Hi all for some reason spybot runs very slow. I done a virus scan using Panda and also used ad-aware. when spybot finishes it says everything is okay.

And also, When I first start up my system and the windows welcome screen comes on for a couple of seconds, another little screen pops up after the welcome screen comes on, there are some funny symbols up in the top left side of the box. If you right click on the symbols, there is a list of options, most are unicode options, what ever that is. I am going to try to attach a picture of the screen and my HJT log. This screen goes away after a couple of min. and my computer carries on booting up. I just dont know what to do . any help would be very nice and thank you in advance.

Logfile of HijackThis v1.99.1
Scan saved at 3:17:59 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Lee\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Program Files 2\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138726036637
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DD3379A-FEEE-411C-B28A-69CAFDBB94CC}: NameServer = 85.255.115.60 85.255.112.136
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Welcome to the forum, If you still need help and are not receiving it elsewhere, please follow these directions.

1) Thanks to LonnyRJones and any others who helped with this fix.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

(hold those logs until we complete the instruction)

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DD3379A-FEEE-411C-B28A-69CAFDBB94CC}: NameServer = 85.255.115.60 85.255.112.136

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the C:\fixwareout\report.txt, a new HJT log and let me know how the computer is running now.

Thanks

C:\Program Files\Java\jre1.5.0_06\ <<< please check your Java program for an update, this is a security issue, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Hi and thanks for the quick reply. I downloaded fixwareout but I am unable to run it, it comes up with an error ( unable to execte C\fixwareout\fixit.bat code 1155 shellexecute failed ) I do have the latest java installed. any ideas?

Try deleting all of what you downloaded and download it again. Then try again. It is important that we get that fix to run.

I would like you to post any information or error messages "exactly" as they occur, we may need to ask the creator of the fix to look at them.

Thanks

Hi again. I deleted the program a couple of times but it still does not work. I will show you exactly what it says ( I can't copy and paste the error box)

Setup

Unable to execute file:
C:\fixwareout\fixit.bat

ShellExecuteEx failed; code 1155
No application is associated with the specified file for this operation

OK

and also when i go to run the program from the desktop it keeps installing it over and over again.

Thanks

Thanks for that feedback, I am getting information from the creator of the fix. If he should he need to post to this topic, please follow his directions. It will probably be tomorrow sometime before we hear from him.

Thanks

Its probably just an association problem

Batch File Association Fix (Restore the default associations for BAT files)
http://www.dougknox.com/xp/file_assoc.htm
Download/save that zip, extract the file inside to your desktop
Double click on batch_file_assoc.reg and answer yes to the prompts, you should see a succeed message, did you ?

Delete fixwareout.exe, open this folder and run fixit.bat c:\fixwareout\fixit.bat

Is this sililur to what your seeing before windows starts ?
http://forums.spybot.info/showthread.php?p=44013#post44013

Hi . and thanks for the reply, after I downloaded that batch file fix and try to open it. windows wants to know what program created it, in order to open it. not sure what to do to open it.

Is this similur to what your seeing before windows starts ?
http://forums.spybot.info/showthread.php?p=44013#post44013

Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


::xp only
ftype regfile=regedit.exe "%%1"
ftype batfile="%%1" %%*
ftype exefile > look.txt
ftype htafile >> look.txt
ftype cmdfile >> look.txt
ftype comfile >> look.txt
ftype batfile >> look.txt
ftype regfile >> look.txt
start notepad look.txt

Run check.bat and post back with the text that will open

Now try running fixit.bat again.

Hi me again :) the screen that pops up is like the one that you had me look at, except the symbols do change, and when I right click on it it has something to do with unicode.

I cut and paste the bat file in notepad and named it check.bat then selected all files and saved it to the desktop. When I double click on it nothing happens. does it matter what the encoding box selection is when it is saved?

Lets try this method
Open a command prompt (start run type cmd press enter) type
ftype regfile=regedit.exe "%%1"
press enter, type in
ftype batfile="%%1" %%*
press enter, type exit and press enter to exit the command prompt

Hi I tried to run the cmd command in the run window but it will not work. so itried the command prompt in accesories and put it in there, I typed it in different ways but it didnt work. I also tried to boot in safe mode and tried it there, after booting in safe mode with command prompt. am I doing something wrong or is it just screwed up that bad? thanks for the help also:D:

Lets try UnHookExec.inf
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2004-050614-0532-99

I installed the file you asked me to, now what should I do?

