Automatic Shutdown



Nick_R
2009-07-24, 03:41
Out of nowhere today, I got this little error message and after 60 seconds, my computer restarted. I haven't the slightest clue what is going on.


This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY/SYSTEM

Message
The system process 'C:/WINDOWS/system32/lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart.


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:41 PM, on 7/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\WPN111.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN111 Configuration Utility\WPN111.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154564335102
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {ED2E4BB5-60EA-4624-9DE2-998E441C699B} (OpenSiteInstall.opensite_install) - http://www.zuvio.com/OpenSiteInstall.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9387 bytes

Blade81
2009-07-24, 21:05
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
* Disable any script blocker, and then double-click dds.scr to run the tool.
* When done, DDS will open two (2) logs:
  * DDS.txt
  * Attach.txt
* Save both reports to your desktop. Post them back to your topic.


Download GMER (http://www.gmer.net) here by clicking the download exe button and then saving it to your desktop:
* Double-click the .exe that you downloaded.
* Click the rootkit tab and then scan.
* Don't check the Show All box while scanning is in progress!
* When scanning is ready, click Copy. This copies the log to the clipboard.
* Post the log in your reply.

Nick_R
2009-07-24, 22:32
1. DDS: It scanned but then I got an error saying that Symantec Script Blocker has stopped it from opening the logfile. Unfortunately, I cannot find Symantec Script Blocker on my system to disable it... ???

2. GMER:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-24 15:32:07
Windows 5.1.2600 Service Pack 3


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[212] GDI32.dll!Escape 77F26F5A 5 Bytes JMP 10001000 C:\WINDOWS\System32\wmfhotfix.dll
.text C:\Program Files\Canon\MyPrinter\BJMyPrt.exe[232] GDI32.dll!Escape 77F26F5A 5 Bytes JMP 10001000 C:\WINDOWS\System32\wmfhotfix.dll
.text C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe[268] GDI32.dll!Escape 77F26F5A 5 Bytes JMP 10001000 C:\WINDOWS\System32\wmfhotfix.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[284] GDI32.dll!Escape 77F26F5A 5 Bytes JMP 10001000 C:\WINDOWS\System32\wmfhotfix.dll
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[368] GDI32.dll!Escape 77F26F5A 5 Bytes JMP 10001000 C:\WINDOWS\System32\wmfhotfix.dll
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{38AE9EA3-F103-9F16-A792-ED2C16FB1CA2}\InprocServer32@ icmui.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{38AE9EA3-F103-9F16-A792-ED2C16FB1CA2}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{44A85F35-9CFA-15FF-785F-609CCB74362F}\InprocServer32@ C:\WINDOWS\System32\wbem\fastprox.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{44A85F35-9CFA-15FF-785F-609CCB74362F}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{5218F687-A38C-4622-C098-EDAB060EE2C7}\InprocServer32@InprocServer32 Hib]8n-}f(YR]eAR6.jiSpeechFiles>r3dhy{YVI?L1v(J^?,%X?
Reg HKLM\SOFTWARE\Classes\CLSID\{5218F687-A38C-4622-C098-EDAB060EE2C7}\ProgID@ Msasrx.MsasrUI.1
Reg HKLM\SOFTWARE\Classes\CLSID\{5218F687-A38C-4622-C098-EDAB060EE2C7}\VersionIndependentProgID@ Msasrx.MsasrUI
Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\InprocServer32@ C:\Program Files\Symantec\Web Tools\WTPlug.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\ProgID@ WTIntegratorPlugin.WTPluginFrame.1
Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\TypeLib@ {69A42F27-F847-40EC-A1AE-7D1EED36EE0D}
Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\VersionIndependentProgID@ WTIntegratorPlugin.WTPluginFrame
Reg HKLM\SOFTWARE\Classes\CLSID\{762B7873-4750-0CF6-4122-47DECAA221D6}\Implemented Categories\{C501EDBE-9E70-11D1-9053-00C04FD9189D}
Reg HKLM\SOFTWARE\Classes\CLSID\{762B7873-4750-0CF6-4122-47DECAA221D6}\InprocServer32@ C:\WINDOWS\System32\dxtmsft.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{762B7873-4750-0CF6-4122-47DECAA221D6}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{762B7873-4750-0CF6-4122-47DECAA221D6}\ProgID@ DXImageTransform.Microsoft.Iris.1
Reg HKLM\SOFTWARE\Classes\CLSID\{762B7873-4750-0CF6-4122-47DECAA221D6}\ToolBoxBitmap32@ C:\WINDOWS\System32\dxtmsft.dll,235
Reg HKLM\SOFTWARE\Classes\CLSID\{762B7873-4750-0CF6-4122-47DECAA221D6}\VersionIndependentProgID@ DXImageTransform.Microsoft.Iris
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\InProcServer32@ C:\WINDOWS\System32\dsdmo.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\InProcServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\ProgID@ Microsoft.DirectSoundCaptureNoiseSuppressDMO.1
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\VersionIndependentProgID@ Microsoft.DirectSoundCaptureNoiseSuppressDMO

---- EOF - GMER 1.0.15 ----

Blade81
2009-07-25, 00:30
Hi,

Are you able to reboot into safe mode? If yes, please try to run DDS there.

Nick_R
2009-07-25, 16:54
> Hi,
>
> Are you able to reboot into safe mode? If yes, please try to run DDS there.

I rebooted in safe mode and still got the script blocker error.

Here's what the beginning of the error message says:

Symantec Script Blocking has prevented a script action that could be harmful to you.

I've searched online to figure out how to disable or get rid of this alleged "Symantec Script Blocking" (which I didn't even know I had) but I haven't had any luck.

Blade81
2009-07-25, 16:59
Hi,

You have something Symantec related installed there, haven't you? Since you have AVG installed you won't need another antivirus protection running. Please uninstall Symantec related protection there.

Nick_R
2009-07-25, 20:53
> Hi,
>
> You have something Symantec related installed there, haven't you? Since you have AVG installed you won't need another antivirus protection running. Please uninstall Symantec related protection there.

That's the problem; I was never aware I had such a thing installed, and I cannot find an instance of it to uninstall. If it is on my system, it's hidden.

Can you identify its process? Perhaps if I can cancel the process in the Task Manager, I will be able to successfully run the scan and retrieve the logs.

Blade81
2009-07-26, 10:32
Hi,

Let's generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.

Nick_R
2009-07-29, 02:30
Here's the list:

ACDSee
Ad-Aware SE Personal
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player 11.5
Ahead Nero Burning ROM
Apple Software Update
ArcSoft PhotoStudio 5.5
AVG 8.5
Bonjour
Calendar Creator 7.0
Canon MP Navigator 3.0
Canon MP160
Canon MP160 User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint
CCleaner (remove only)
CloneCD
Diskeeper Home Edition
Easy CD & DVD Creator 6
Easy-WebPrint
Elecard MPEG 2 Player Version 1.35
EndItAll 2.0
EPSON Printer Software
FoneSync
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
iPod for Windows 2006-06-28
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_01
Java Web Start
Java(TM) 6 Update 3
Java(TM) 6 Update 5
LiveReg (Symantec Corporation)
Logitech MouseWare 9.79.1
Macromedia Flash Player 8
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync 4.0
Microsoft Office Standard Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.1)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
NETGEAR WPN111 Smart Wizard Wireless Utility
NSW_DRM_COLLECTION
PowerDVD
QuickTime
QuickTime for Windows (32-bit)
RapidInstall
RealPlayer
RTC Client API v1.2
S3 Gamma
S3 Savage4 Family Display Switch2 Utility
ScanSoft OmniPage SE 4.0
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
Symantec Script Blocking Installer
TI Connect 1.6
TreePrint
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Weather Services
WG111v2 Configuration Utility
Winamp (remove only)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows WMF Metafile Vulnerability HotFix 1.4
Windows XP Service Pack 3
WinISO 5.3


--

Symantec Script Blocking Installer is probably the key, but the issue is that that entry is not listed on the Add/Remove Programs page, but it is (obviously) listed in HJT. I'm not sure how to go about removing it.

Blade81
2009-07-29, 08:46
Hi,

If you reboot into safe mode (http://www.computerhope.com/issues/chsafe.htm#02) is the entry visible there?

If not, please try RevoUninstaller (http://www.revouninstaller.com/). Let me know how it goes.

Nick_R
2009-07-29, 17:33
Can the "Uninstall Command" provided by the HJT tool come in handy in any way?

If not, then I'll try the methods in your latest post.

Blade81
2009-07-30, 00:52
Hi,

Let's see if we can temporarily disable Script Blocker service.

Click start->run and write services.msc in the runbox. Find SBService on the list and double-click it. Change startup type to manual, click stop and then apply. Click ok to close the open windows.

See if you can run DDS after that service is disabled.
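The service name used in the post above can be read straight from the `O23` lines of the HijackThis log at the top of the thread. The following is an added example, not part of the original thread and not HijackThis's own code: it parses `O23` entries, searches them by keyword, and reports whether each service's executable also appears under "Running processes". The function names are hypothetical, and it assumes that a label without a parenthesised part serves as both display name and service name.

```python
import re
from ntpath import basename  # parses backslash paths on any platform

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# "O23 - Service: <label> - <vendor> - <drive>:\<path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<label>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)
# "<display name> (<service name>)"
LABEL_RE = re.compile(r"^(?P<display>.+) \((?P<short>[^()]+)\)$")


def running_images(log):
    """Lower-cased executable names listed under 'Running processes:'."""
    images, in_section = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section and not line:
            break  # a blank line ends the section
        elif in_section:
            images.add(basename(line).lower())
    return images


def parse_services(log):
    """Return one dict per O23 line: display, short, vendor, path, running."""
    running = running_images(log)
    services = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        label = LABEL_RE.match(m["label"])
        # Assumption: with no "(name)" part, the label is also the service name.
        display = label["display"] if label else m["label"]
        short = label["short"] if label else m["label"]
        services.append({
            "display": display,
            "short": short,
            "vendor": m["vendor"],
            "path": m["path"],
            # Compared by file name only, since the log mixes 8.3 and long paths.
            "running": basename(m["path"]).lower() in running,
        })
    return services


def find_services(log, keyword):
    """Services whose display name, service name or vendor contains keyword."""
    kw = keyword.lower()
    return [s for s in parse_services(log)
            if kw in " ".join((s["display"], s["short"], s["vendor"])).lower()]


if __name__ == "__main__":
    for svc in find_services(SAMPLE_LOG, "symantec"):
        print(svc["short"], "| running:", svc["running"], "|", svc["path"])
```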

Blade81
2009-08-07, 19:19
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.