View Full Version : SSODL: Excohico - Is this a problem?
This may sound silly because I really have no reason to suspect I have a problem except that I ran a HijackThis log recently and found something on it I hadn't seen before. I suppose it could be the result of some new software I installed but I'm just not sure.
Here is my log with the line in question in red:
Logfile of HijackThis v1.99.1
Scan saved at 11:24:19 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\AuntysPie\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.warrenhills.org/hshome.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C941A6E-BC62-4D59-97D3-FB5372F4B1CC} (MediaCaptureControl Class) - http://betajournal.comcast.net/resources/VibeJournalControls.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159373734627
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
O21 - SSODL: Excohico - {E2C6F7B9-46F6-4D78-AC34-D1BB6BA2E143} - C:\WINNT\system32\mp3elmic.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Now I really don't have any other indication that there is a problem other than I just don't ever remember seeing this in one of my logs before so it could very well be legit. I also did just install some new software (Spector Pro version 6.0) so maybe it's simply something needed by that program.
Of course if someone here recognizes this as a threat I'd like to know.
Please let me know what you think. You folks here are always so helpful.
Cindylu
pskelley
2006-10-31, 12:49
Hi Cindylu, welcome back. You are running MSConfig in Selective Startup mode, so I do not know what I am not seeing. You need to post HJT logs in Normal Mode in MSConfig.
I don't like the looks of this one, know what it is? O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) - there is nothing at CastleCops on the CLSID number: http://www.castlecops.com/ActiveX.html
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing) May or may not still be active, the (file missing) could be a glitch in HJT
Nothing at Google looks good when this item is present:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=wvuss%2edll+
O21 - SSODL: Excohico - {E2C6F7B9-46F6-4D78-AC34-D1BB6BA2E143} - C:\WINNT\system32\mp3elmic.dll
Nothing at CastleCops: http://www.castlecops.com/O21.html nothing at Google when searching for the file.
I think they are both bad, but to be sure use one or more of these free online scanners to find out:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Post a new HJT log with everything enabled in MSConfig and the information about these two items.
Thanks
Hi pskelly,
I appreciate your helping me with this.
First, regarding the O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) This appeared on my hjt log back in March 2006. I was working with Shelflife here at the time trying to remove vundo from my computer and I had been running a number of hjt logs. While I was gettingn everything squared away, I decided to update java since I hadn't done that before and I got the information on how to do that from one of the boards here.
After I uninstalled my old version and installed the updated version of java, that 016 file showed up. I'm not sure why but because of all the hjt logs I was running at the time I can tell exactly when it showed up and it was right when I changed to the new java version.
The other file wvuss.dll which is says it is "missing" in the registry key is leftover from vundo. I ran the vundo fix and the file was deleted from the system32 folder but for some reason I could not delete that registry key. If you click on my name here and look back at March 2006 you can probably see where I was trying to work on this with Shelflife and were unable to get rid of this with ewido, etc. It appears that it's a leftover and since everything was cleaned out it doesn't affect anything to my knowledge.
This last file, O21 - SSODL: Excohico - {E2C6F7B9-46F6-4D78-AC34-D1BB6BA2E143} - C:\WINNT\system32\mp3elmic.dll still bothers me.
I tried those 3 scans you suggested with the following results:
http://virusscan.jotti.org/ - told me "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file" Naturally, this did not make me feel real comfortable. I turned off my firewall and tried again and got the same message.
http://www.kaspersky.com/scanforvirus - when I tried this one, I hit the submit button and it just brought me right back to the screen where I was supposed to browse for the file...as it I hadn't even submitted anything. This lead me to believe it uploaded as 0 bytes also.
http://www.virustotal.com/flash/index_en.html - Finally, I tried this one and it uploaded as 0 bytes also. It scanned but of course it found nothing.
This all makes me very uneasy about that file. Here on my laptop I have scanned that file with Spybot, Ewido, Ad Aware and Norton but all have found nothing. I am concerned, however, as to whether or not it is some kind of malware that is not allowing itself to be scanned.(is this possible?)
And, of course, for all I know this might be a Spector Pro file. Spector Pro assured me that it is not detectable even by virus scanners. So I guess that may make this more complicated. Perhaps I will give them a call and see if they can shed some light on this while I'm checking these other things out.
