Jump to content
Squidolin

Squidolin - Log 01

Recommended Posts

I went through all the steps for the Anti-Malware-Full and here is my HijackThis log....

When I started HjT, my antivirus program reported a dangerous operation had been detected and blocked, then HjT started and I got this error message...

"For some reason your system denied write access to the Hosts file. If any Hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type:

notepad C:\WINDOWS\system32\drivers\etc\Hosts

and press Enter..." (there's more, but not relevant)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:10:27 PM, on 23/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

D:\Program Files\Panda\pavsrv51.exe

D:\Program Files\Panda\AVENGINE.EXE

C:\WINDOWS\system32\svchost.exe

D:\Program Files\Panda\TPSrv.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

D:\Program Files\Panda\PsCtrls.exe

D:\Program Files\Panda\PavFnSvr.exe

D:\Program Files\Panda\APVXDWIN.EXE

D:\QuickCam\LogiTray.exe

D:\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\WINDOWS\system32\HPZipm12.exe

D:\Program Files\Panda\AntiSpam\pskmssvc.exe

d:\program files\panda\firewall\PSHOST.EXE

D:\Program Files\Panda\PsImSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

D:\QuickCam\FxSvr2.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\iPod\bin\iPodService.exe

D:\Program Files\Panda\SRVLOAD.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

D:\Program Files\Panda\WebProxy.exe

D:\Program Files\Panda\PavBckPT.exe

C:\WINDOWS\system32\wuauclt.exe

D:\HJThis.exe

D:\Program Files\Panda\psimreal.exe

D:\Program Files\Panda\avciman.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sCANINICIO] "D:\Program Files\Panda\Inicio.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe

O4 - HKLM\..\Run: [LogitechVideoRepair] D:\QuickCam\ISStart.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\sotnoeqf.dll",forkonce

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\QuickCam\ManifestEngine.exe boot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.msi.com.tw

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15026/CTSUEng.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169066930140

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su/ocx/15029/CTPID.cab

O20 - Winlogon Notify: awtst - C:\WINDOWS\

O20 - Winlogon Notify: jkkhefc - C:\WINDOWS\

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Panda Software Controller - Panda Software International - D:\Program Files\Panda\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - D:\Program Files\Panda\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Program Files\Panda\pavsrv51.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - D:\Program Files\Panda\AntiSpam\pskmssvc.exe

O23 - Service: Panda Host Service (PSHost) - Panda Software International - d:\program files\panda\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - D:\Program Files\Panda\PsImSvc.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - D:\Program Files\Panda\TPSrv.exe

--

End of file - 8091 bytes

I also got the warning from my antivirus program during the scan, after the error message about the denied write access.

Thanks for your time.

Share this post


Link to post
Share on other sites

Unfortunately, Panda antivirus is not a very good antivirus in all of my experiences with it. The errors you got were because Panda is attempting to protect your Hosts file. You may wish to uninstall it and use Avast.

Are there any programs listed in the HijackThis log that look unfamiliar to you?

You do have some Winlogon hijacks from Virtumonde (awtst) and SpywareQuake (jkkhecf).

Save all these files to your desktop for easier access.

To remove Virtumonde you'll need VundoFix.

VundoFix

  • Double-click VundoFix.exe to run it.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

For the SpywareQuake removal, you'll need RogueScanFix, smitRem and FixSQ (should be paired with smitRem).

RogueScanFix

  • After installing, launch and you will be presented with the Credits screen. At this screen press the spacebar and you will be presented with a menu. Press the number 1 on your keyboard and press enter. At the next screen simply press the spacebar on your computer to start the removal process.

    Note: Please note that when the program starts it will download a program from the Internet that it needs to use during the cleanup. If your firewall gives an alert about this, please allow the download.exe or run.bat program to access the Internet.


  • When the program starts, your desktop will disappear, which is normal, so please do not be concerned. It will then start the SpywareQuake uninstallation program. When that program starts, click on the Uninstall button. When it has finished uninstalling, you can then press the OK button to finish the uninstalling of SpywareQuake.
  • When this program is finished, and it was able to delete all the files, you will see a small prompt that says Completed script execution. Simply press the OK button. It will then open the Brute Force Uninstaller program. Close this by pressing the Exit button. If there a notepad open called task.txt, you can close that as well.
  • If there were more files that needed to be deleted, the program will prompt you to reboot your computer. Press the Yes button and allow the computer to reboot. When you are back at the desktop, close the task.txt notepad if it is open.

smitRem

  • Double click smitRem and click on the Start button. The program will start extracting the files into a folder on your desktop called smitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called smitRem.
  • Reboot into Safe Mode and open the smitRem folder on your desktop. Double-click on the RunThis.bat file.
  • When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process.
  • If there is an uninstaller present for an infection that smitRem removes, it will start this uninstaller.
  • Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue.
  • When no more uninstallers can be found, the tool will continue. Your desktop will disappear and you will start seeing text scroll across the screen. This is normal and nothing to be concerned about. When smitRem has finished running it will automatically start the Disk Cleanup program.
  • When the tool is finished, it will will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.
  • Reboot your computer back to normal mode.

