Windows Explorer referenced memory not read
kitbeery
2006-09-17, 16:23
When I do a search or use the Explore function, I often get a dialog box "Windows Explorer has encountered a problem and needs to close" (with "We are sorry...", Debug, Send Error Report). At this point I need to go to Task Manager and end the non-responding Explorer process in order to get back to my desktop.
Sometimes I get a (related?) "Application error - explorer.exe - instruction @ 0x******** referenced memory @ 0x*********. The memory could not be read."
I believe this all started when I d/l'd a codec (last week, before the most recent sticky!). I have scanned w/ various programs, but recently the online scanners (I've tried many) and the d/l'd ewido scan hang up at a certain folder in My Documents. I've narrowed it down to a folder "Classical Music", and when I try to delete this folder (I can delete others), Explorer hangs up as above.
Other notes:
1)The partial ewido scan showed Downloader.Agent.uj, and numerous tracking cookies. It hung up when getting to the Classical Music folder.
2)Spybot in safe mode took 3 hours to scan and showed Pipas.A, which reoccurs after fixing.
3) Throughout these various scans I have had various & numerous files in System32 of the dm***.exe variety.
Fresh HijackThis log (P.S. the five O17 entries had been previously fixed in HJT, but I restored them for you to see):
Logfile of HijackThis v1.99.1
Scan saved at 6:03:46 AM, on 17-Sep-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://www3.ca.com
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23FEB6A9-DCE4-4755-B94D-2F7CC187FD9F}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{59E1A27A-34CE-4297-84DF-15D9461035AE}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BEDBDD1-D1DE-4AFE-8E25-930F21D7BB5A}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
Fixwareout:
Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
please post this at the forum
See next post for Kaspersky scan.
kitbeery
2006-09-17, 16:24
Kaspersky Online Scan - done previously, when the scan didn't hang up.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, September 14, 2006 6:22:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 15/09/2006
Kaspersky Anti-Virus database records: 223428
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 64514
Number of viruses found: 3
Number of infected objects: 18 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:17:57
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\LOGS\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_3091169423_1114112_37103 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_3091169423_917504_37100 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{75E7A539-2A86-4A91-ADCA-0629BC9281F8}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{96CF4FFF-B565-43A5-83D9-B4D9729FD351}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Alt Kit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Alt Kit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Alt Kit\ntuser.dat Object is locked skipped
C:\Documents and Settings\Alt Kit\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Mozilla\Firefox\Profiles\f068tw3a.default\history.dat Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Mozilla\Firefox\Profiles\f068tw3a.default\parent.lock Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED/[From "Communications" <Communications@mail.alpamail.org>][Date Fri, 5 Aug 2005 17:23:46 -0400]/UNNAMED/[From "Equifax" <Info@Equifax-mail.com>][Date Fri, 5 Aug 2005 19:24:30 -0400]/UNNAMED/[From HE ... /[From eBay Inc <custservice_id_5464151092287@ebay.com>][Date Sat, 06 Aug 2005 21:24:12 -0400]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED/[From "Communications" <Communications@mail.alpamail.org>][Date Fri, 5 Aug 2005 17:23:46 -0400]/UNNAMED/[From "Equifax" <Info@Equifax-mail.com>][Date Fri, 5 Aug 2005 19:24:30 -0400]/UNNAMED/[From Me73@aol.com][Date Sat, 6 Aug ... /[From Me73@aol.com][Date Sat, 6 Aug 2005 00:53:49 EDT]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED/[From "Communications" <Communications@mail.alpamail.org>][Date Fri, 5 Aug 2005 17:23:46 -0400]/UNNAMED/[From "Equifax" <Info@Equifax-mail.com>][Date Fri, 5 Aug 2005 19:24:30 -0400]/UNNAMED/[From Me73@aol.com][Date Sat, 6 Aug 2005 00:43:04 EDT]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED/[From "Communications" <Communications@mail.alpamail.org>][Date Fri, 5 Aug 2005 17:23:46 -0400]/UNNAMED/[From "Equifax" <Info@Equifax-mail.com>][Date Fri, 5 Aug 2005 19:24:30 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED/[From "Communications" <Communications@mail.alpamail.org>][Date Fri, 5 Aug 2005 17:23:46 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 7 skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Inbox.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Sent.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Templates.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\Local Folders\Trash.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\099d271c.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\28221a3e.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\Moose Dung - A Bushcraft Blog.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\SacBee -- Car Czar.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\SacBee -- Citrus Heights.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\SacBee -- Garden Detective.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\SacBee -- Gardening.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\SacBee -- George Will.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\SacBee -- Golf.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\SacBee -- Outbound.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\SacBee -- Outdoors.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\SacBee -- William F. Buckley.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\Mail\News & Blogs\Trash.msf Object is locked skipped
C:\Documents and Settings\Kit\Application Data\Thunderbird\Profiles\2xyq6i43.default\panacea.dat Object is locked skipped
C:\Documents and Settings\Kit\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Application Data\Mozilla\Firefox\Profiles\f068tw3a.default\Cache\FEBE472Cd01 Infected: Trojan-Clicker.HTML.IFrame.g skipped
C:\Documents and Settings\Kit\Local Settings\Application Data\Mozilla\Firefox\Profiles\f068tw3a.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Application Data\Mozilla\Firefox\Profiles\f068tw3a.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Application Data\Mozilla\Firefox\Profiles\f068tw3a.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Application Data\Mozilla\Firefox\Profiles\f068tw3a.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\History\History.IE5\MSHist012006091420060915\index.dat Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Temp\~DF119C.tmp Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kit\My Documents\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED/[From "Communications" <Communications@mail.alpamail.org>][Date Fri, 5 Aug 2005 17:23:46 -0400]/UNNAMED/[From "Equifax" <Info@Equifax-mail.com>][Date Fri, 5 Aug 2005 19:24:30 -0400]/UNNAMED/[From HE ... /[From eBay Inc <custservice_id_5464151092287@ebay.com>][Date Sat, 06 Aug 2005 21:24:12 -0400]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\My Documents\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED/[From "Communications" <Communications@mail.alpamail.org>][Date Fri, 5 Aug 2005 17:23:46 -0400]/UNNAMED/[From "Equifax" <Info@Equifax-mail.com>][Date Fri, 5 Aug 2005 19:24:30 -0400]/UNNAMED/[From Me73@aol.com][Date Sat, 6 Aug ... /[From Me73@aol.com][Date Sat, 6 Aug 2005 00:53:49 EDT]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\My Documents\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED/[From "Communications" <Communications@mail.alpamail.org>][Date Fri, 5 Aug 2005 17:23:46 -0400]/UNNAMED/[From "Equifax" <Info@Equifax-mail.com>][Date Fri, 5 Aug 2005 19:24:30 -0400]/UNNAMED/[From Me73@aol.com][Date Sat, 6 Aug 2005 00:43:04 EDT]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\My Documents\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED/[From "Communications" <Communications@mail.alpamail.org>][Date Fri, 5 Aug 2005 17:23:46 -0400]/UNNAMED/[From "Equifax" <Info@Equifax-mail.com>][Date Fri, 5 Aug 2005 19:24:30 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\My Documents\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED/[From "Communications" <Communications@mail.alpamail.org>][Date Fri, 5 Aug 2005 17:23:46 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\My Documents\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text/[From Me <Me@surewest.net>][Date Fri, 05 Aug 2005 13:23:16 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\My Documents\Mail\Local Folders\Inbox/[From "Me" <Me@airline.com>][Date Mon, 31 Jan 2005 11:23:57 -0800]/text Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Kit\My Documents\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 7 skipped
C:\Documents and Settings\Kit\ntuser.dat Object is locked skipped
C:\Documents and Settings\Kit\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP499\A0061438.exe Infected: Trojan-PSW.Win32.IcqSmiley.c skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP504\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\2005_OFFICE.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{83CA6C62-B092-4F65-A24C-D984C57EEF2F}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Media Ce.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\csbwl.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_700.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT0166c.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT01673.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
I await your instructions.
-Kit
kitbeery
2006-09-17, 18:12
But wait! There's more...
A new ewido scan of the My Documents folders stopped at the aforementioned "Classical Music" folder and gave an error:
"ewido anti-spyware 4.0 Exception: Something bad happened in the application. Error diagnostic file ewido.err saved to (the ewido folder)"
And then I got a Windows dialog box with
"ewido.exe has encountered a problem and needs to close. We are sorry for the inconvenience."
(Debug / Send Error Report / Don't Send)
Ewido.err file:
//==<ewido anti-spyware 4.0>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 00006570 <pages range base not found>
Exception Date: 09/17/2006 06:50:49
File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172
MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmp
Registers:
EAX:00000000
EBX:012F0000
ECX:7C91056D
EDX:37510003
ESI:7C80DDF5
EDI:00000095
CS:EIP:001B:00006570
SS:ESP:0023:04208F98 EBP:612E6F74
DS:0023 ES:0023 FS:003B GS:0000
Flags:00010246
Intel specific method
Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
00006570 612E6F74 <frame 612E6F74 not readable>
ImageHelp specific method
Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
00006570 04208F94 00000000 012F0000 00200008 04208FF8 <pages range base not found>
01490000 612E6F74 00000000 00000000 00000000 00000000 <module file name get failed with error 0 for module 01490000>
Loaded Modules:
Base Size Module
00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
7C900000 0B0000 5.01.2600.2180 C:\WINDOWS\system32\ntdll.dll
7C800000 0F4000 5.01.2600.2945 C:\WINDOWS\system32\kernel32.dll
76BF0000 00B000 5.01.2600.2180 C:\WINDOWS\system32\PSAPI.DLL
10000000 0E3000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\engine.dll
77F60000 076000 6.00.2900.2937 C:\WINDOWS\system32\SHLWAPI.dll
77DD0000 09B000 5.01.2600.2180 C:\WINDOWS\system32\ADVAPI32.dll
77E70000 091000 5.01.2600.2180 C:\WINDOWS\system32\RPCRT4.dll
77F10000 047000 5.01.2600.2818 C:\WINDOWS\system32\GDI32.dll
77D40000 090000 5.01.2600.2622 C:\WINDOWS\system32\USER32.dll
77C10000 058000 7.00.2600.2180 C:\WINDOWS\system32\msvcrt.dll
71AB0000 017000 5.01.2600.2180 C:\WINDOWS\system32\WS2_32.dll
71AA0000 008000 5.01.2600.2180 C:\WINDOWS\system32\WS2HELP.dll
76B40000 02D000 5.01.2600.2180 C:\WINDOWS\system32\WINMM.dll
7C9C0000 815000 6.00.2900.2951 C:\WINDOWS\system32\SHELL32.dll
76380000 005000 5.01.2600.2180 C:\WINDOWS\system32\MSIMG32.dll
763B0000 049000 6.00.2900.2180 C:\WINDOWS\system32\comdlg32.dll
773D0000 102000 6.00.2900.2180 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.dll
774E0000 13D000 5.01.2600.2726 C:\WINDOWS\system32\ole32.dll
71AD0000 009000 5.01.2600.2180 C:\WINDOWS\system32\WSOCK32.dll
76D60000 019000 5.01.2600.2912 C:\WINDOWS\system32\iphlpapi.dll
77C00000 008000 5.01.2600.2180 C:\WINDOWS\system32\VERSION.dll
5CD70000 007000 5.01.2600.0000 C:\WINDOWS\system32\serwvdrv.dll
5B0A0000 007000 5.01.2600.0000 C:\WINDOWS\system32\umdmxfrm.dll
771B0000 0A9000 6.00.2900.2937 C:\WINDOWS\system32\WININET.dll
77A80000 094000 5.131.2600.2180 C:\WINDOWS\system32\CRYPT32.dll
77B20000 012000 5.01.2600.2180 C:\WINDOWS\system32\MSASN1.dll
77120000 08C000 5.01.2600.2180 C:\WINDOWS\system32\OLEAUT32.dll
5AD70000 038000 6.00.2900.2180 C:\WINDOWS\system32\uxtheme.dll
74720000 04B000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
77B40000 022000 5.01.2600.2180 C:\WINDOWS\system32\appHelp.dll
76FD0000 07F000 2001.12.4414.0308 C:\WINDOWS\system32\CLBCATQ.DLL
77050000 0C5000 2001.12.4414.0258 C:\WINDOWS\system32\COMRes.dll
77A20000 054000 5.01.2600.2180 C:\WINDOWS\System32\cscui.dll
76600000 01D000 5.01.2600.2180 C:\WINDOWS\System32\CSCDLL.dll
77920000 0F3000 5.01.2600.2180 C:\WINDOWS\system32\SETUPAPI.dll
76980000 008000 5.01.2600.2751 C:\WINDOWS\system32\LINKINFO.dll
76990000 025000 5.01.2600.2180 C:\WINDOWS\system32\ntshrui.dll
76B20000 011000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL
5B860000 054000 5.01.2600.2952 C:\WINDOWS\system32\NETAPI32.dll
769C0000 0B3000 5.01.2600.2180 C:\WINDOWS\system32\USERENV.dll
605D0000 009000 5.01.2600.2180 C:\WINDOWS\system32\mslbui.dll
71A50000 03F000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
662B0000 058000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll
71A90000 008000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
76F20000 027000 5.01.2600.2938 C:\WINDOWS\system32\DNSAPI.dll
76FB0000 008000 5.01.2600.2180 C:\WINDOWS\System32\winrnr.dll
76F60000 02C000 5.01.2600.2180 C:\WINDOWS\system32\WLDAP32.dll
76FC0000 006000 5.01.2600.2938 C:\WINDOWS\system32\rasadhlp.dll
75F80000 0FD000 6.00.2900.2937 C:\WINDOWS\system32\browseui.dll
77760000 170000 6.00.2900.2937 C:\WINDOWS\system32\shdocvw.dll
754D0000 080000 5.131.2600.2180 C:\WINDOWS\system32\CRYPTUI.dll
76C30000 02E000 5.131.2600.2180 C:\WINDOWS\system32\WINTRUST.dll
76C90000 028000 5.01.2600.2180 C:\WINDOWS\system32\IMAGEHLP.dll
71B20000 012000 5.01.2600.2180 C:\WINDOWS\system32\MPR.dll
75F60000 007000 5.01.2600.2180 C:\WINDOWS\System32\drprov.dll
71C10000 00E000 5.01.2600.2180 C:\WINDOWS\System32\ntlanman.dll
71CD0000 017000 5.01.2600.2180 C:\WINDOWS\System32\NETUI0.dll
71C90000 040000 5.01.2600.2180 C:\WINDOWS\System32\NETUI1.dll
71C80000 007000 5.01.2600.2180 C:\WINDOWS\System32\NETRAP.dll
71BF0000 013000 5.01.2600.2180 C:\WINDOWS\System32\SAMLIB.dll
75F70000 009000 5.01.2600.2180 C:\WINDOWS\System32\davclnt.dll
75970000 0F7000 5.01.2600.2180 C:\WINDOWS\system32\MSGINA.dll
76360000 010000 5.01.2600.2180 C:\WINDOWS\system32\WINSTA.dll
74320000 03D000 3.525.1117.0000 C:\WINDOWS\system32\ODBC32.dll
20000000 017000 3.525.1117.0000 C:\WINDOWS\system32\odbcint.dll
77FE0000 011000 5.01.2600.2180 C:\WINDOWS\system32\Secur32.dll
05060000 2C5000 5.01.2600.2180 C:\WINDOWS\system32\xpsp2res.dll
73BA0000 013000 5.01.2600.2180 C:\WINDOWS\system32\sti.dll
74AE0000 007000 5.01.2600.2180 C:\WINDOWS\system32\CFGMGR32.dll
73D70000 013000 6.00.2900.2180 C:\WINDOWS\system32\shgina.dll
40000000 079000 5.02.3790.3646 C:\WINDOWS\system32\audiodev.dll
09980000 23F000 10.00.0000.4332 C:\WINDOWS\system32\WMVCore.DLL
070E0000 03B000 10.00.0000.4332 C:\WINDOWS\system32\WMASF.DLL
593F0000 092000 5.01.2600.2180 C:\WINDOWS\system32\wiashext.dll
4EC50000 1A3000 5.01.3102.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
59A60000 0A1000 5.01.2600.2180 C:\WINDOWS\system32\DBGHELP.DLL
It seems there's something about that "Classical Music" folder that Windows doesn't like. As soon as I access it through scanners, Explore, or Search, or delete it (when I get that far), the Explorer problem occurs.
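Two questions a responder asks of a record like the ewido.err above, before deciding whether a scanner crash on one folder is a plain bug or something to preserve for the vendor: does the faulting EIP fall inside any loaded module, and do any register values look like file-derived bytes rather than pointers? The Python below is an added example, not code from the thread or from ewido; the function names are mine. It parses an excerpt of the dump posted above (the module table is shortened to four entries) and reports both. On these values EIP = 0x00006570 lies below every module base, ECX and ESI still point into ntdll.dll and kernel32.dll, and the saved frame pointer EBP = 0x612E6F74 decodes in memory order to the printable bytes "to.a", which is why the call stack reports "frame 612E6F74 not readable".

```python
"""Triage of a user-mode crash record like the ewido.err posted above.

Added example, not code from the thread or from ewido. The dump text is an
excerpt of the posted ewido.err with the module table cut to four entries.
"""
import re
import struct

# Excerpt of the ewido.err above (module list shortened).
EWIDO_ERR = r"""
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 00006570 <pages range base not found>
Registers:
EAX:00000000
EBX:012F0000
ECX:7C91056D
EDX:37510003
ESI:7C80DDF5
EDI:00000095
CS:EIP:001B:00006570
SS:ESP:0023:04208F98 EBP:612E6F74
DS:0023 ES:0023 FS:003B GS:0000
Flags:00010246
Loaded Modules:
Base Size Module
00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
7C900000 0B0000 5.01.2600.2180 C:\WINDOWS\system32\ntdll.dll
7C800000 0F4000 5.01.2600.2945 C:\WINDOWS\system32\kernel32.dll
10000000 0E3000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\engine.dll
"""

# "EAX:00000000", "CS:EIP:001B:00006570" and "SS:ESP:0023:04208F98" all match;
# the optional group swallows a selector such as 001B: when one is printed.
REG_RE = re.compile(
    r"\b(EAX|EBX|ECX|EDX|ESI|EDI|EBP|ESP|EIP):(?:[0-9A-F]{4}:)?([0-9A-F]{8})\b"
)
# Rows of the "Loaded Modules" table: base, size, version, path (path may contain spaces).
MOD_RE = re.compile(r"^([0-9A-F]{8}) ([0-9A-F]{6}) (\S+) (.+)$")


def parse_registers(text):
    """Return {name: int} for the general-purpose registers and EIP."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_modules(text):
    """Return [(base, size, path)] from the 'Loaded Modules' table."""
    mods, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Loaded Modules:"):
            in_table = True
            continue
        m = MOD_RE.match(line.strip()) if in_table else None
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(4)))
    return mods


def module_for(addr, modules):
    """Path of the module whose image range [base, base+size) contains addr, else None."""
    for base, size, path in modules:
        if base <= addr < base + size:
            return path
    return None


def as_ascii(value):
    """The register's four bytes in memory (little-endian) order if all are printable, else None."""
    raw = struct.pack("<I", value)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def triage(text):
    """Where EIP landed, which registers still point into code, which look like data."""
    regs = parse_registers(text)
    mods = parse_modules(text)
    in_module = {n: module_for(v, mods) for n, v in regs.items()}
    printable = {n: as_ascii(v) for n, v in regs.items()}
    return {
        "eip": regs["EIP"],
        "eip_module": in_module["EIP"],            # None: EIP is in unmapped memory
        "register_modules": {n: p for n, p in in_module.items() if p},
        "ascii_registers": {n: s for n, s in printable.items() if s},
    }


if __name__ == "__main__":
    for key, value in triage(EWIDO_ERR).items():
        print(f"{key}: {value!r}")
```

A frame pointer made of printable bytes and an EIP in unmapped low memory are what an overwritten stack frame looks like from the outside. The dump alone does not say whether the trigger is a malformed file in that folder or an engine bug, which is why a practitioner copies the folder contents for the vendor (without opening them) before deleting, rather than treating the crash as noise.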
LonnyRJones
2006-09-17, 21:46
Hello
Delete all saved, stored or sent emails in Thunderbird and Outlook
For this error
Check for missing files
....
C:\WINDOWS\system32\AUTOEXEC.NT not there
Go here and use the fix for your particular system:
fixautont.html: http://www.tech-forums.net/computer/topic/29806.html
Then run Fixwareout again and post its report.
kitbeery
2006-09-18, 19:40
Brute Force Uninstaller! Wow, that was interesting...
Here's the new log. BTW, 2006-09-10 was the day I stupidly d/l'd that bad(?) codec.
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3085D0F4808F-0488-BCB4-0A02-6C288291{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\utymd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1trap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmytu.exe"=-
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSIWG.EXE 51,769 2006-09-10
C:\WINDOWS\SYSTEM32\DMYTU.EXE 62,022 2004-08-10
Other suspects.
Directory of C:\WINDOWS\system32
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
LonnyRJones
2006-09-18, 20:12
Delete those two files
C:\WINDOWS\SYSTEM32\CSIWG.EXE
C:\WINDOWS\SYSTEM32\DMYTU.EXE
Close all browsers, start HijackThis and place a check next to these items.
O17 - HKLM\System\CCS\Services\Tcpip\..\{23FEB6A9-DCE4-4755-B94D-2F7CC187FD9F}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{59E1A27A-34CE-4297-84DF-15D9461035AE}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BEDBDD1-D1DE-4AFE-8E25-930F21D7BB5A}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
====================================
Hit Fix checked and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note:
If you have connection problems, or those O17's (85.255.114.74 85.255.112.61) return:
Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the Properties screen and reboot if it asks.
Are there any current problems or questions ?
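The five O17 lines fixed above all carry the same two resolvers on every interface GUID, on the global Tcpip\Parameters key, and in ControlSet001 (CS1) as well as CurrentControlSet (CCS). A hand-edited setting does not look like that; a DNS changer does, and it is why the instructions also cover resetting the adapter to obtain DNS automatically if the entries come back. The Python below is an added example, not part of the thread or of HijackThis; the function names are mine. It parses O17 lines copied from the log above, plus one constructed benign entry and one non-O17 line to show it is ignored, and flags any NameServer that is not in an allowlist. The allowlist (EXPECTED_RESOLVERS) is an assumption standing in for whatever the ISP or router actually hands out; on a real box fill it from ipconfig /all on a known-clean machine on the same network.

```python
"""Audit HijackThis O17 (NameServer) entries against an allowlist.

Added example; not code from the thread or from HijackThis. The O17 lines
are copied from the log posted above, plus one constructed benign entry and
one O4 line to show that non-O17 lines are ignored.
"""
import ipaddress
import re
from collections import Counter

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{23FEB6A9-DCE4-4755-B94D-2F7CC187FD9F}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{59E1A27A-34CE-4297-84DF-15D9461035AE}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BEDBDD1-D1DE-4AFE-8E25-930F21D7BB5A}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""
# The last O17 line above is constructed (a benign router resolver); the rest are from the log.

# Assumption (hypothetical): the resolvers this network legitimately hands out.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Control set (CCS = CurrentControlSet, CS1 = ControlSet001), scope
# (..\{interface GUID} or the global Parameters key), then the server list.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(CCS|CS\d+)\\Services\\Tcpip\\(.+?): NameServer = (.+)$"
)


def parse_o17(text):
    """One dict per O17 NameServer line: control set, scope, list of server IPs."""
    entries = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # O2/O4/... lines and O17 Domain= entries are out of scope here
        control_set, scope, servers = m.groups()
        # Per-interface values are comma-separated, the global value is
        # space-separated in this log; accept either.
        ips = [s for s in re.split(r"[,\s]+", servers) if s]
        entries.append({"control_set": control_set, "scope": scope, "servers": ips})
    return entries


def audit(text, expected):
    """Summarise NameServer values that are not in the allowlist."""
    entries = parse_o17(text)
    unexpected = Counter()
    keys_hit = 0
    control_sets = set()
    for e in entries:
        bad = [ip for ip in e["servers"] if ip not in expected]
        if bad:
            keys_hit += 1
            control_sets.add(e["control_set"])
            unexpected.update(bad)
    return {
        "entries": len(entries),
        "keys_with_unexpected": keys_hit,
        "unexpected": dict(unexpected),
        "control_sets": sorted(control_sets),
        # The same unexpected servers on several keys and in more than one
        # control set is the footprint of a DNS changer, not a typo.
        "looks_like_dns_changer": keys_hit >= 2 and len(control_sets) > 1,
        # Public (non-RFC1918, non-loopback) resolvers you did not configure
        # are the ones that can silently redirect every lookup off-network.
        "public_resolvers": sorted(
            ip for ip in unexpected if ipaddress.ip_address(ip).is_global
        ),
    }


if __name__ == "__main__":
    for key, value in audit(HJT_SAMPLE, EXPECTED_RESOLVERS).items():
        print(f"{key}: {value}")
```

The pair in this log, 85.255.114.74 and 85.255.112.61, falls in 85.255.112.0/20, one of the rogue resolver ranges the FBI later published in the DNSChanger (Operation Ghost Click) takedown. The audit deliberately reports both control sets: fixing only CurrentControlSet leaves the values in ControlSet001, where a "Last Known Good" boot would restore them.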
kitbeery
2006-09-18, 20:57
OK, accomplished all the above, and PC is fixed. Never could have done it without you. Thanks so much.
This case is closed!
LonnyRJones
2006-09-18, 21:37
Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
Surf safe
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Glad we could help. :)