Anyway.............Here is my hjt log with Normal StartUp:
Logfile of HijackThis v1.99.1
Scan saved at 9:46:16 AM, on 11/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINNT\system32\DllHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Messenger\msmsgs.exe
C:\AuntysPie\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.warrenhills.org/hshome.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C941A6E-BC62-4D59-97D3-FB5372F4B1CC} (MediaCaptureControl Class) - http://betajournal.comcast.net/resources/VibeJournalControls.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159373734627
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
O21 - SSODL: Excohico - {E2C6F7B9-46F6-4D78-AC34-D1BB6BA2E143} - C:\WINNT\system32\mp3elmic.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Thank you again for your help.
Cindylu
pskelley
2006-11-01, 17:22
Thanks for the information, what kind of sypmtoms are you having at this time? Let's consider a few things:
1) All activeX (Downloaded Program Files) items can be removed at any time. If they are needed, the next time you visit the site, you will be prompted to download it again. We will remove it.
2) the 020 item looks like leftover Vundo also, unless you have a program running like TeaTimer (other programs, even part of Norton can do it) that blocks changes, and then you should get a message asking if you wish to allow the change. We will remove that 020 item.
3) this item: O21 - SSODL: Excohico - {E2C6F7B9-46F6-4D78-AC34-D1BB6BA2E143} - C:\WINNT\system32\mp3elmic.dll
Neither the CLSID number or the name of the file show anything in a Google search, this is a good indication it is up to no good. We will remove it.
4) This is a registration reminder and usless - Startup: PowerReg Scheduler.exe
http://www.google.com/search?hl=en&lr=&q=PowerReg+Scheduler.exe&btnG=Search
5) Before we remove, let's make sure we have backups.
Open HJT > Open the Misc Tools section > Click on Main at the top > Make sure there is a check in the second box > "Make backups before fixing items".
Let's also make sure the recycle bin has not been bypassed:
RIGHT click on the Recycle Bin and choose properties. It should, by default, be set to "Use one setting for all drives"
Make sure the box "Do not move files to the Recycle Bin. Remove files immediately when deleted IS NOT CHECKED. Make sure you have space for deleted items, I keep my bin set at 5%. Now when we delete the file or folder, it will be moved to the bin and can be restored IF needed for some reason.
6) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
7) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
8) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) -
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing) G
O21 - SSODL: Excohico - {E2C6F7B9-46F6-4D78-AC34-D1BB6BA2E143} - C:\WINNT\system32\mp3elmic.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
9) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINNT\system32\mp3elmic.dll <<< delete that file (after a few days you can delete it from your Recycle Bin.
10) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post another HJT log along with any comments you think will help.
Thanks
Couple of other items I see:
C:\Program Files\Java\jre1.5.0_06\ <<< Your Java program is out of date, this will get you infected. See this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
This program >>> O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
Do you own it? If not, it is running and using considerable resources everytime you boot. If you do not own it, turn it off so it does not run. It is also obsolete, Grisoft of AVG virus protection purchased the program from ewido and it is now called AVG Anti-Spyware 7.5. You can update here:
http://www.ewido.net/en/ if you wish to keep the scanner, but there is still no reason to have it running without ownership, you get no benefit from realtime protection once the trail period is over. If you would like, once you update, run a scan using these tutorial from John McKenna. Post the scan results so I can take a look if you run it.
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
Okay, finally getting back to you here. I have good news and bad news. The bad news is I uninstalled Ewido and installed the new AVG version and after doing two scans in safe mode (which took 2 1/2 hours each) for the 2nd time my laptop shut down or hibernated or whatever WITHOUT generating a report. But this last time I looked at it right before it happened and it had not detected anything and it registered that it was scanned twice now. I will try again in regular mode and see if I can at least get some kind of a report. I had the box checked to generate a report so I don't know what the problem is.
As for the rest of the things we were discussing....
O4 - Startup: PowerReg Scheduler.exe got rid of this using hjt
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) -got rid of this using hjt
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)couldn't get rid of this but not surprised since I couldn't get rid of it back in March when I got rid of the rest of vundo
O21 - SSODL: Excohico - {E2C6F7B9-46F6-4D78-AC34-D1BB6BA2E143} - C:\WINNT\system32\mp3elmic.dll Finally discovered what this was. I emailed Spector Pro and they told me file names are randomly generated so they could not be sure if this was theirs or not. They said there WOULD be a SSODL file from them. I had tried to delete JUST the file but it said "access denied." So I uninstalled Spector Pro and low and behold the SSODL and the file it referred to was gone. I reinstalled it and a new randomly named SSODL and file were created. So it was definitely the Spector Pro that installed the SSODL. Basically I guess what I am saying is that YES it is Spyware but it is my OWN spyware I installed to spy on myself (or rather my 14 year old daughter..........and yes, she knows she's being watched).
