media player 0.8.6a
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
tommy1974
Active Member
Posts: 6
Joined: July 20th, 2008, 1:28 am

Re: Windows Vista Machine - Suddenly Disabled

Post by Katana » July 23rd, 2008, 5:30 am

The instructions at Bleeping Computer specifically ask you to disable ALL your security programs prior to running ComboFix.
For the Kaspersky scan, did you start IE with Administrator rights ?

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning, put a check next to the following lines IF still present
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site: ActiveScan
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
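The two lines Katana singles out above are both dangling registrations: a BHO CLSID whose DLL is gone and a service whose binary is gone. That is what makes them safe to fix in HijackThis whether or not malware is involved. The script below is an added example written for this thread; it is not HijackThis code and does not come from any post here. It reads a HijackThis 2.x log (the kind Katana asked for earlier) and applies that reasoning automatically: O2 BHOs reporting `(no file)`, O23 services reporting `(file missing)`, services with no publisher information, and O4 Run entries that launch a bare filename or anything under a Temp directory. The sample log is assembled from lines quoted earlier in this thread; the `kind` labels, the regexes and the `SAFE_TO_FIX` set are my own.

```python
"""Triage a HijackThis 2.x log the way a helper reads it by eye.

Added example for this thread (not HijackThis code, not from any post):
flags registrations that point at nothing, plus a few entries worth a
second look, then lists the lines safe to tick under "Fix checked".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines quoted from the HijackThis log posted in the thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - Global Startup: cleanup.bat
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>.*?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)

# Kinds a helper ticks in "Fix checked" without further questions (my label set).
SAFE_TO_FIX = {"orphan-bho", "missing-service-binary"}


@dataclass
class Finding:
    kind: str
    line: str
    reason: str


def launched_file(cmd: str) -> str:
    """Return the file a Run command actually starts (rundll32 -> its DLL)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.find('"', 1)]
    tokens = cmd.split()
    if not tokens:
        return ""
    target = tokens[0]
    if target.lower() == "rundll32.exe" and len(tokens) > 1:
        target = tokens[1].split(",")[0]
    return target


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O2_RE.match(line)):
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("orphan-bho", line,
                    "CLSID still registered but the DLL is gone; IE loads nothing"))
            elif m["name"].strip().lower() == "(no name)":
                findings.append(Finding("unnamed-bho", line,
                    "BHO has no name string; confirm what the DLL is before keeping it"))
        elif (m := O23_RE.match(line)):
            if m["path"].rstrip().endswith("(file missing)"):
                findings.append(Finding("missing-service-binary", line,
                    "service entry points at a binary that no longer exists"))
            elif m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("unknown-owner-service", line,
                    "binary carries no company/version info; check its Authenticode signature"))
        elif (m := O4_RE.match(line)):
            if m["name"] is None:  # Startup-folder items run from where they sit
                continue
            target = launched_file(m["cmd"])
            if "\\temp\\" in target.lower():
                findings.append(Finding("temp-path-run", line,
                    "persists from a Temp directory; legitimate installers do not do that"))
            elif "\\" not in target and "%" not in target:
                findings.append(Finding("bare-name-run", line,
                    "launched by bare name, so the search path decides which file runs"))
    return findings


def fix_candidates(findings: list[Finding]) -> list[str]:
    """Lines safe to select under 'Fix checked': dangling registrations only."""
    return [f.line for f in findings if f.kind in SAFE_TO_FIX]


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LOG)
    for f in found:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print("\nSafe to fix:")
    for line in fix_candidates(found):
        print("  " + line)
```

Run against the sample, the orphan BHO and the Symantec service come out as the only fix candidates, which is exactly the pair Katana asked to tick; `RtHDVCpl.exe` is reported separately as a bare-name launch, which is a check (does the file really sit in `C:\Windows`?) rather than a fix.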

Re: Windows Vista Machine - Suddenly Disabled

Post by tommy1974 » July 24th, 2008, 7:06 pm

Hello Katana, I was able to do the HijackThis fix but my computer still behaves the same way. I have not been able to do the ActiveScan because the ActiveScan website tries to do an update and it always fails. It gets to 99% of the update and then stops and says it has an error for some unknown reason. I will keep trying. I am more successful with Firefox than with IE because IE gives me a hard time with the ActiveX control regardless of whether I tell it to allow the control or have it set to allow ActiveX controls under Internet Options.

To answer your question about the Kaspersky scan, yes I did start IE with "Run as Administrator." Something is just killing the browser. It happens with Firefox too.

Whenever I try to use IE, I frequently get message box popups (assuming the browser isn't just killed). The message boxes generally say things like:

"Search_Glow: iexplore.exe - Application Error"
"ssvagent.exe - Application Error"
"Microsoft Visual C++ Debug Library" and some kind of runtime error
"The exception unknown software exception (0x40000015) occurred in the application at location 0x4714f110. Click OK to terminate the program."

Usually when I see a message box like this, that's the end; the browser won't work anymore. Sometimes it will tell me it can't connect to the internet, which I know not to be true. Also, it happens quite often where the inside part of the message box doesn't fill in, so I can only see the "Search_Glow:..." and the "x" in the upper right to close the box, and the middle part is transparent. I guess this is happening because of the memory hogging.

These types of events are often accompanied by being forced from Windows Aero to Windows Basic displays as well.

As I said, I'll keep trying to get the ActiveScan done. Maybe with some luck it will work out. I'm sorry, it occurred to me that maybe I wasn't specific enough about what was happening with IE before but I hope this gives you additional information. Thank you for your help. I know my computer hasn't been very cooperative. Maybe that goes for me too. :oops:
tommy1974
Active Member
Posts: 6
Joined: July 20th, 2008, 1:28 am

Re: Windows Vista Machine - Suddenly Disabled

Post by Katana » July 24th, 2008, 9:19 pm

Hmm, it doesn't sound like a malware problem, but let's try one last scan.


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the following file path into the window
C:\Users\Public\WUSB54GC_v3[1].0.1.0.exe
Click Submit/Send File
Please post back, to let me know the results.


If Virustotal is too busy please try Jotti
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Windows Vista Machine - Suddenly Disabled

Post by tommy1974 » July 27th, 2008, 9:45 pm

Hello Katana, sorry it took me so long to reply, as a very important family issue came up. I wouldn't call it an emergency but it was pretty important.

Anyway, the Malwarebytes' Anti-Malware program did find and get rid of a couple of things, which is good, but the computer still behaves the same way, acting all slow and giving me warnings that it's running low on memory. :( So, even if the anti-malware program successfully got rid of whatever was screwing up my pc, do I have to go in and fix things in its aftermath?

I've posted the scan results below.

Also, I don't know if this matters, but during the Malwarebytes scan, I got numerous error messages saying, "Malwarebytes' Anti-Malware: An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team. Error Code 722(3,7)." The numbers inside the parentheses were different sometimes, but it always seemed to start with 722. Is this normal?

I uploaded the file you requested to Virustotal, and it was checked by 34 different anti-virus/anti-malware programs, none of which seemed to find anything wrong with it.

Malwarebytes' Anti-Malware 1.23
Database version: 999
Windows 6.0.6001 Service Pack 1

5:52:08 PM 7/27/2008
mbam-log-7-27-2008 (17-52-08).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 234159
Time elapsed: 2 hour(s), 23 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\InstallShield Installation Information\{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Windows\System32\ias.dll (Trojan.Agent) -> Quarantined and deleted successfully.
tommy1974
Active Member
Posts: 6
Joined: July 20th, 2008, 1:28 am
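Before acting on a scanner verdict like the one above, a practitioner wants a second opinion on the exact files the log names, and would normally look each file up by hash rather than upload it (Katana's VirusTotal request earlier in the thread was for a file upload; a hash lookup answers the same question without the file leaving the machine). The script below is an added example for this thread, not Malwarebytes or VirusTotal code. It parses the `Files Infected:` section of a Malwarebytes 1.x log, hashes each listed file that is still on disk (a quarantined file will not be, so it has to be exported from quarantine first), returns the VirusTotal hash-lookup URL, and marks anything under the Windows directory as needing manual verification, because on-demand scanners do misfire on OS components. The sample log text is constructed from the log posted above; the `windir` parameter, the regexes and the `Hit` record are my own.

```python
"""Second opinion on files a scanner flagged, by hash rather than by upload.

Added example for this thread (not Malwarebytes or VirusTotal code).
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Constructed sample: the relevant part of the Malwarebytes log posted in the thread.
SAMPLE_MBAM_LOG = r"""
Files Infected: 2

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\InstallShield Installation Information\{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Windows\System32\ias.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Section headers look like "Files Infected:" or, in the summary, "Files Infected: 2".
SECTION_RE = re.compile(r"^[A-Za-z ]+ Infected:(?: \d+)?$")
# Greedy path so "Program Files (x86)" survives; the "(detection) -> action" tail
# anchors the match.
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Hit:
    path: str
    detection: str
    action: str
    sha256: Optional[str]   # None when the file is no longer on disk (quarantined)
    os_component: bool      # lives under the Windows directory: verify before trusting

    @property
    def lookup_url(self) -> Optional[str]:
        """VirusTotal report by hash; nothing is uploaded."""
        return f"https://www.virustotal.com/gui/file/{self.sha256}" if self.sha256 else None


def parse_files_infected(log_text: str) -> list[tuple[str, str, str]]:
    """Return (path, detection, action) for each entry under 'Files Infected:'."""
    entries: list[tuple[str, str, str]] = []
    in_files = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            in_files = line.startswith("Files Infected:")
            continue
        if in_files and (m := ENTRY_RE.match(line)):
            entries.append((m["path"], m["detection"], m["action"]))
    return entries


def sha256_hex(data: bytes) -> str:
    """Reference digest for in-memory data (what sha256_of computes for a file)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> Optional[str]:
    """Stream the file through SHA-256; None if it is gone (e.g. quarantined)."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_os_component(path: str, windir: str = r"C:\Windows") -> bool:
    return path.lower().startswith(windir.lower().rstrip("\\") + "\\")


def second_opinion(log_text: str, windir: str = r"C:\Windows") -> list[Hit]:
    return [
        Hit(path, det, act, sha256_of(path), is_os_component(path, windir))
        for path, det, act in parse_files_infected(log_text)
    ]


if __name__ == "__main__":
    for h in second_opinion(SAMPLE_MBAM_LOG):
        flag = "  <- OS component: confirm the verdict by hand" if h.os_component else ""
        print(f"{h.detection:16} {h.path}{flag}")
        print("   ", h.lookup_url or "not on disk; export from quarantine, then hash it")
```

On the poster's log this marks `C:\Windows\System32\ias.dll` for manual confirmation and, since Malwarebytes had already quarantined both files, reports that they must be exported from quarantine before a hash can be taken.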

Re: Windows Vista Machine - Suddenly Disabled

Post by Katana » July 28th, 2008, 4:04 am

C:\Windows\System32\ias.dll is a false positive, you need to restore it.

Open MBAM, and select the Quarantine Tab
Click on C:\Windows\System32\ias.dll and then click Restore



There is no malware that would be causing your problem.
Unfortunately you are now outside my area of knowledge, so I'm going to have to recommend that you visit one of the tech forums for assistance.

http://www.techsupportforum.com/
http://www.bleepingcomputer.com/forums/
http://forums.whatthetech.com/forums.html

All the forums above have good support for software/OS problems, and I'm sure they will be able to help.

When you start your thread, explain what the problem is and let them know that you have been checked for malware.
Give them the following link, so they can see the logs if needed:
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=32856

Congratulations your logs look clean :D

Let's see if I can help you keep it that way

First let's tidy up :D


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U; it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.




The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partne ... bscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for Home Users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must-have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must-have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE 7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • Firefox
      • With many addons available that make customization easy, this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION: If you delete all your cookies, you will lose any auto-login information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article: So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
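An added example, not part of the thread and not code from Spybot S&D or the MVPS HOSTS project, to show what the post above means by a hosts file being "a bit like a phone book" that can block sites. It parses a hosts file the way the resolver reads it (first matching name wins, hosts are consulted before DNS), answers whether a name is sinkholed to 0.0.0.0 or loopback, and lists entries that instead redirect a name to a routable address, which is what a hosts-file hijack looks like and why Spybot's host protection exists. The sample file is constructed and every domain in it is a placeholder under the reserved .invalid TLD.

```python
"""Read a Windows hosts file as a local name-to-address table, check whether a
name is blocked by it, and report entries that redirect rather than block.

Added example; not code from MalwareRemoval.com, Spybot S&D or MVPS HOSTS.
SAMPLE_HOSTS is constructed; all names are placeholders under .invalid.
"""
import ipaddress
from dataclasses import dataclass

SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost

# Blocklist entries in the MVPS style: the name is sinkholed to 0.0.0.0
0.0.0.0  ads.example-tracker.invalid
0.0.0.0  banners.example-tracker.invalid  counter.example-tracker.invalid

# The kind of line a hosts-file hijack leaves behind: a security vendor's
# update host pointed at a routable address so updates silently fail.
203.0.113.45    updates.example-av.invalid
not-an-address  garbage.invalid
"""


@dataclass(frozen=True)
class HostEntry:
    address: str
    name: str
    line_no: int

    @property
    def is_sinkhole(self) -> bool:
        """0.0.0.0 or loopback: the entry blocks the name rather than redirecting it."""
        ip = ipaddress.ip_address(self.address)
        return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str) -> list:
    """Return one HostEntry per (address, name) pair, in file order."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not body:
            continue
        fields = body.split()
        try:
            ipaddress.ip_address(fields[0])      # first field must be an IPv4/IPv6 address
        except ValueError:
            continue                             # malformed line: skipped
        for name in fields[1:]:                  # one address may carry several names
            entries.append(HostEntry(fields[0], name.lower(), line_no))
    return entries


def lookup(entries, name: str):
    """First match wins, mirroring the resolver's hosts-file precedence."""
    name = name.lower().rstrip(".")
    return next((e for e in entries if e.name == name), None)


def is_blocked(entries, name: str) -> bool:
    """True when the hosts file sinkholes the name (blocklist behaviour)."""
    entry = lookup(entries, name)
    return entry is not None and entry.is_sinkhole


def suspicious_entries(entries) -> list:
    """Entries that send a name to a routable address instead of sinkholing it.
    A blocklist-style hosts file should contain none of these."""
    return [e for e in entries if not e.is_sinkhole]


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.invalid", "www.example.invalid"):
        print(f"{name}: {'blocked by hosts' if is_blocked(entries, name) else 'falls through to DNS'}")
    for e in suspicious_entries(entries):
        print(f"line {e.line_no}: {e.name} -> {e.address} (redirect, verify this entry)")
```

The redirect check is the defensive half: a hosts file maintained from a blocklist only ever contains 0.0.0.0 or loopback entries, so anything else in it is worth explaining.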

Re: Windows Vista Machine - Suddenly Disabled

Post by tommy1974 » August 2nd, 2008, 3:04 am

Katana, thank you for all of your helpful advice. I will go ahead and restore that one file and take your suggestions for preventing future malware attacks on my computer.

As I was telling you, this problem pretty much makes that machine useless (my wife and I have to use this little MacBook), so I will go to one of the other forums like you suggested and provide the folks there a link to this thread. If it's not malware or virus, then maybe it is just a really bad setting or registry entry somewhere. The computer seems fine except for the fact that something is hogging memory big time; more than 85% of it is used in an unexplained way.

I have just had a really busy week, but I just wanted to say thanks before this thread is closed as inactive. Thank you again for all your time and help, and hopefully I didn't cause you to waste a lot of your time. :)
tommy1974
Active Member
 
Posts: 6
Joined: July 20th, 2008, 1:28 am

Re: Windows Vista Machine - Suddenly Disabled

Post by Katana » August 2nd, 2008, 3:39 am

tommy1974 wrote: And hopefully I didn't cause you to waste a lot of your time. :)

Not at all,
It is never a waste of time making sure a machine is clean.

I hope they can sort you out soon :)

Take care

K'
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Windows Vista Machine - Suddenly Disabled

Post by Gary R » August 2nd, 2008, 4:41 am

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire