Squidolin Posted July 24, 2007

I went through all the steps for the Anti-Malware-Full and here is my HijackThis log.... When I started HjT, my antivirus program reported a dangerous operation had been detected and blocked, then HjT started and I got this error message...

"For some reason your system denied write access to the Hosts file. If any Hijacked domains are in this file, HijackThis may NOT be able to fix this. If that happens, you need to edit the file yourself. To do this, click Start, Run and type: notepad C:\WINDOWS\system32\drivers\etc\Hosts and press Enter..." (there's more, but not relevant)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:27 PM, on 23/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda\pavsrv51.exe
D:\Program Files\Panda\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda\TPSrv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Panda\PsCtrls.exe
D:\Program Files\Panda\PavFnSvr.exe
D:\Program Files\Panda\APVXDWIN.EXE
D:\QuickCam\LogiTray.exe
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
D:\Program Files\Panda\AntiSpam\pskmssvc.exe
d:\program files\panda\firewall\PSHOST.EXE
D:\Program Files\Panda\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
D:\QuickCam\FxSvr2.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Panda\SRVLOAD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Panda\WebProxy.exe
D:\Program Files\Panda\PavBckPT.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HJThis.exe
D:\Program Files\Panda\psimreal.exe
D:\Program Files\Panda\avciman.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [sCANINICIO] "D:\Program Files\Panda\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\QuickCam\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\sotnoeqf.dll",forkonce
O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\QuickCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169066930140
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - Winlogon Notify: awtst - C:\WINDOWS\
O20 - Winlogon Notify: jkkhefc - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Software Controller - Panda Software International - D:\Program Files\Panda\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - D:\Program Files\Panda\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Program Files\Panda\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - D:\Program Files\Panda\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - d:\program files\panda\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - D:\Program Files\Panda\PsImSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - D:\Program Files\Panda\TPSrv.exe

-- End of file - 8091 bytes

I also got the warning from my antivirus program during the scan, after the error message about the denied write access.

Thanks for your time.
Administrator Tarun Posted July 24, 2007

Unfortunately, Panda antivirus is not a very good antivirus in all of my experiences with it. The errors you got were because Panda is attempting to protect your Hosts file. You may wish to uninstall it and use Avast.

Are there any programs listed in the HijackThis log that look unfamiliar to you?

You do have some Winlogon hijacks from Virtumonde (awtst) and SpywareQuake (jkkhefc). Save all these files to your desktop for easier access.

To remove Virtumonde you'll need VundoFix.

VundoFix
- Double-click VundoFix.exe to run it.
- When VundoFix re-opens, click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

For the SpywareQuake removal, you'll need RogueScanFix, smitRem and FixSQ (should be paired with smitRem).

RogueScanFix
- After installing, launch and you will be presented with the Credits screen. At this screen press the spacebar and you will be presented with a menu. Press the number 1 on your keyboard and press enter. At the next screen simply press the spacebar on your computer to start the removal process. Note: Please note that when the program starts it will download a program from the Internet that it needs to use during the cleanup. If your firewall gives an alert about this, please allow the download.exe or run.bat program to access the Internet.
- When the program starts, your desktop will disappear, which is normal, so please do not be concerned.
- It will then start the SpywareQuake uninstallation program. When that program starts, click on the Uninstall button. When it has finished uninstalling, you can then press the OK button to finish the uninstalling of SpywareQuake.
- When this program is finished, and it was able to delete all the files, you will see a small prompt that says Completed script execution. Simply press the OK button. It will then open the Brute Force Uninstaller program. Close this by pressing the Exit button. If there is a notepad open called task.txt, you can close that as well.
- If there were more files that needed to be deleted, the program will prompt you to reboot your computer. Press the Yes button and allow the computer to reboot. When you are back at the desktop, close the task.txt notepad if it is open.

smitRem
- Double click smitRem and click on the Start button. The program will start extracting the files into a folder on your desktop called smitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called smitRem.
- Reboot into Safe Mode and open the smitRem folder on your desktop. Double-click on the RunThis.bat file.
- When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process.
- If there is an uninstaller present for an infection that smitRem removes, it will start this uninstaller. Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue.
- When no more uninstallers can be found, the tool will continue. Your desktop will disappear and you will start seeing text scroll across the screen. This is normal and nothing to be concerned about.
- When smitRem has finished running it will automatically start the Disk Cleanup program.
- When the tool is finished, it will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.
- Reboot your computer back to normal mode.
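The two kinds of entry Tarun singles out in the reply above (an O4 Run value that loads a random-named DLL through rundll32, and O20 Winlogon Notify packages whose target is not a DLL) can be pulled out of a HijackThis log mechanically rather than by eye. The following Python script is an added example, not code from HijackThis, VundoFix or this thread: it parses O4 and O20 lines in the layout shown in the logs above and reports the ones that match those two patterns. The allowlists of Windows notify packages and of DLLs legitimately started through rundll32 are assumptions for illustration, and the sample lines are constructed from the entries in this thread plus one clean O20 line.

```python
"""Triage helper for HijackThis O4 (Run) and O20 (Winlogon Notify) lines.

Added example; this is not HijackThis or VundoFix code. The allowlists below
are assumptions for illustration, not an authoritative list of clean entries.
"""
import ntpath
import re

# Constructed sample lines modelled on the log posted in this thread.
SAMPLE_LOG = [
    'O4 - HKLM\\..\\Run: [iTunesHelper] "D:\\iTunes\\iTunesHelper.exe"',
    'O4 - HKLM\\..\\Run: [icq.com] rundll32.exe "C:\\WINDOWS\\system32\\sotnoeqf.dll",forkonce',
    'O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe',
    'O20 - Winlogon Notify: awtst - C:\\WINDOWS\\',
    'O20 - Winlogon Notify: jkkhefc - C:\\WINDOWS\\',
    'O20 - Winlogon Notify: crypt32chain - crypt32.dll',   # constructed clean entry
    'O23 - Service: TabletService - Wacom Technology, Corp. - C:\\WINDOWS\\system32\\Tablet.exe',
]

# Winlogon notification packages that ship with Windows XP (assumed allowlist).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
# System DLLs commonly started through rundll32 from Run keys (assumed allowlist).
KNOWN_RUNDLL = {"nvcpl", "bthprops", "shell32"}

O4_RE = re.compile(r'^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)


def check_run_entry(name, cmd):
    """Return a reason string if a Run value looks like a loader for a dropped DLL."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return None                      # only rundll32 loaders are examined here
    dll = m.group("dll")
    base = ntpath.splitext(ntpath.basename(dll))[0].lower()   # ntpath handles backslashes on any OS
    in_system32 = "\\system32\\" in dll.lower()
    if in_system32 and base not in KNOWN_RUNDLL:
        return ("rundll32 loads unrecognised DLL %s (export %s) from system32; "
                "Run value name %r does not match the DLL" % (dll, m.group("export"), name))
    return None


def check_notify_entry(key, target):
    """Return a reason string if a Winlogon Notify package is not a known one."""
    if key.lower() in KNOWN_NOTIFY:
        return None
    if not target.lower().endswith(".dll"):
        return ("Winlogon Notify package %s does not name a DLL (target %r); "
                "a notify package is always a DLL" % (key, target))
    return "Winlogon Notify package %s is not a known Windows package" % key


def triage(lines):
    """Scan HijackThis log lines; return (section, reason, line) for suspicious ones."""
    findings = []
    for line in lines:
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            reason = check_run_entry(m.group("name"), m.group("cmd"))
            if reason:
                findings.append(("O4", reason, line))
            continue
        m = O20_RE.match(line)
        if m:
            reason = check_notify_entry(m.group("key"), m.group("target"))
            if reason:
                findings.append(("O20", reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("%-3s %s\n    %s" % (section, reason, line))
```

On a real log the O20 rule needs a broader allowlist, since OEM software (display drivers, smart-card and VPN clients) also registers notify DLLs, so treat its output as a list to check, not a verdict; the O4 rule is narrower and the combination of a system32 DLL with a nonsense name, an unrelated Run value name and an unusual export is what makes the icq.com entry stand out.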
Squidolin Posted July 24, 2007

Hi...I'll give Avast a go then, instead of Panda. The only items I see, that I don't want to see, are the icq.com entry and the Uniblue Registry:

O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\sotnoeqf.dll",forkonce
O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

You mentioned the first one in the other thread, but the Uniblue isn't showing up in Control Panel\Add-Remove programs, so I don't know how to get rid of it. Even after reinstalling it to see if it would show up there, it still hadn't. I'll go through the other stuff, and post another HijackThis log(?)

Thanks

**The links for smitRem and FixSQ are not working...but I found them another way***
Administrator Tarun Posted July 24, 2007

**The links for smitRem and FixSQ are not working...but I found them another way from BleepingComputer.com***

Thanks for letting me know. I'll mirror some here on Lunarsoft soon.

I forgot to mention, when you install avast you can do a custom install and not install the skins.

If the Uniblue is not a program that you currently use, I can help you remove it easily. If HijackThis fails to remove that entry, or it keeps coming back, I'll let you know how we can fix it.
Squidolin Posted July 24, 2007

I've done the above mentioned scans and stuff... Roguescanfix got hung up at one point, but I managed to get it going somehow. smitRem got going eventually too. Don't know what to do with FixSQ.reg

I would like to get rid of Uniblue, yes.

Latest HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:21 PM, on 24/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\QuickCam\LogiTray.exe
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\QuickCam\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\HJThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\QuickCam\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\QuickCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169066930140
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - Winlogon Notify: awtst - C:\WINDOWS\
O20 - Winlogon Notify: jkkhefc - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

-- End of file - 6847 bytes

Looks like ...

O20 - Winlogon Notify: awtst - C:\WINDOWS\
O20 - Winlogon Notify: jkkhefc - C:\WINDOWS\

...are still hanging on for dear life hehehe
Administrator Tarun Posted July 24, 2007

With the reg file, you simply double click to merge it. Sorry about that.

Generated by Tarun's HijackThis Converter v0.50 Beta. Default-color items are optional, red are known to be malicious.

Created registry value
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

Changed registry value
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Created registry value
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Enumeration of suspicious auto-loading registry entries
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\QuickCam\ManifestEngine.exe boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Extra IE context menu items
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Extra "Tools" menu items and buttons
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

Downloaded Program Files item
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O20 - Winlogon Notify: awtst - C:\WINDOWS\
O20 - Winlogon Notify: jkkhefc - C:\WINDOWS\

After removing these items, you will want to reboot your computer. Have you noticed any change in your performance? Are you getting any errors or popups?
Squidolin Posted July 24, 2007

I re-ran HijackThis and checked everything from your last post, then hit the "Fix Checked" button and rebooted.

I still get the same memory errors as I've been getting for the last 3 months or so :( Plus this new error...

"MOM.EXE" The application failed to initialize properly (0xc0000135). Click on OK to terminate the problem.

I ran HijackThis and here's the latest log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:08 PM, on 24/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\QuickCam\LogiTray.exe
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
D:\QuickCam\FxSvr2.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Me\Desktop\HJThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\QuickCam\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169066930140
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su/ocx/15029/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

-- End of file - 5280 bytes

My computer does seem to boot up a lot faster though.
Administrator Tarun Posted July 24, 2007

I see those malicious entries of the Winlogon are gone.

The memory error you are having is about your ATI Catalyst Control Center. Do you have the .NET Framework installed? It will show up in your Control Panel. You can go to Windows Update and download the Framework there if you need it. The redistributable packages can be found on Microsoft's Search. I would recommend using Windows Update if you can, as it will automate the process and make things much easier for you.

Should that not resolve the issue, you may wish to reinstall the ATI Catalyst Control Center. Here is a link to the ATI Driver Download. You would need to uninstall all of the ATI items, from the CCC to the display driver.
Squidolin Posted July 24, 2007

I haven't been able to Update Windows at all since I've been getting the original error message (this is an example, when I open Windows Explorer, I get this --->)

"explorer.exe - The instruction at "0x00401613" referenced memory at "0x00006678". The memory could not be "read". Click on OK to terminate the program"

I get this error a lot, but with different addresses. When I open Windows Explorer, try to update anything, including Avast and Windows (I have to turn Auto updates for both off so that I'm not tormented by that error message all day). Even when I close a program, I get this error at times.

For a laugh, I tried to update Windows today, and it seemed to download the updates I needed and installed them, but I still got the error for something different than "upgrader.exe" that I usually get it for when I try to update Windows.

I have the .NET stuff also already. I'll reinstall the ATI stuff to get rid of the new error though. (Done, and the MOM.EXE error is gone...thanks)
Administrator Tarun Posted July 24, 2007

Go into Dial-a-fix and click Tools (hammer icon). At the bottom, you'll want to do the SFC Purge. Doing the purge first will clean out the cache which may contain malware or corrupt programs/dlls. After that, you'll do the SFC Scan. Once that has completed, you'll close that and go back to the main DAF window. Click the green checkmark button and then click Go.
Squidolin (Author) Posted July 25, 2007 Ok, did all that, and finally got DAF to run through completely with no hangups, thanks a ton. However, I still get the "memory could not be "read"." errors :(
Tarun (Administrator) Posted July 25, 2007 Have you used any enhancements on your system? XPize is one such example. Also, do you get any program crash errors where you can send the crash report to Microsoft?
Squidolin (Author) Posted July 25, 2007 I haven't used any enhancements that I know of, except for that Uniblue Registry Booster, which is now gone anyway. I used to get the chance to send an error report when Panda got the message when it tried to update automatically, but I don't have that anymore either. I do have a second hard drive that is +200GB, so I did have to run software for Windows to recognise it, but I'm pretty sure I had installed that long before I started getting these errors. I just tried to update Avast to get the errors, which both happened, errors and update, but no chance to send an error report.
Tarun (Administrator) Posted July 25, 2007 I'm still looking into this issue to find a solution for you.
Ultimate Predator Posted July 26, 2007 I assume, Squidolin, you did do a Windows Update after all?
Tarun (Administrator) Posted July 26, 2007 Start by removing Internet Explorer extensions, every toolbar (Yahoo, Google, Verizon, Earthlink, etc), Google desktop, things like that. Also, to submit a crash log, please do this: Start > Run > "%allusersprofile%\Application Data\Microsoft\Dr Watson" That is including the quotes. Upload the user.dmp that's in there and we'll find the cause.
Squidolin (Author) Posted July 26, 2007 Yes, I did get Windows updated, but this time got the memory error at a later stage for each item updated. I don't use IE at all except to update Windows or my motherboard, so I don't think there are any extensions associated with it other than what comes with it. I use Firefox, and it comes with Google Toolbar now, so I can't get rid of that(?). I have no other addons or anything with Firefox. The user.dmp is 1MB; how can I upload it? The max file size for here is 150K.
Tarun (Administrator) Posted July 26, 2007 You may want to try Files-Upload.
Squidolin (Author) Posted July 26, 2007 user.dmp
DjLizard Posted July 26, 2007 That dump says explorer crashed because of an access violation caused by a stack overflow in normaliz.dll (part of IE) called from a program named Upgrader.exe, which I have to assume is another virus. Tarun can take it from here.
Squidolin (Author) Posted July 26, 2007 Ok, thanks. I did a bit of research myself, and the first listings when I "Google" it all relate to problems with Panda Antivirus... oh well... I've since switched to Avast, but I guess this Upgrade.exe is lingering hehehe. I'll wait patiently of course before I do anything to get myself into a possibly bigger mess. Ok, I couldn't wait... I did some more research, and decided to remove IE7 from my machine. So far, I have had zero errors. Even when I open Windows Explorer, which used to guarantee the error, nothing; it opens fine.
greenknight Posted July 26, 2007 You can get rid of the Firefox Google Toolbar; I would recommend it, it causes all kinds of trouble. Firefox doesn't come with Google Toolbar if you download it directly from Mozilla; links to do so are on the front page of this site. You don't need to re-install, though; Google Toolbar is just an extension, and you can uninstall it. Go to Tools > Add-ons, in the Extensions tab click on it and click "Uninstall". Press the "Restart" button at the bottom to complete the process.
Tarun (Administrator) Posted July 26, 2007 Squidolin, you may want to upload the upgrader.exe to VirusTotal to see what the online scanner says. As for normaliz.dll, from what I was able to find, it's an Internet Explorer DLL that is "Unicode Normalization DLL, v6.0.5243.0". Possible solutions said to reinstall Internet Explorer. Go ahead and see if you can use Windows Update fully and get all of the updates (omitting IE7). Then you may wish to wait a week or so before you update to IE7.
Squidolin (Author) Posted July 26, 2007 I did a search of my hard drives, and couldn't find upgrader.exe. That was just using Start->Search. Is there another way? I turned Auto Updates back on for Windows, and it found one for IE6. I figure if I don't need IE7 to update anything then I probably won't bother at all. I couldn't find the link on the front page of this site, so I just went to www.mozilla.com and hit the download button for Firefox 2.0.0.5, which I have been using since it came out, and I still have the Google toolbar, and there's nothing listed in Tools->Add-ons.
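As an added example (this is not code from the thread, from HijackThis, Dial-a-fix or any other tool mentioned above), the following Python script answers the "is there another way?" question in a form that also serves the earlier VirusTotal suggestion: it walks every directory under the given roots with os.walk, which does not skip hidden or system folders the way the Windows XP Start > Search dialog does by default, matches the file name case-insensitively (NTFS is case-insensitive), and prints the size and SHA-256 of each hit so the file can be looked up on VirusTotal by hash without uploading it. The directory tree it builds in a temporary folder is constructed for the demo; the files named Upgrader.exe in it are text placeholders, not the file discussed in the thread.

```python
"""Locate a file by name across whole directory trees and hash every match.

Added example, not from the forum thread. The sample tree built by
build_constructed_tree() is constructed for offline demonstration.
"""
import hashlib
import os
import sys
import tempfile
from typing import List, Tuple


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in 64 KiB chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_files_by_name(roots: List[str], target_name: str) -> List[Tuple[str, int, str]]:
    """Return (path, size, sha256) for every file named target_name under the roots.

    Matching is case-insensitive. Directories that cannot be read (permission
    errors, junctions that loop) are skipped instead of aborting the walk, and
    a file that disappears or is locked between listing and hashing is skipped too.
    """
    wanted = target_name.lower()
    hits: List[Tuple[str, int, str]] = []
    for root in roots:
        # onerror swallows per-directory errors; the walk continues elsewhere.
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
            for fn in filenames:
                if fn.lower() != wanted:
                    continue
                full = os.path.join(dirpath, fn)
                try:
                    size = os.path.getsize(full)
                    digest = sha256_of_file(full)
                except OSError:
                    continue
                hits.append((full, size, digest))
    # Deterministic order regardless of filesystem enumeration order.
    hits.sort(key=lambda h: h[0].lower())
    return hits


def build_constructed_tree() -> str:
    """Constructed sample tree (placeholder text files, not real executables)."""
    base = tempfile.mkdtemp(prefix="findfile_demo_")
    os.makedirs(os.path.join(base, "Program Files", "Panda"))
    os.makedirs(os.path.join(base, "WINDOWS", "system32"))
    os.makedirs(os.path.join(base, "Documents and Settings", "user"))
    with open(os.path.join(base, "Program Files", "Panda", "Upgrader.exe"), "wb") as f:
        f.write(b"constructed placeholder, first copy\n")
    # Same name with different casing and different content: two distinct hits.
    with open(os.path.join(base, "WINDOWS", "system32", "upgrader.EXE"), "wb") as f:
        f.write(b"constructed placeholder, second copy\n")
    with open(os.path.join(base, "Documents and Settings", "user", "notes.txt"), "w") as f:
        f.write("unrelated file\n")
    return base


if __name__ == "__main__":
    # Usage: python find_by_name.py upgrader.exe C:\ D:\
    # With no arguments, search the constructed demo tree instead.
    if len(sys.argv) >= 3:
        name, roots = sys.argv[1], sys.argv[2:]
    else:
        name, roots = "upgrader.exe", [build_constructed_tree()]
    for path, size, digest in find_files_by_name(roots, name):
        print(f"{digest}  {size:>10}  {path}")
```

Run it with the file name and the drive roots to search (for the machine in this thread that would be C:\ and D:\); the hash column is what you paste into VirusTotal's search box. A hit under a location such as system32 with a hash unknown to VirusTotal is worth keeping as evidence rather than deleting straight away, since the thread's crash dump points at Upgrader.exe as the caller of the faulting code.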
Tarun (Administrator) Posted July 26, 2007 IE7 is recommended as it has a lot of fixes and added security, actually; but that is up to you. As for the Google Toolbar, it should be listed in the Add-Ons section. The only other place where it might be coming from (though I remotely doubt it) is Add/Remove programs. Optionally, you could do a clean install of Firefox. To do that you would uninstall your current Firefox. Be sure your Mozilla Firefox directory in Program Files is deleted, along with your profile directory.