So I guess maybe that's a first. Spectorsoft said they were undetectable to virus scanners so I guess they were right. Glad they're on the good side.
At this point I think I'm clean. I upgraded my JRE to 1.5 9 so I think I'm set. BTW, I LOVE that ATF Cleaner...........so much faster than going in and deleting cookies, cache, prefetch, etc. What a time saver!
I will post a fresh hjt log and AVG scan a bit later.
Yes, I'm planning on running another scan tomorrow morning. It'll probably take a couple hours to run.
Thanks!
Cindylu
Just a quick update here...
After 3 tries and over 7 and 1/2 hours of tryng to scan with the new AVG product from grisoft, I have uninstalled it from my computer. I am very disappointed in the product. My old Ewido worked wonders but the new AVG does not work on my computer at all.
It will scan for about 2 1/2 hours and then when it's almost done (and has found nothing) it just shuts down my system completely. No report, nothing, just shuts down everything. I had the box checked to save reports of all scans but it seems to just stop in the middle and shut down my system. I went to their website and all I could find was information stating that the product is apparently no longer compatible with Norton Internet Security which I have.
So I will have to scan again with something else and report back a bit later. Just wanted to keep you updated as to my progress.
Thanks.
Cindylu
pskelley
2006-11-08, 21:50
Thanks for that feedback, please be aware that we use that product on many computers, in fact I just downloaded and ran it on one of mine and the scan completed in around 45 minutes, so it is unlikely that AVG Anti-Spyware 7.5 is at fault. If you have it on your computer, please uninstall it.
What I would like from you would be a new HJT log and a description of the malware issues you are having, include error messages "word for word".
Thanks
Okay, I did as you had asked before and I ran my hjt log with a "Normal" start up. Please note I don't usually use a Normal start up because I don't like all that stuff running in the background. So I typically uncheck the boxes in msconfig for hotsync, kodak, quicktime, microsoft messenger, Adobe Reader, Realplayer, etc.
As far as issues, as far as I know I believed my system to be clean at this point since I figured out what the SSODL was. I uninstalled the AVG and reinstalled the old Ewido which has always worked fine for me right up until the day before I uninstalled it and installed AVG. Perhaps the new AVG setup file was corrupted during the download? I never had issues with the old Ewido but like I said, on the grisoft website they do say there are some issues with Norton Internet Security when running the new AVG product. I'm planning on running a scan with the old Ewido which I know worked for me before. If that no longer works then I'll know there is some other issue here.
Anyway......here is my new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 4:18:15 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Palm\HOTSYNC.EXE
C:\WINNT\system32\DllHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\AuntysPie\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.warrenhills.org/hshome.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C941A6E-BC62-4D59-97D3-FB5372F4B1CC} (MediaCaptureControl Class) - http://betajournal.comcast.net/resources/VibeJournalControls.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159373734627
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
O21 - SSODL: Matavime - {896AD922-3DB4-45B2-86E3-BE03004430CD} - C:\WINNT\system32\subiwkbd.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Thanks again.
Cindylu
pskelley
2006-11-08, 23:07
Thanks for the feedback, You know how to use MSConfig but I will give you this link anyhow:
http://netsquirrel.com/msconfig/ You can return to Selective Startup to save your resources when you wish.
Let me say there is another option...if you don't use the programs, uninstall them in Add Remove programs.
I also wish to point out that ewido is now owned by Grisoft and there will no longer be updates for the ewido scanner. After a short while it's databases will be useless.
I am not surprised the issue is with NIV, it's software does not play nice with many programs. Must be why I never use it.
Is this another parental supervision program?
O21 - SSODL: Matavime - {896AD922-3DB4-45B2-86E3-BE03004430CD} - C:\WINNT\system32\subiwkbd.dll
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Safe surfing...tashi will close your topic in a few days.
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier
I'm completely in a panic now. Things are going downhill fast.
