Delay on reboot (15 mins)

L

LM79

New Member
Hi there,

Compaq Presario P4 2ghz laptop
XP, IE6, AVG, Adaware
15 min delay upon reboot to XP.

Sigh~ this is a pain in the @rse. after the symptoms disappear... laptop is pretty much normal... please help me????

Upon turning it on/rebooting: applications take 15mins to load after clicked (eg MS Outlook).
While waiting for this to happen there is absolutely no Hard drive movement and/or sound from laptop. Cntrl+Alt+Del does nothing (although would be useful to see what apps are running!)
Mouse is able to be moved, but clicking only works on certain things:
*I can highlight icons, open Jpegs, browse folders, view recycle bin etc.
*I cannot use the start button, open IE, MS Outlook, click on any apps in my quicklaunch task bar, right click the task bar.... importantly, I cannot use cntrl+alt+del.

15-20 mins later (no exaggeration), all the key strokes and mouse clicks start working:
outlook and/or IE load up, my docs load up, MSN msgnr loads, the start button spings up my apps, and the task manager shows up, once, twice (depending on how many times I pressed cntrl+alt+del!!!)

To avoid this situation, I just "sleep"/hibernate my laptop instead of completely turning it off everytime.
When I wake it up, it is fine.

Note that during the 15 min period, there is no noise of harddrive movement or egg timer on the mouse/cursor.
--------------------------
HJT log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 12:18:05 a.m., on 2/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq\My Documents\Downloads\Appns\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LCIDConfig] C:\WINDOWS\lcidchng.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150717858126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150717836665
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
 
That will probably be down to the nasty Backdoor and probable rootkit infection present.

O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
Click to expand...

If a Moderator approves my suggestion, I suggest you run a tool called SDFix which covers this nasty.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
Hi there,
here is my SDFIX report
I waited a while for a moderator to confirm you suggestion - no-one came to the party so I proceeded anyway. Please have a look below?
====================
SDFix: Version 1.83

Run by Compaq - Tue 08/05/2007 - 21:56:14.13

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Windows Spool Service

ImagePath:
"C:\WINDOWS\wdfmgr.exe"

Windows Spool Service - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\DQB1L3~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\KVCAHA~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\IZKN632H\CA0723ST.HTM - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\o - Deleted
C:\WINDOWS\system32\TFTP2548 - Deleted
C:\WINDOWS\system32\TFTP2576 - Deleted
C:\WINDOWS\system32\TFTP472 - Deleted
C:\WINDOWS\system32\TFTP620 - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\Compaq\\Desktop\\BlueSoleil\\BlueSoleil.exe"="C:\\Documents and Settings\\Compaq\\Desktop\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT10.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT11.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT12.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT13.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT14.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT15.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT16.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT17.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT18.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT1C.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT22.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT25.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT53.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT8A.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BITC.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BITD.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BITE.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BITF.tmp
C:\WINDOWS\system32\ttsut.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished
------------------------------------------------
And now the HJT report

Logfile of HijackThis v1.99.1
Scan saved at 10:44:40 p.m., on 8/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LCIDConfig] C:\WINDOWS\lcidchng.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150717858126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150717836665
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

-----------------------------
please advise??

Thanks,
LM
 
I waited a while for a moderator to confirm you suggestion - no-one came to the party so I proceeded anyway.
Click to expand...
Sorry about that, I should have messaged you. Are things any better now?

Edit: scrap that, more to do...
 
Last edited:
That went well :)

As Buzz says though, more to do!!

Please start by uninstalling Ewido anti-spyware. The new version has been relabelled AVG Anti-Spyware and has much better removal capabilities.

Copy the rest of these instructions to notepad for easy reference and perform all steps in the order they're listed. This will give the machine a thoroughly good cleanup from all angles.




Step # 1

Download and install the trial version of AVG Anti-Spyware.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the "Update" icon then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once updated, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports", select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Close AVG Anti-Spyware for use later.


Step # 2

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Step # 3

Download ComboFix from either of these links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click Combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.

Please tell me if you get the following error message:

"Unable to run com files !! Possible rootkit inteference. Tell this to the forum helper. Combofix will now exit"

The above message is very important!!!


Step # 4

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware and select the "Scanner" icon at the top.
  • Then select the "Scan" tab and click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient as it may take a while to complete.
  • A prompt will appear if any infections are found: please select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left of the screen and save it to your desktop as text file.
  • Close AVG Anti-Spyware and reboot your system.


Step # 5

Lastly, use the Kaspersky On-line Scanner
  • Accept the Active X object and download the latest definitions.
  • When the scanner is ready, click Scan Settings.
  • Select the Extended anti-virus database.
  • Select Scan Archives & Scan Mail Bases and then ok.
  • Click My Computer to run a full system scan.
  • When complete, choose Save as Text and save the log file to your desktop ready for posting.


Step # 6

Please post the following in your next reply:
  • ComboFix log.
  • AVG Report-Scan.txt.
  • Kaspersky results.
  • New HijackThis log.
  • Any problems you encountered.
 
Hi John,

as per your instructions:

ComboFix log.

"Compaq" - 2007-05-12 1:30:16 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Compaq\My Documents\Downloads\Appns\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\winserv.dat
C:\install.log
C:\WINDOWS\hosts


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))


2007-05-10 23:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-21 01:33 <DIR> d-------- C:\Program Files\Common Files\Canon
2007-04-21 01:33 <DIR> d-------- C:\Program Files\Canon
2007-04-12 22:22 <DIR> d-------- C:\Program Files\RarZilla Free Unrar


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-25 00:52:49 -------- d-----w C:\Program Files\BitComet
2007-04-25 00:52:19 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-04-09 04:34:28 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-09 04:34:22 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}"="C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"CARPService"="carpserv.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Display Settings"="C:\\Program Files\\HPQ\\Notebook Utilities\\hptasks.exe /s"
"QT4HPOT"="C:\\PROGRA~1\\HPQ\\ONE-TO~1\\OneTouch.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"LCIDConfig"="C:\\WINDOWS\\lcidchng.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DataLayer"="C:\\PROGRA~1\\COMMON~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\TRAYAP~1.EXE"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
Usnsvc usnsvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_DRIVER
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_GUARD


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 01:35:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?9?0?8??P???? ?X#B?????????????l|B? ??????

scanning hidden files ...

C:\system.sav\CTO.TXT 4096 bytes
C:\system.sav\CTOHW.TXT 16 bytes
C:\system.sav\DAYLGSAV.reg 320 bytes
C:\system.sav\FAVTOOL.LOG 696 bytes
C:\system.sav\INFO.BOM 8192 bytes
C:\system.sav\INFO2.BOM 8192 bytes
C:\system.sav\ISLOGCHK.LOG 472 bytes
C:\system.sav\REBOOT.ME 48 bytes
C:\system.sav\REGDEV.LOG 40 bytes
C:\system.sav\REGFLUSH.LOG 4096 bytes
C:\system.sav\RegionCF
C:\system.sav\RegionCF\euro.reg 216 bytes
C:\system.sav\RegionCF\SFr.reg 232 bytes
C:\system.sav\RmDev.log 16384 bytes
C:\system.sav\T55XGB.B22 4096 bytes
C:\system.sav\TNXHLC.002 4096 bytes
C:\system.sav\TNXHLC.AC1 4096 bytes
C:\system.sav\TNXXIN.B22 4096 bytes
C:\system.sav\TNXXPS.AC1 4096 bytes
C:\system.sav\TNXXPS.B22 4096 bytes
C:\system.sav\util
C:\system.sav\util\adobe.log 160 bytes
C:\system.sav\util\AppEvBk1.old 65536 bytes
C:\system.sav\util\AppEvBk2.old 65536 bytes
C:\system.sav\util\ATIRES.EXE 69632 bytes
C:\system.sav\util\bootldr.flg 0 bytes
C:\system.sav\util\BOOTSEC.NT4 512 bytes
C:\system.sav\util\CDDMA.REG 4096 bytes
C:\system.sav\util\CHECKLOG.EXE 98304 bytes
C:\system.sav\util\CIA.INI 69632 bytes
C:\system.sav\util\ClassMnu.log 72 bytes
C:\system.sav\util\CMDOOBE.CMD 72 bytes
C:\system.sav\util\COMPNAME.EXE 32768 bytes
C:\system.sav\util\cpqsm.exe 86016 bytes
C:\system.sav\util\DEFUSER.REG 320 bytes
C:\system.sav\util\deldir.log 4096 bytes
C:\system.sav\util\delmodem.bat 160 bytes
C:\system.sav\util\delmodem.ini 184 bytes
C:\system.sav\util\grnscrn.bto 552 bytes
C:\system.sav\util\grnscrn.exe 49152 bytes
C:\system.sav\util\infobomg.exe 102400 bytes
C:\system.sav\util\INSTALL.LOG 380928 bytes
C:\system.sav\util\make_rtr.flg 136 bytes
C:\system.sav\util\MKBSDAT.EXE 16384 bytes
C:\system.sav\util\NbUtil.log 184 bytes
C:\system.sav\util\oca.reg 352 bytes
C:\system.sav\util\oca_mrk.bat 120 bytes
C:\system.sav\util\oobe.min 136 bytes
C:\system.sav\util\oobe.wpe 184 bytes
C:\system.sav\util\osexclude.txt 224 bytes
C:\system.sav\util\PININST.INI 48 bytes
C:\system.sav\util\PININST.LOG 0 bytes
C:\system.sav\util\POSTOOBE.CMD 280 bytes
C:\system.sav\util\postproc.ini 4096 bytes
C:\system.sav\util\Powerset.log 96 bytes
C:\system.sav\util\random.ini 32 bytes
C:\system.sav\util\SecEvBk1.old 65536 bytes
C:\system.sav\util\SecEvBk2.old 65536 bytes
C:\system.sav\util\SETNAME.EXE 32768 bytes
C:\system.sav\util\SRCPATH.REG 432 bytes
C:\system.sav\util\SysEvBk1.old 65536 bytes
C:\system.sav\util\SysEvBk2.old 65536 bytes
C:\system.sav\util\sysrstr
C:\system.sav\util\touchpad.log 184 bytes
C:\system.sav\util\WINDVD.LOG 176 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 65


********************************************************************

Completion time: 2007-05-12 1:35:35
C:\ComboFix-quarantined-files.txt ... 2007-05-12 01:35
------------------------------------------------------

AVG Report-Scan.txt.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:45:19 a.m. 12/05/2007

+ Scan result:



C:\COMPAQ\APIsp\mfu\Carepaq.exe -> Logger.Age.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Compaq\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Compaq\Cookies\compaq@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.


::Report end

-----------------------------------------------------------

Kaspersky results.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 12, 2007 3:22:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/05/2007
Kaspersky Anti-Virus database records: 317847
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 49772
Number of viruses found: 3
Number of infected objects: 8 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:44:41

Infected Object Name / Virus Name / Last Action
C:\AVG7QT.DAT Infected: Trojan.Win32.Qhost skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Compaq\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\Compaq\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Compaq\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped
C:\Documents and Settings\Compaq\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Documents and Settings\Compaq\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq\Local Settings\History\History.IE5\MSHist012007051220070513\index.dat Object is locked skipped
C:\Documents and Settings\Compaq\Local Settings\Temp\~DF7542.tmp Object is locked skipped
C:\Documents and Settings\Compaq\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq\My Documents\Downloads\Appns\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Compaq\My Documents\Downloads\Appns\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Compaq\ntuser.dat Object is locked skipped
C:\Documents and Settings\Compaq\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\QooBox\Quarantine\C\WINDOWS\hosts.vir Infected: Trojan.Win32.Qhost skipped
C:\SDFix\backups\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP190\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{BAC64EB9-17ED-4A16-A046-028D30F93ABC}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060820-190336.backup Infected: Trojan.Win32.Qhost skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
---------------------------------------------------------------

New HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:42:12 p.m., on 12/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Compaq\My Documents\Downloads\Appns\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LCIDConfig] C:\WINDOWS\lcidchng.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150717858126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150717836665
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

-------------------------------------------------------------

Any problems you encountered

Still same on reboot.. 15 mins before I can do anything...
In fact - had to wait 15 for the HJT programme to start up!!!
And when I rebooted (per your instructions) and the start up screen stuck there for 15 mins approx ["welcome..... loading your personal settings"]


Your thoughts please?
THat was a lot of work! =)
 
in safe mode everything seems to work ok... but the PC remains offline from the internet.
things seem to load ok.
When I resumed a normal session it was still the same old story.

Please advise,
LM
 
There may be a possible software issue here as well. Although the next process may be tedious, it may well expose the problem. Can I suggest you go to Start > Run and type msconfig > OK to open the System Configuration Utility. Once open, click the Startup tab to reveal all the programs you have configured to load at startup. Remove the check from the box before each entry listed and OK out of the Utility. Restart the machine when prompted.

If the machine boots up normally you know it's software related. It's then a process of adding each startup entry back via msconfig one by one (rebooting between each addition) to see which is causing the problem.

Let me know how you get on. :)
 
Ok. will give it a shot this weekend.
I have heard of this method before - but have managed to avoid until now!

I thought it could be a MS Outlook problem. often it is very slow to respond when I hit "reply" or fwd" etc. I thought it could be becuase it uses MS Word as the email editor, but it is still slow if I elect not to use Word. Sometimes, when I open MS outlook and it is DLing messages, the screen freezes - I can use other windows/apps in the meantime but have to wait several minutes before I can read messages.
Another problem (sometimes occurs) is when I have say 5 unread emails - I click on 1 of them to read and the Outlook screen freezes. Again, this does not seem to effect other apps running.

Also, thought I should confirm that I have approx 3/30GB free HD - should be sufficient.

Not sure if above info helps you or not???:)

Will take your recommended action in the next few days.

Thanks again,
LM
 
Last edited:
Hi John,
actually, removing ALL start up apps as suggested makes little difference to my system. Windows appears to load up faster before the HD stops moving... I open up MS outlook and looks fine... then I open IE and have to wait 10-15mins before I can use the PC. the mouse moves, and I cannot hear any HD movement neither can I see the HD indicator flashing on the laptop.

Format and start over?

Please advise,
LM
 
A few posts ago you said that everything worked in Safe Mode. Can you go into Safe Mode (with networking) and launch Internet Explorer to test if it causes the same problem.
 
Hi John,
seems to be much faster now, although still now what it used to be.
MSN messenger takes ages to load (again without making any noises) and also, "locking" the workstation/laptop takes 2-3 mins too.

Please advise,
LM
 
Can you have a look at your Event Viewer logs please to see if there are any clues.

Go to Start > Run and type eventvwr to open the Event Viewer.

Look in the Application and System logs for errors (signified by a red circle with a white cross).

Double-click each of these error symbols to reveal more information.

You should find an Event ID number and Source information.

Check out these Event ID errors and related sources here.

Further info on the Event Viewer can be found here.
 
Most of the App errors are
- "MsiInstaller" where they are updates from the internet that have failed for MS Outlook and Office.
- Also a few "application hangs".

Under system error:
- Dhcp : Your computer has lost the lease to its IP address 10.1.1.6 on the Network Card with network address 00028A99C531.
- Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Office 2003 (KB920813).
- Timeout (30000 milliseconds) waiting for the Ati HotKey Poller service to connect.

I cannot understand that website that you gave me... when I enter in the event id and the source I cannot make head or tails out of the page... tells you the same as above more or less.

Please advise,
LM
 
You must log in or register to reply here.
Back
Top