Ok, now continue with the instructions in post two
http://forums.spybot.info/showpost.php?p=45633&postcount=2

I really ........ hate to say this, but I still get the same error message that I had when I first installed the fixwareout program. :eek:

Odd
Download then install avg antirootkit
http://fileforum.betanews.com/detail/AVG_AntiRootkit/1154697799/1
fallow the prompts to restart your pc then run the program and do an indepth search, when its finished press save results and post it in your next reply.

Also a kaspersky online scan
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.
We dont need to see item's listed as "Object is locked skipped" so edit those out.
We do not need to see items reported that are in an antivirus quorantine folder.

Hi and thanks for the reply. here are the results of the 2 scans. If there is that many viruses why wouldn't norton or panda pick them up?

Friday, October 13, 2006 12:27:26 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/10/2006
Kaspersky Anti-Virus database records: 231516


Scan Settings
Scan using the following antivirus database
extended
Scan Archives
true
Scan Mail Bases
true

Scan Target
My Computer
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics
Total number of scanned objects
38357
Number of viruses found
11
Number of infected objects
48 / 0
Number of suspicious objects
0
Duration of the scan process
00:28:41


Infected Object Name
Virus Name
Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
Object is locked
skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
Object is locked
skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat
Object is locked
skipped

C:\Documents and Settings\JW\Cookies\index.dat
Object is locked
skipped

C:\Documents and Settings\JW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\JW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\JW\Local Settings\History\History.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\JW\Local Settings\History\History.IE5\MSHist012006101320061014\index.dat
Object is locked
skipped

C:\Documents and Settings\JW\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\JW\NTUSER.DAT.LOG
Object is locked
skipped

C:\Documents and Settings\LocalService\Cookies\index.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG
Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG
Object is locked
skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll
Object is locked
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\AVApp.log
Object is locked
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\AVError.log
Object is locked
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\AVVirus.log
Object is locked
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\07C2180D.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0B1B1818.class
Infected: Trojan-Downloader.Java.OpenConnection.aj
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0E2D0A65.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\123B6A14.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\153B0139.wmf
Infected: Exploit.Win32.IMG-WMF.c
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1556511C.zip/GetAccess.class
Infected: Trojan.Java.ClassLoader.c
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1556511C.zip/InsecureClassLoader.class
Infected: Exploit.Java.ByteVerify
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1556511C.zip/Dummy.class
Infected: Trojan.Java.ClassLoader.Dummy.a
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1556511C.zip/Installer.class
Infected: Trojan-Downloader.Java.OpenConnection.v
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1556511C.zip
ZIP: infected - 4
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1556511C.zip
CryptFF: infected - 4
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\16C75BE6.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\25250377.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2C455573.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\32A66818.class
Infected: Trojan-Downloader.Java.OpenConnection.aj
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3A86796B.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3C251343.wmf
Infected: Trojan-Downloader.Win32.Agent.acd
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3C251343.zip/BlackBox.class
Infected: Exploit.Java.ByteVerify
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3C251343.zip/VerifierBug.class
Infected: Exploit.Java.ByteVerify
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3C251343.zip/Beyond.class
Infected: Trojan-Downloader.Java.OpenConnection.aa
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3C251343.zip
ZIP: infected - 3
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3C251343.zip
CryptFF: infected - 3
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3C56090D.class
Infected: Trojan.Java.ClassLoader.h
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\45844617.wmf
Infected: Exploit.Win32.IMG-WMF.c
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\459E15FA.zip/GetAccess.class
Infected: Trojan.Java.ClassLoader.c
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\459E15FA.zip/InsecureClassLoader.class
Infected: Exploit.Java.ByteVerify
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\459E15FA.zip/Dummy.class
Infected: Trojan.Java.ClassLoader.Dummy.a
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\459E15FA.zip/Installer.class
Infected: Trojan-Downloader.Java.OpenConnection.v
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\459E15FA.zip
ZIP: infected - 4
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\459E15FA.zip
CryptFF: infected - 4
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49E73143.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49E73143.wmf
Infected: Trojan-Downloader.Win32.Agent.acd
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49EA5B3F.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49F12F38.class
Infected: Trojan.Java.ClassLoader.h
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49F12F38.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49FE572A.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49FE572A.wmf
Infected: Trojan-Downloader.Win32.Agent.acd
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4A08551F.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\509807DF.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5C8F39E5.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5EDD75C6.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\61507434.class
Infected: Trojan-Downloader.Java.OpenConnection.aj
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\63483A5B.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\681F75E3.class
Infected: Trojan.Java.ClassLoader.d
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\681F75E3.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6F086DA6.class
Infected: Trojan.Java.ClassLoader.d
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7C904056.class
Infected: Trojan-Downloader.Java.OpenConnection.aj
skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7F406DE1.htm
Infected: Exploit.JS.CVE-2005-1790.j
skipped

C:\RECYCLER\NPROTECT\NPROTECT.LOG
Object is locked
skipped

C:\System Volume Information\MountPointManagerRemoteDatabase
Object is locked
skipped

C:\System Volume Information\_restore{400D178A-159C-4667-9E13-E2A5AE7F09E4}\RP9\change.log
Object is locked
skipped

C:\Temporary Internet Files\Content.IE5\index.dat
Object is locked
skipped

C:\WINDOWS\Debug\PASSWD.LOG
Object is locked
skipped

C:\WINDOWS\SchedLgU.Txt
Object is locked
skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
Object is locked
skipped

C:\WINDOWS\Sti_Trace.log
Object is locked
skipped

C:\WINDOWS\system32\CatRoot2\edb.log
Object is locked
skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb
Object is locked
skipped

C:\WINDOWS\system32\config\AppEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\default
Object is locked
skipped

C:\WINDOWS\system32\config\default.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SAM
Object is locked
skipped

C:\WINDOWS\system32\config\SAM.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SecEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\SECURITY
Object is locked
skipped

C:\WINDOWS\system32\config\SECURITY.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\software
Object is locked
skipped

C:\WINDOWS\system32\config\software.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SysEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\system
Object is locked
skipped

C:\WINDOWS\system32\config\system.LOG
Object is locked
skipped

C:\WINDOWS\system32\h323log.txt
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Object is locked
skipped

C:\WINDOWS\wiadebug.log
Object is locked
skipped

C:\WINDOWS\wiaservc.log
Object is locked
skipped

C:\WINDOWS\WindowsUpdate.log
Object is locked
skipped

AVG scan

Scan process completed.

c:\WINDOWS\Prefetch\CSJCH.EXE-152DE4D1.pf Hidden file
c:\WINDOWS\Prefetch\DMYYA.EXE-06F84269.pf Hidden file
c:\WINDOWS\system32\cszcq.exe Hidden file
c:\WINDOWS\system32\dmuqk.exe Hidden file

Scan with that avg tool , when it is finished put a check next to those items and have it remove them, it will need to reboot the PC, let it.

after windows has loaded
Download (save) not open
REG File Association Fix (Restore default associations for REG files)
and
Batch File Association Fix (Restore the default associations for BAT files)
to your desktop
http://www.dougknox.com/xp/file_assoc.htm
extract the file's inside both , put them in c:\ for easy access
go start run type in
regedit
press enter
Important, ensure my computer is hilighted
go file import browse to xp_regfile.reg and choose open, close regedit.
once regedit is closed (IT MUST BE CLOSED)double click on batch_file_assoc.reg , you should see a sucessfull message, did you ?
open the c:\fixwareout\findt folder and double click on findt.bat, which should make a report.txt in the same folder, post that.

OK here is the txt report it generated. thanks again:)

Good

run C:\fixwareout\fixit.bat fallow the prompts
let me know if you see any errors

I ran fixit.bat and followed the prompts. it shut down my computer and rebooted and did a scan and then asked me to submit the report it made with a new Hijack this log.

ixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F198C2E1EAB4-D868-C2A4-9F76-F13BB110{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\kqumd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmuqk.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

Logfile of HijackThis v1.99.1
Scan saved at 9:05:35 PM, on 10/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Lee\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Program Files 2\HiJack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138726036637
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" tmp01.txt
reg export "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system" tmp02.txt


Run check.bat then attach (not post) tmpo1.txt and tmp02.txt to a new reply please.

here are the results of running check.bat had to post it in two different posts.