I have had my system crash twice in the past 2 weeks. I really thought that it was because my laptop is old and perhaps it's time has just run out. I then had problems when running the AVG scans, that it would crash after running for over 2 hours and was just about done. So I uninstalled it and reinstalled the old Ewido.
Last night I went to try and run a scan using Norton AntiVirus and it told me the antivirus files were corrupt and reinstall the product. After 3 hours on the phone with norton I did uninstall and reinstall and it appeared it was running okay.
This morning I went online, checked email and was about to run a full system scan when I got the SAME Norton error. After being on the phone with them I am currently running a scan from the Norton Web site.
The thing is..................I'm not convinced they can help me. I'm pretty fed up with Norton at this point because they OFTEN do not detect trojans and I'm very concerned at this point.
I will post a current hjt log but I have one other question first. When I click on My Computer and then click on Drive 3(Local Hard Drive) I have all my typical folders and then I have a bunch of files including a .cab file. Should I be suspicious of these? They are named _Sid.txt, 560cc060-1fa5-4ca1-b0bf-acff9d1b2e16.cab which contains some kind of xml file, alerts.txt, ctp.log, devicetable.log, drwtsn32.log, firewall.txt, threatalerts.txt, and a bunch of others. The .cab file and the alerts.txt, firewall.txt and the threatalerts.txt files, when I hover over them with my cursor, all show that they were modified on 7/2906 at the exact same time in the morning. Is this something to be concerned about or is this normal?
I honestly don't know where to turn at this point but I am hoping you can help me. I don't know when to assume I have a virus that is causing Norton to be corrupt or what.
Here is my current hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 10:54:15 AM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\AuntysPie\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.warrenhills.org/hshome.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C941A6E-BC62-4D59-97D3-FB5372F4B1CC} (MediaCaptureControl Class) - http://betajournal.comcast.net/resources/VibeJournalControls.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159373734627
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
O21 - SSODL: Matavime - {896AD922-3DB4-45B2-86E3-BE03004430CD} - C:\WINNT\system32\subiwkbd.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Again I appreciate your help.
Cindylu
pskelley
2006-11-10, 18:29
Hello Cindylu, have you considered dumping Symantec/Norton? It may be well that all of their junk is causing your issues? If you want links to free progams, let me know.
I am more than willing to run some scans to see if something hidden is causing your problem, but I am about to bet this is not the case. It may take a new install of your Operating system to fix these issues. Let's try a few things for and see what happens. I first need to say the HJT log appears to be clean of malware, I would turn of ewido, actually my advice would be to uninstall the program. It uses a lot of resources and gives no benefits unless you are using the scanner and as I said the data base will quickly be out of date if it is not now.
When you say
I have had my system crash twice in the past 2 weeks. what exactly do you mean by that? What message "word for word" are you receiving?
When Windows "crashes" it usually tell you what the problem was that caused this with some kind of error message and there are many, many reasons this could happen.
In case missing or corrupt system files is causing the issue, let's run System File Checker. I would be interested in know what files it replaces if this is possible. Click Start>Run, type in sfc /scannow, hit Enter.
Note: there is a space between sfc and /scannow
This should replace any corrupted/missing system files and will hopefully fix things. You may need your XP disc in your CD drive for this.
I can also say that I had a few minor issues with my browser, and installing Internet Explorer 7.0 stopped them all, this may be the way to go.
Since you say it is an old computer, when did you update your drivers last? It only take one bad driver to lock up a system, especially at boot up.
These issues require extensive troubleshooting, which is not what I do. Give the things I have mentioned a try, and provide any information I have asked for. I will try a couple of more things and then suggest a couple of good sites where they can help you troubleshoot Windows issues.
Please also understand that when you run your computer in Selective Startup, as you are, I have no way of knowing if a program that is malware is causing the problem.
Even with Selective startup, I still see these programs that are probably not needed at startup:
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
http://www.castlecops.com/startuplist-1367.html
If you don't use it:
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
http://www.castlecops.com/startuplist-1568.html
what do you use this for?
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
http://www.liutilities.com/products/wintaskspro/processlibrary/tgcmd/
running all of the time, how often do you need to check for those updates?
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
http://www.castlecops.com/startuplist-2113.html
Really ?
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
http://www.castlecops.com/startuplist-1366.html
Running all of the time
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
http://www.castlecops.com/startuplist-117.html
Here is some information about NT services if it helps:
http://www.mvps.org/winhelp2002/services.htm
You stil never told me what this was:
O21 - SSODL: Matavime - {896AD922-3DB4-45B2-86E3-BE03004430CD} - C:\WINNT\system32\subiwkbd.dll
Please scan the file and post the information if you don't know:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
You should have an idea now of what you are up against. I would love to have the time to troubleshoot your computer issues, but I just do not have it. I have three I can barely keep up with myself.
_________________________________________________________________
Let's take a look for a hidden rootkit, like this:
Download BlackLight from here:
http://www.f-secure.com/blacklight/
Follow the directions to download to your Desktop then run the program. It will produce a text file on your Desktop, copy and paste the results here to your topic. Do not try to do anything with the information.
_________________________________________________________________
We have had trouble running AVG Anti-Spyware, so I hope this one will run for you. I would uninstall ewido before you do this. Follow the directions, this is a multipurpose tool that looks for many infections. Post the results for me to view.
Thanks to sUBs and anyone who helped with this fix.
1. Download ComboFix.exe using either of these links:
* bleepingcomputer.com
http://download.bleepingcomputer.com/sUBs/combofix.exe
* techsupportforum.com
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
Thanks
Thank you for getting back to me so quickly.
At this point I am definitely considering dumping Norton. I have had so many issues with them (including a recent LiveUpdate that was missing a .dll file that caused issues with the program, I mean come on.....I PAY for this service).....
Anyway..........like I said, I am doing an online scan at Norton per their advice but I will not trust the scan even if it says I am clean so perhaps it is time to get another product. Any recommendations you have would be appreciated.
As far as what I mean by my system crashing..........I mean twice in the past couple of weeks it has just shut off completely. No error message, no warning, just shut off. The same thing happened when I was doing the AVG scan, it would just shut completely off with no warning or anything. I began growing concerned about this when I read another post here that a person's system was crashing and a rootkit was causing it. I am concerned that something like that might be behind it.
I have not updated any drivers in a very long time so it is quite possible this could be causing a problem.
The file
O21 - SSODL: Matavime - {896AD922-3DB4-45B2-86E3-BE03004430CD} - C:\WINNT\system32\subiwkbd.dll
Is the Spector Pro file. I uninstalled the product and the old SSODL disappeared. Then I reinstalled it and this new randomly named SSODL appeared. Spectorsoft told me that their product would install a randomly generated SSODL file so that makes sense.
So as soon as I finish this Norton scan which I'm hoping is almost done, I will work on the rest of the things you suggested and I will get back to you as soon as possible with the information. My main focus right now is to determine if there is a rootkit.
Will be back in touch soon hopefully.
Cindylu
pskelley
2006-11-10, 19:35
OK Cindylu, I am not going to give you more information on top of what you have. Consider and try each of my suggestions. I am also concerned that this product: Spector Pro might be the cause of your issues. Monitoring programs often cause more trouble than they are worth. Have you tried the computer with it uninstalled?
I would refer you on to folks who are more knowledgeable at troubleshooting Windows issues, but I want to be sure there is no malware at work before doring so.
Thanks
I guess I need to make a call here. This online scan with Norton is really taking a ridiculous amount of time. It has been going for over 2 hours now and has only scanned a little over 31,000 files. I know at this rate it's going to take about 16 hours for a scan to be done. I feel like I'm wasting time when I could be actually getting to the source of the problem in another way.
Therefore, I'm going to bail out of the Norton scan since it just seems to be a pointless waste of time and I'm going to try the things you suggested right now.
Will let you know what I find.
Cindylu
How refreshing it was to scan with a product that actually gives results, good or bad.
Blacklight said it did not find anythingl The results of the Blacklight scan is as follows:
11/10/06 14:46:12 [Info]: BlackLight Engine 1.0.47 initialized
11/10/06 14:46:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/10/06 14:46:12 [Note]: 7019 4
11/10/06 14:46:12 [Note]: 7005 0
11/10/06 14:46:23 [Note]: 7006 0
11/10/06 14:46:23 [Note]: 7011 400
11/10/06 14:46:24 [Note]: 7026 0
11/10/06 14:46:24 [Note]: 7026 0
11/10/06 14:46:42 [Note]: FSRAW library version 1.7.1020
11/10/06 15:05:18 [Note]: 2000 1012
11/10/06 15:05:18 [Note]: 2000 1012
11/10/06 15:06:19 [Note]: 7007 0
The ComboFix results are as follows:
Owner - 06-11-10 15:07:51.75 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Owner\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-10 to 2006-11-10 ))))))))))))))))))))))))))))))))))
2006-11-10 10:51 28,672 --a------ C:\WINNT\system32\drivers\CO_Mon.sys
2006-11-09 22:34 48,824 --a------ C:\WINNT\system32\S32EVNT1.DLL
2006-11-09 22:34 109,744 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
2006-11-01 13:57 2,646 --a------ C:\WINNT\system32\patexlib.dll
2006-11-01 13:46 174,592 --a------ C:\WINNT\system32\minapdev.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-10 13:04 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-10 10:49 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-09 23:12 -------- d-------- C:\Program Files\Norton Internet Security
2006-11-09 23:03 -------- d-------- C:\Program Files\Symantec
2006-11-09 22:36 10344 --a------ C:\WINNT\system32\drivers\symlcbrd.sys
2006-11-09 22:34 -------- d-------- C:\Program Files\Common Files
2006-11-09 20:41 -------- d-------- C:\Program Files\Symantec Technical Support
2006-11-08 10:35 -------- d-------- C:\Program Files\Ideas Library 3
2006-11-05 16:40 -------- d-------- C:\Program Files\LabelCreator Pro
2006-11-02 14:55 -------- d-------- C:\Program Files\e-Sword
2006-11-01 14:54 -------- d-------- C:\Program Files\Java
2006-11-01 14:51 -------- d-------- C:\Program Files\Common Files\Java
2006-10-30 17:21 -------- d-------- C:\Documents and Settings\Owner\Application Data\Comcast
2006-09-27 11:56 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-27 11:33 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-27 11:31 -------- d-------- C:\Program Files\Microsoft Works
2006-09-13 00:01 1084416 --a------ C:\WINNT\system32\msxml3.dll
2006-08-25 10:45 617472 --a------ C:\WINNT\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINNT\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINNT\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINNT\system32\6to4svc.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Comcast\\COMCAS~1\\data\\xtras\\mssysmgr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"GWMDMMSG"="GWMDMMSG.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"GWMDMpi"="C:\\WINNT\\GWMDMpi.exe"
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe"
"tgcmd"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"Gateway Ink Monitor"="\"C:\\Program Files\\Gateway Utilities\\GWInkMonitor.exe\""
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"MSConfig"="C:\\WINNT\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="\"C:\\WINNT\\System32\\msiexec.exe\" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="\"C:\\WINNT\\System32\\msiexec.exe\" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Matavime"="{896AD922-3DB4-45B2-86E3-BE03004430CD}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINNT\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Dataviz Messenger.lnk"
"backup"="C:\\WINNT\\pss\\Dataviz Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINNT\\DVZCOM~1\\DvzMsgr.exe "
"item"="Dataviz Messenger"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINNT\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
"item"="Kodak EasyShare software"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak software updater.lnk"
"backup"="C:\\WINNT\\pss\\Kodak software updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="Kodak software updater"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINNT\\pss\\HotSync Manager.lnkStartup"
"location"="Startup"
"command"="C:\\Palm\\HOTSYNC.EXE "
"item"="HotSync Manager"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realplay"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
HKEY_LOCAL_MACHINE\
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20061101-143012-810
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
backup-20061101-143011-894
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) -
backup-20061101-143011-216
O4 - Startup: PowerReg Scheduler.exe
backup-20060323-163620-853
O20 - Winlogon Notify: wvuss - C:\WINNT\
backup-20060323-083525-980
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
backup-20060323-083525-991
O4 - HKLM\..\Run: [caxchg] C:\WINNT\caxchg.exe
backup-20060323-083525-481
O2 - BHO: (no name) - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - (no file)
backup-20060323-083525-211
O4 - HKLM\..\Run: [shicoxp] C:\WINNT\shicoxp.exe
backup-20060321-230753-100
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
backup-20060321-230614-157
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
backup-20060321-230324-743
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
backup-20060321-230324-472
O4 - HKLM\..\Run: [shicoxp] C:\WINNT\shicoxp.exe
backup-20060321-230324-726
O4 - HKLM\..\Run: [caxchg] C:\WINNT\caxchg.exe
backup-20060321-230324-306
R3 - Default URLSearchHook is missing
backup-20060321-230324-692
O2 - BHO: (no name) - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - (no file)
Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Norton AntiVirus - Run Full System Scan - Owner.job
Completion time: 06-11-10 15:10:28.09
C:\ComboFix.txt ... 06-11-10 15:10
Perhaps one of these will shed some light on what's going on.