Share this post


Link to post
Share on other sites

Hi...I'll give Avast a go then, instead of Panda.

The only items I see, that I don't want to see, are the icq.com entry and the Uniblue Registry,

O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\sotnoeqf.dll",forkonce

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

You mentioned the first one in the other thread, but the Uniblue isn't showing up in Control Panel\Add-Remove programs, so I don't know how to get rid of it. Even after reinstalling it to see if it will show up there, but still it hadn't.

I'll go through the other stuff, and post another HijackThis log(?)

Thanks

**The links for smitRem and FixSQ are not working...but I found them another way***

Share this post


Link to post
Share on other sites

**The links for smitRem and FixSQ are not working...but I found them another way from BleepingComputer.com***

Thanks for letting me know. I'll mirror some here on Lunarsoft soon.

I forgot to mention, when you install avast you can do a custom install and not install the skins. :hello:

If the Uniblue is not a program that you currently use, I can help you remove it easily. If HijackThis fails to remove that entry, or it keeps coming back I'll let you know how we can fix it.

Share this post


Link to post
Share on other sites

I've done the above mentioned scans and stuff...

Roguescanfix got hung up at one point, but I managed to get it going somehow.

smitRem got going eventually too.

Don't know what to do with FixSQ.reg

I would like to get rid of Uniblue, yes.

Latest HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:57:21 PM, on 24/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

D:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\Explorer.EXE

D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

D:\QuickCam\LogiTray.exe

D:\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\LVCOMSX.EXE

D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

D:\QuickCam\FxSvr2.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

D:\HJThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe

O4 - HKLM\..\Run: [LogitechVideoRepair] D:\QuickCam\ISStart.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\QuickCam\ManifestEngine.exe boot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.msi.com.tw

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15026/CTSUEng.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169066930140

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su/ocx/15029/CTPID.cab

O20 - Winlogon Notify: awtst - C:\WINDOWS\

O20 - Winlogon Notify: jkkhefc - C:\WINDOWS\

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--

End of file - 6847 bytes

Looks like ...

O20 - Winlogon Notify: awtst - C:\WINDOWS\

O20 - Winlogon Notify: jkkhefc - C:\WINDOWS\

...are still hanging on for dear life hehehe

Share this post


Link to post
Share on other sites

With the reg file, you simply double click to merge it. Sorry about that. :hello:

Generated by Tarun's HijackThis Converter v0.50 Beta.

Default-color items are optional, red are known to be malicious.

Created registry value

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

Changed registry value

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Created registry value

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Enumeration of suspicious auto-loading registry entries

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\QuickCam\ManifestEngine.exe boot

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Extra IE context menu items

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Extra "Tools" menu items and buttons

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

Downloaded Program Files item

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys

O20 - Winlogon Notify: awtst - C:\WINDOWS\

O20 - Winlogon Notify: jkkhefc - C:\WINDOWS\

After removing these items, you will want to reboot your computer.

Have you noticed any change in your performance? Are you getting any errors or popups?

Share this post


Link to post
Share on other sites

I re-ran HijackThis and checked everything from your last post, then hit the "Fixed Checked" button and rebooted.

I still get the same memory errors as I've been getting for the last 3 months or so :(

Plus this new error...

"MOM.EXE" The application failed to initialize properly (0xc0000135). Click on OK to terminate the problem.

I ran HighjackThis and here's the latest log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:35:08 PM, on 24/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

D:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\QuickCam\LogiTray.exe

D:\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\LVCOMSX.EXE

D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

D:\QuickCam\FxSvr2.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\system32\Tablet.exe

D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Me\Desktop\HJThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe

O4 - HKLM\..\Run: [LogitechVideoRepair] D:\QuickCam\ISStart.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.msi.com.tw

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15026/CTSUEng.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169066930140

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su/ocx/15029/CTPID.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--

End of file - 5280 bytes

My computer does seem to boot up a lot faster though.

Share this post


Link to post
Share on other sites

I see those malicious entries of the Winlogon are gone. :hello:

The memory error you are having is about your ATI Catalyst Control Center. Do you have the .NET Framework installed? It will show up in your Control Panel.

You can go to Windows Update and download the Framework there if you need it. The redistributable packages can be found on Microsoft's Search. I would recommend using Windows Update if you can, as it will automate the process and make things much easier for you.

Should that not resolve the issue, you may wish to reinstall the ATI Catalyst Control Center. Here is a link to the ATI Driver Download. You would need to uninstall all of the ATI items, from the CCC to the display driver.

Share this post


Link to post
Share on other sites

I haven't been able to Update Windows at all since I've been getting the original error message (this is an example, when I open Windows Explorer, I get this --->) "explorer.exe - The instruction at "0x00401613" referenced memory at "0x00006678". The memory could not be "read". Click on OK to terminate the program" I get this error a lot, but different addresses. When I open Windows Explorer, try to update anything, including Avast and Windows ( I have to turn Auto updates for both off so that I'm not tormented by that error message all day). Even when I close a program, I get this error at times.

For a laugh, I tried to update Windows today, and it seemed to download the updates I needed and installed them, but I still got the error for something different than "upgrader.exe" that I usually get it for when I try to update Windows.

I have the .NET stuff also already.

I'll reinstall the ATI stuff to get rid of the new error though. (Done, and the MOM.EXE error is gone...thanks)

Share this post


Link to post
Share on other sites

Go into Dial-a-fix and click Tools (hammer icon).

At the bottom, you'll want to do the SFC Purge. Doing the purge first will clean out the cache which may contain malware or corrupt programs/dlls. After that, you'll do the SFC Scan.

Once that has completed, you'll close that and go back to the main DAF window. Click the green checkmark button and then click Go.

Share this post


Link to post
Share on other sites

Have you used any enhancements on your system? XPize is one such example.

Also, do you get any program crash errors where you can send the crash report to Microsoft?

Share this post


Link to post
Share on other sites

I haven't used any enhancements that I know of, escept for that Uniblue Registry Booster, which is now gone anyway.

I used to get the chance to send an error report when Panda got the message when it tried to update automatically, but I don't have that anymore either.

I do have a second hardddrive that is +200GB, so I did have to run software for Windows to recognise it, but I'm pretty sure I had installed that long before I started getting these errors.

I just tried to update Avast to get the errors, which both happened, errors and update, but no chance to send an error report.

Share this post


Link to post
Share on other sites

Start by removing Internet Explorer extensions, every toolbar (Yahoo, Google, Verizon, Earthlink, etc), Google desktop, things like that.

Also, to submit a crash log, please do this:

  • Start
  • Run
  • "%allusersprofile%\Application Data\Microsoft\Dr Watson"
    That is including the quotes.

Upload the user.dmp that's in there and we'll find the cause.

Share this post


Link to post
Share on other sites

Yes, I did get Windows updated, but this time got the memory error at a later stage for each item updated.

I don't use IE at all except to update Windows or my Motherboard, so I don't think there are any extensions associated with it other than what comes with it. I use Firefox, and it comes with Goggle Toolbar now, so I can't get rid of that(?), I have no ther addons or anything with Firefox.

The user.dmp is 1MB, how can I upload it, the max file size for here is 150K.

Share this post


Link to post
Share on other sites

That dump says explorer crashed because of an access violation caused by a stack overflow in normaliz.dll (part of IE) called from a program named Upgrader.exe, which I have to assume is another virus. Tarun can take it from here :hello:

Share this post


Link to post
Share on other sites

Ok, thanks.

I did a bit of research myself, and the first listings when I "Google" it, all relate to problems with Panda Antivirus....oh well...I've since switched to Avast, but I guess this Upgrade.exe is lingering hehehe

I'll wait patiently of course before I do anything to get myself into a possibly bigger mess :hello:

Ok, I couldn't wait...

I did some more research, and decided to remove IE7 from my machine. So far, I have had zero errors. Even when I open Windows Explorer, which used to guarantee the error, nothing, it opens fine.

Share this post


Link to post
Share on other sites

You can get rid of the Firefox Google Toolbar; I would recommend it, it causes all kinds of trouble. Firefox doesn't come with Google Toolbar if you download it directly from Mozilla, links to do so are on the front page of this site.

You don't need to re-install, though; Google Toolbar is just an extension, and you can uninstall it. Go to Tools > Add-ons, in the Extensions tab click on it and click "Uninstall". Press the "Restart" button at the bottom to complete the process.

Share this post


Link to post
Share on other sites

Squidolin, you may want to upload the upgrader.exe to VirusTotal to see what the online scanner says.

As for normaliz.dll, from what I was able to find, it's an Internet Explorer DLL that is "Unicode Normalization DLL, v6.0.5243.0". Possible solutions said to reinstall Internet Explorer.

Go ahead and see if you can use Windows Update fully and get all of the updates (omitting IE7). Then you may wish to wait a week or so before you update to IE7. :hello:

Share this post


Link to post
Share on other sites

I did a search of my harddrives, and couldn't find upgrader.exe. That was just using Start->Search. Is there another way?

I turned Auto Updates back on for Windows, and it found one for IE6. I figure if I don't need IE7 to update anything then I probably won't bother at all.

I couldn't find the link on the front page of this site, so I just went to www.mozilla.com and hit the download button for Firefox 2.0.0.5, which I have been using since it came out, and I still have the Google toolbar, and there's nothing listed in Tools->Add-ons.

Share this post


Link to post
Share on other sites

IE7 is recommended as it has a lot of fixes and added security, actually; but that is up to you.

As for the Google Toolbar, it should be listed in the Add-Ons section. The only other place where it might be coming from (though I remotely doubt it) is Add/Remove programs.

Optionally, you could do a clean install of Firefox. To do that you would Uninstall your current Firefox. Be sure your Mozilla Firefox directory in Program Files is deleted, along with your profile directory.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

×