I cannot post the first file it exceeds the post limit did you want me to copy and paste?

edit out everything except for these two lines
"legalnoticecaption"=""
"legalnoticetext"=""
and attach or post that

I 'm not sure what you needed me to do in your last post, but I seperated the 1st report into 2 files and it is letting me attach it that way, hope this is what you needed. can't understand why it done that. the file size was 22 and the limit is 19 but it let me post it this way ? I checked it to make sure everything was there.:red:

Thats fine, unfortunatly im not seeing what we ecpected.


Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


@echo off
echo this make take a few minutes
reg save "HKEY_LOCAL_MACHINE\SOFTWARE" %systemdrive%\one.hiv
PING 1.1.1.1 -n 1 -w 1000 >NUL
reg save "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" %systemdrive%\two.hiv
PING 1.1.1.1 -n 1 -w 1000 >NUL
echo Finished
pause & exit

Run check.bat then put both c:\one.hiv and c:\two.hiv in a zip and send them to me
Send it to submitlonnyATsubratam.org
Replace AT with @

Hi

Do you have any idea when the odd startup screen started ?
If so what program or website do you suspect ?
Are there any other problems or symtoms ?
Do you see the odd startup screen when starting into safe mode ?

I want to be sure the basic assosiations are fixed
Download and use "INF File Association Fix (Restore the default assocation for INF files)"
http://www.dougknox.com/xp/file_assoc.htm
Then download and right-click install UnHookExec.inf again
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2004-050614-0532-99

Are you familur with the windows event viewer ?
control panel > administrator tools > even viewer
For now rightclick on each one at a time and choose clear all events
application
security
system
Then we can go back in a day or two and look for errors and warnings

Create a hijackthis uninstall list
Start HiJackThis
Press 'Config'
Press 'Misc Tools'
Press 'Open Uninstall Manager'
Press 'Save List'
Save the log to a convenient location
Copy the log and post its contents in this thread

I do not remember when it first started doing it, but it has been for quite some time. I am not the only one that uses this computer so not sure about the rest. Ive done what you requested and will post the results from Hijack this. Thanks again:D:

Is anything on that list recent or unfamilur to you or the other users ?

Is the pc on a network ?

Go start > settings > control panel > administrator tools > event viewer
any errors or warnings ? if so go action save log as , save as tab delimited *.txt, save it somewhere and attach it, do that for each catogory that has error's or warnings

If it is an XP pro PC ?
Go start > settings > control panel > administrator tools >computer managment > local security policies > security Options >
under each of these
interactive logon: Message Text for users attempting to logon
interactive logon: Message Title for users attempting to logon
Double-click on each, what do you see there ?

Here are the results. I have a question. is it alright to run norton file fix or any other programs at this time or should I wait? I did run norton fix and it came up with a lot of errors but didn't do anything about it. don't want to screwup anything you have done.

Sorry I didn't post this in the other one. but I do have xp Pro and I did find the 2 files you wanted me to check, they were not exactly where you said, maybe different version. anyway there wasn't anything when I double clicked on them they were blank. hope this helps

What exactly is norton file fix ?

Hold off running any fix utilitys except for virus and antispyware scan's

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


Windows Registry Editor Version 5.00
;
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=-
"LegalNoticeText"=-
"system"=-
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"system"=""
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Restart your PC.

Did that odd logon screen still appear ?

The screen did not appear, thanks for the help. should I delete all the things that you asked me to download like check.bat, avg antiroot, and Atf cleaner or should I run any of them. And what do you think of Registry mechanic and CCleaner?

Fantastic

As far as i know atfcleaner and CCleaner are about the same, I suggest keeping atf cleaner
and avg antiroot
I'm not familiar with reg mechanic, i generally dont recommend using reg cleaners.

You can delete fixwareout.exe and its folder c:\fixwareout folder
UnHookExec.inf, the bat, reg and txt files we made arent needed now, delete them.

I would like to thank you for all the help. your one of the best at what you do. Where others have failed or just gave up you persisted and came through, hats off to you.:crowned: thanks again

Im Glad we could help. it was a community effort.

Im curious where else you posted for help ?

Hi, sorry it took so long to answer. I don't really want to say where else I posted my problem. Don't like to bash or discredit other sites. But one thing I will say is that it is one of the more popular downloading and help sites on the net. Thanks again.;)

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help.