I do suppose it is possible that Spector Pro is causing a problem. If I find I have no malware issues, I will uninstall Spector Pro for a couple of weeks and see if the issues continue.
Also, I look forward to any advice on what you feel would be the best one to replace my Norton AntiVirus. I really think it's time for a change as far as that's concerned. It simply doesn't make me feel protected.
All your help is GREATLY appreciated.
Cindylu
And as promised, here is a fresh hjt log with normal startup:
Logfile of HijackThis v1.99.1
Scan saved at 3:48:02 PM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINNT\system32\DllHost.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\AuntysPie\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.warrenhills.org/hshome.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C941A6E-BC62-4D59-97D3-FB5372F4B1CC} (MediaCaptureControl Class) - http://betajournal.comcast.net/resources/VibeJournalControls.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159373734627
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
O21 - SSODL: Matavime - {896AD922-3DB4-45B2-86E3-BE03004430CD} - C:\WINNT\system32\subiwkbd.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I will check back again later.
Cindylu
pskelley
2006-11-11, 01:12
Did you get the Private Message?
BlackLight is clean, no rootkits, we can try another scan for rk's if you want.
combofix: Use these scanners to find out if these items are bad or good. Be very careful to delete only bad files and if you not not sure post the scan results for me to look at.
Once you delete them let them stay in the Recycle bin for a few days to be sure.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
C:\WINNT\system32\drivers\CO_Mon.sys
C:\WINNT\system32\S32EVNT1.DLL
C:\WINNT\system32\drivers\SYMEVENT.SYS
C:\WINNT\system32\patexlib.dll
C:\WINNT\system32\minapdev.dll
____________________________________
I do suppose it is possible that Spector Pro is causing a problemSince I am not sure when these issues started, I don't know if it was originally installed at the time your issues started or not. Did you pay for the product, if not uninstall it. If you need another product to do the job, let me know and I will see if I can find one?
I personally have never used Norton/Symantec but I have heard a lot of complaints about the resources it uses and the fact that it is of questionable performance. I can not confirm this.
When I ask Google for information, I get this:
http://www.software-antivirus.com/
http://antivirus.about.com/cs/beforeyoubuy/tp/aatpavwin.htm
http://www.consumersearch.com/www/software/antivirus-software/
http://anti-virus-software-review.toptenreviews.com/
If you want a free program, here are three to choose from:
http://free.grisoft.com/freeweb.php
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/
Keep in mind there is no tech support for these free versions. I installed AVG on my sister's new Dell and it works fine. It is not the best available, but the price is right. I have to let you make that call.
The only thing I see in the log is that old Vundo line with no file and the resource wasters I pointed out earlier.
Let get rid of the old Backups in HJT:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTRestore
How to restore items mistakenly deleted
We do not want to restore them, put a check in front of each item and Delete them, you can probably hit the Delete all butten. You could see these in the combofix log.
Thanks
I ran the scans on those files you suggested. All came back clean except the one file, patexlib.dll was not able to be scanned because it was being uploaded as 0 bytes.
I'm not sure if that could be another Spector Pro file or not. It happens to have been created on the same day I uninstalled and reinstalled Spector Pro so it's possible it could be another one of their files. I think what I will do is tomorrow I will uninstall Spector Pro again and see if that file disappears. If not, perhaps I will try putting it in the Recycle Bin and see what happens.
I also think I'll leave Spector Pro unistalled for a couple of weeks so I can assess how my system is performing. I did purchase the product and it wasn't cheap but I may be able to just use it periodically.
I like the looks of the antivirus programs and I am leaning toward the Kaspersky. The only thing is I would also like a firewall which is why I had gone with Norton in the first place so I could have my antivirus and firewall integrated. Can you recommend any good firewalls?
I will let you know what happens regarding that file. Also, as an aside, while I was sitting here working tonight, oddly enough, Norton AntiVirus, which refused to work for the last 2 days even with help from the Symantec techsupport, it suddenly fired up for its regularly scheduled Friday night scan. Why it suddenly decided it could work is beyond me but it's been scanning away so I've just been letting it. So far hasn't found anything. Just seems strange that I could not start a scan manually from the Norton Window but it is able to start a scheduled scan with no problem. Go figure.
It's getting late here so I will work on this again tomorrow. Thanks again for your continued help.
Cindylu
I'm sorry.......one more thought here before I forget........If you do have another rootkit scanner I'd like to do one more just to be sure. I don't mean to be paranoid but better to be safe than sorry.
Okay, time to get some sleep.
pskelley
2006-11-11, 13:43
Hi Cindylu, this one: patexlib.dll Google can't indentify so please delete it. I am 99% sure it's not a good file but allow it to set in the recycle bin for a few days before you delete from there. It is easier to restore a file from there than to hunt for and download them from online.
Let's try this scanner, I tested it this morning and it worked well. I could not see how to copy/paste the results since I am clean.
Please read this information before you proceed, if programs are running the results will be effected as described. I would make sure nothing is running except what you need to start the computer.
http://www.sophos.com/readmes/readsar.txt
http://www.sophos.com/products/free-tools/sophos-anti-rootkit/download/
1. Click on Submit at the bottom
2) Download Sophos Anti-Rootkit
3) Save to your local disk C:\
4) Click the sarsfx.exe icon to open
5) Default location: C:\SOPHTEMP
6) Navigate to the icon and click it to open
7) Click the sargui.exe to open the interface
8) By default all areas are checked, you can
scan the area you wish.
9) When finished, post the results...if you are free
of infection your will see "No hidden items found by scan"
________________________________________
I know nothing of monitoring software, but here is a link to some free stuff:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=free+child+monitoring+software
Can you tell me how much ram you have on the computer and how much drive space you have available.
RAM: right click MyComputer and choose Properties. At the bottom of the System Properties window will be the RAM.
Drive Space: Open MyComputer and then right click the Local Disk (C:) and choose Properties. I am interested in the free space you have available.
________________________________________
One last thing to take a look at:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Your comments:
Kaspersky is a well respected company but I have never used it. We use the free online scanner a lot. Are you using a router? I personally use the free version of Zone Alarm, but there are others available. You want to make sure your SP2 firewall is turned off when running a third party firewall.
Lots of information here: http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=review+firewalls to help you decide.
Thanks
Update...I had to do some detective work on this patexlib.dll file. I deleted it and left it in the recycle bin. Then I decided I was going to uninstall Spector Pro so I thought I would restore the patexlib.dll file and see if it disappeared when I unistalled Spector Pro.
When I tried to restore it, I got a message saying "This folder already contains a file named patexlib.dll would you lile to replace the existing file created Nov 11 at 9:20 with the old one (in the recycle bin) created Nov 10 10:17?
So, I decided to see if I could figure out what was running when the file was recreating itself. I deleted the new patexlib.dll created today and went back to the system32 folder. It was still deleted. I connected to the internet and went to the forums here and sort of hung out to see if it recreated itself when I went online. Checked - still gone. I checked my email. Looked for file again. Still gone.
I closed my internet connection and my email. Waited a bit and fired up my Spector Pro. Checked the System32 folder and there was patexlib.dll. The minute I fired up Spector Pro the patexlib.dll file recreated itself. It is apparently associated with Spector Pro somehow.
At present, I am going to uninstall Spector Pro and run without it and see if I can fix some of these other issues. I really like the software as there is so many valuable things it can do. It even logs everything uploaded and downloaded from the internet so I can see if my kids have inadvertantly downloaded a nasty. But I suppose I can reinstall it at a later time as long as I have my serial number so I will try running without it for a bit.
Will try that sophos scan in a bit and report back.
Cindylu
The Sophos scan pronounced me clean so I guess everything here is okay.
I did uninstall Spector Pro and I then tried to open my antivirus program and it worked. Apparently something in the Spector Pro application was affecting the antivirus software. Good call. I will have to call Spectorsoft and ask them some questions. They said their software would not be detected by any antivirus software, they didn't say it would shut it down.
Thank you so much for your time and patience. I happy to know that my Java is up to date and my system is clean. Thanks again.
Cindylu
pskelley
2006-11-15, 14:46
Sound good Cindylu:bigthumb: except for ATF-Cleaner which is a great little program, you may remove the programs we downloaded during the fix.
Safe surfing...tashi:) will close your topic in a few days.
Thanks...Phil
LonnyRJones
2006-11-25, 23:39
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let one of us know via a PM (personal message).