Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Stop errors HJT log and details included

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Stop errors HJT log and details included

Unread postby Piney » July 26th, 2006, 1:50 am

A friend had contacted me about a problem with receiving "Stop" errors.
Her initial HJT log appeared clean to me, other than needing to upgrade Java from 1.4.2 to most recent available.

Before the upgrade of Java, the Stop/shutdown happened 10-12 times a day. Occurances did not indicate a pattern. She might be working on her music, using Pal-Talk, sorting through email, playing on zone.com, although she did say it happened more when she was working with her music. She said the computer just 'died', screen went black, then the computer would boot back up again and she'd have the error report box showing.

I heard nothing from her for a couple of months, then received a HJT log with the info that the Stop/shutdown problem was occuring again.

She has been taught (and is paranoid enough to follow through) about updating her Nortons and Windows, keeping temps, TIFs etc cleaned up.

I honestly see nothing out of the norm in her log. Perhaps fresher eyes will spot something.
=======================
Logfile of HijackThis v1.99.1
Scan saved at 10:08:16 PM, on 7/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\WINDOWS\system32\CMMON32.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GCR Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b40641.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZB ... b32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b32846.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zp ... b40746.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/St ... b35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZP ... b35759.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE70B31-2A93-4AF6-82DA-B463338FE781}: NameServer = 65.254.160.23 65.254.160.22
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thank you in advance :)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm
Advertisement
Register to Remove

Unread postby 1972vet » July 26th, 2006, 1:14 pm

Greetings Piney,

Nice to meet you. I'm studying the log and can say, right off the bat I spotted a couple of trojans.

I'll have more in a bit.
Regards,
1972vet
Regular Member
 
Posts: 34
Joined: June 2nd, 2006, 11:44 pm

Unread postby 1972vet » July 26th, 2006, 1:48 pm

OK Piney,

Looks like one definate trojan, and one maybe. The file "CMMON32.EXE" is listed as a trojan here and here.

The file "palstart.exe" is called a trojan here and is only considered adware here with a risk rating of 2 out of 10.

There are also these forums http://forums.tomcoyote.org/lofiversion ... 36369.html
http://gladiator-antivirus.com/forum/lo ... 33339.html

Where the user was instructed to remove it. I trust those people...

Is your friend from South Boston, VA. or use the GCR Company as her ISP? If not, this one should go:
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE70B31-2A93-4AF6-82DA-B463338FE781}: NameServer = 65.254.160.23 65.254.160.22
1972vet
Regular Member
 
Posts: 34
Joined: June 2nd, 2006, 11:44 pm

Unread postby Piney » July 26th, 2006, 2:26 pm

Hi 1972vet :)

Thank you for reviewing the log.

My friend uses GCR for her connection so those items are ok.

Regarding the CMMON32.EXE.... I looked at that 5 ways from Sunday. Where it is listed in the System32 folder (and since I have one there, also) I hesitated to have her remove it. Properties check showed mine to be: Microsoft Connection Manager Monitor. So, I waffled on it. I did have her check in the System32 folder for hers, it shows the same type of icon as mine. I didn't have her do a search of files and folders for any others.
I can have her search for other instances, unless you think this is the trojan and not the MS connection manager?

Palstart.exe is the executable for Pal-Talk, an old voice chat program used by some of the tournament hosts for zone.com. I wouldn't have it on my computer, but that is me :roll:

I await your reply :)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby 1972vet » July 26th, 2006, 11:56 pm

According to the Task List at ATW, there is a definite impact on the performance of the PC when that .exe is running. They state that whenever they have terminated the task, the PC's performance has improved. the Internet connection has stayed up, and they hadn't noticed any ill consequences as a result of terminating CMMON32.

I have never seen that executable running in my task manager. I used to have dial up but perhaps my ISP was one that didn't use this dialer.
Since she has dial up, just ask her to use the Task Manager to kill that process. Then try the dial up connection. If it still works, I would be inclined to remove the process from the start up folder. If it doesn't, a simple reboot will fix the problem.

You're aware of Jotti's and VirusTotal...if a scan there produces some positive result...

Those issues I pointed to notwithstanding, the stop errors she has been getting no doubt originate from some other issue.
I can help you troubleshoot the stop errors if you like. Let me know what you decide.
1972vet
Regular Member
 
Posts: 34
Joined: June 2nd, 2006, 11:44 pm

Unread postby Piney » July 27th, 2006, 12:54 am

I thank you for taking the time to research her log!

I will suggest she use the task manager to kill the executable.

Someone "coughed" and pointed out that I should have her check the error log for the exact STOP error she gets. I'd completely forgotten about checking the error log! :oops:

I am also going to have her check her hard drive with WD diagnostic download. Since the upgrade of Java, the occurances have decreased greatly (1-2 a week vs 10-12 daily).

I'm relieved that I'd not missed any new malware, although as I mentioned she is very paranoid about her computer's state of health! There should be more like her :lol:

Thank you again, vet! Let's leave this topic open until I get the report from her error log.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby 1972vet » July 27th, 2006, 9:05 am

Sure thing.
In your original post I notice you mention "Stop Error" instead of reboot so I am assuming you have her configuration set to disable the automatic reboot upon receiving a stop error. Thus I will skip the suggestion to change the config.

You can however, try to force a "Blue Screen" stop error message thereby giving you the instant clue if the problems stem from a faulty driver.

Have her do this:

Click-->Start-->Run
then type "Verifier" in the Run box and click OK.

The Driver Verifier Manager will open. Keep the default setting of "Create Standard Settings" and click "Next". Put the Bullet in the option for "Automatically select all drivers installed on this computer". Click "Finish"

A list of drivers to be verified on the next boot will be shown.
If your computer stops with a blue screen, you should get an error message with the problem driver.
That's the message that you need. Have her write down the contents and post it back here in this thread on your next reply. We can suggest another config change that will make it simple to go after the faulty driver even if it's hidden.

To turn off the Verifier, click-->Start--> run
and type: verifier /reset
Then reboot again to record the change to the hard disk.

Good Luck!
Regards,
1972vet
Regular Member
 
Posts: 34
Joined: June 2nd, 2006, 11:44 pm

Unread postby Piney » July 27th, 2006, 1:03 pm

Thank you for the latest info!

She did do the WD diagnostics and evidently has some bad sectors on the harddrive :( I'll work with her to do the 'verifier' as you suggested.

It may be time for her to see a local tech to 'fix it', or invest in a new computer.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Piney » August 1st, 2006, 1:06 am

This topic can be closed. The errors point to more than she can handle, so is taking the computer to a tech.

Thank you, again for helping her :)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby 'KotaGuy » August 5th, 2006, 2:06 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 310 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware