
Thread: System locks up when running Anti-Virus, anti Spyware

  1. #51
    Member
    Join Date
    Aug 2007
    Posts
    41

    Default

    Part 5

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LGYTSB5B\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IJAQDW6N\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KA06XCON\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W48R3CQT\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\History\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VQL6B41L\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JTI2SRMK\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VSCSUE9B\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\93682PM0\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\UBAI18WL\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\EIKTRB0D\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\6BEQYKLH\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\5B9XDA6J\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\N-GNIRSPPZIR9VF\ASPNET\Local Settings\History\History.IE5\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\N-GNIRSPPZIR9VF\ASPNET\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\N-GNIRSPPZIR9VF\ASPNET\Local Settings\Temporary Internet Files\Content.IE5\U31UV6HM\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\N-GNIRSPPZIR9VF\ASPNET\Local Settings\Temporary Internet Files\Content.IE5\FP9SC0J8\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\N-GNIRSPPZIR9VF\ASPNET\Local Settings\Temporary Internet Files\Content.IE5\1JL8SQ5O\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    C:\Documents and Settings\N-GNIRSPPZIR9VF\ASPNET\Local Settings\Temporary Internet Files\Content.IE5\VX85MDSY\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    D: (no DLL launch points found)

    E: (no DLL launch points found)

    F: (no DLL launch points found)


    Startup items in "Administrator" & "All Users" startup folders:
    ---------------------------------------------------------------

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS]
    "NkvMon.exe" -> shortcut to: "C:\Program Files\Nikon\NkView5\NkvMon.exe" ["Nikon Corporation"]


    Enabled Scheduled Tasks:
    ------------------------

    "RegCure Program Check" -> launches: "C:\Program Files\RegCure\RegCure.exe ShowReminders" [null data]
    "RegCure" -> launches: "C:\Program Files\RegCure\RegCure.exe -t" [null data]
    "Spybot - Search & Destroy - Scheduled Task" -> launches: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
    -> {HKLM...CLSID} = "&Address"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
    -> {HKLM...CLSID} = "&Links"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    "{4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33}"
    -> {HKLM...CLSID} = "NETSCAPE"
    \InProcServer32\(Default) = "C:\WINDOWS\DOWNLO~1\netscape.dll" ["Visicom Media"]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
    -> {HKLM...CLSID} = "&Address"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
    "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
    -> {HKLM...CLSID} = "&Links"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
    -> {HKLM...CLSID} = "MSN"
    \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33}" = (no title provided)
    -> {HKLM...CLSID} = "NETSCAPE"
    \InProcServer32\(Default) = "C:\WINDOWS\DOWNLO~1\netscape.dll" ["Visicom Media"]
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
    -> {HKLM...CLSID} = "MSN"
    \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
    "{F8AD5AA5-D966-4667-9DAF-2561D68B2012}" = "Viewpoint Toolbar"
    -> {HKLM...CLSID} = "Viewpoint Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll" ["Viewpoint Corporation"]

    Explorer Bars

    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
    {C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "File Search Explorer Band"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    {EFA24E64-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Explorer Band"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {4D5C8C25-D075-11D0-B416-00C04FB90376}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "&Tip of the Day"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

    HKLM\Software\Classes\CLSID\{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = "IE Search Band"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    HKLM\Software\Classes\CLSID\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}\(Default) = "Favorites Band"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

    HKLM\Software\Classes\CLSID\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}\(Default) = "History Band"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKCU\Software\Microsoft\Internet Explorer\Extensions\

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
    "ButtonText" = "AIM"
    "Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "@C:\Program Files\Messenger\Msgslang.dll,-61144"
    "MenuText" = "@C:\Program Files\Messenger\Msgslang.dll,-61144"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Internet Explorer Address Prefixes:
    -----------------------------------

    Prefix for bare domain ("domain-name-here.com")

    HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
    (Default) = "http://"

    Prefix for specific service (i.e., "www")

    HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\
    "ftp" = "ftp://"
    "gopher" = "gopher://"
    "home" = "http://"
    "mosaic" = "http://"
    "www" = "http://"


    Miscellaneous IE Hijack Points
    ------------------------------

    HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = (no title provided)
    -> {HKLM...CLSID} = "Microsoft Url Search Hook"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
    "NavigationFailure" = "res://ieframe.dll/navcancl.htm" [MS]
    "DesktopItemNavigationFailure" = "res://ieframe.dll/navcancl.htm" [MS]
    "NavigationCanceled" = "res://ieframe.dll/navcancl.htm" [MS]
    "OfflineInformation" = "res://ieframe.dll/offcancl.htm" [MS]
    "Home" = hex:0x0000010E
    "blank" = "res://mshtml.dll/blank.htm" [MS]
    "PostNotCached" = "res://ieframe.dll/repost.htm" [MS]
    "NoAdd-ons" = "res://ieframe.dll/noaddon.htm" [MS]
    "NoAdd-onsInfo" = "res://ieframe.dll/noaddoninfo.htm" [MS]
    "SecurityRisk" = "res://ieframe.dll/securityatrisk.htm" [MS]
    "Tabs" = "res://ieframe.dll/tabswelcome.htm" [MS]


    HOSTS file
    ----------

    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
    "DataBasePath" = "C:\WINDOWS\System32\drivers\etc"

    C:\WINDOWS\System32\drivers\etc\HOSTS

    maps: 1 domain name to an IP address,
    and this is the localhost IP address

  2. #52
    Member
    Join Date
    Aug 2007
    Posts
    41

    Default

    Part 6

    All Running Services (Display Name, Service Name, Path {Service DLL}):
    ----------------------------------------------------------------------

    Application Layer Gateway Service, ALG, "C:\WINDOWS\System32\alg.exe" [MS]
    Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wuauserv.dll" [MS]}
    Background Intelligent Transfer Service, BITS, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\qmgr.dll" [MS]}
    COM+ Event System, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [MS]}
    Computer Browser, Browser, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\browser.dll" [MS]}
    Cryptographic Services, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
    DCOM Server Process Launcher, DcomLaunch, "C:\WINDOWS\system32\svchost -k DcomLaunch" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
    DHCP Client, Dhcp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
    Distributed Link Tracking Client, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
    Distributed Transaction Coordinator, MSDTC, "C:\WINDOWS\System32\msdtc.exe" [MS]
    DNS Client, Dnscache, "C:\WINDOWS\System32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
    Error Reporting Service, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
    Event Log, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
    FTP Publishing, MSFtpsvc, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
    Help and Support, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
    HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
    IIS Admin, IISADMIN, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
    Internet Connection Sharing, SharedAccess, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
    IPSEC Services, PolicyAgent, "C:\WINDOWS\System32\lsass.exe" [MS]
    Logical Disk Manager, dmserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dmserver.dll" [MS]}
    Message Queuing, MSMQ, "C:\WINDOWS\System32\mqsvc.exe" [MS]
    Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\System32\mqtgsvc.exe" [MS]
    Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
    Network Location Awareness (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
    NT LM Security Support Provider, NtLmSsp, "C:\WINDOWS\System32\lsass.exe" [MS]
    OneCare AntiSpyware and AntiVirus, OneCareMP, ""C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"" [MS]
    OneCare Firewall, msfwsvc, ""C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"" [MS]
    Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
    Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
    Protected Storage, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
    Remote Access Connection Manager, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
    Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\System32\rpcss.dll" [MS]}
    Remote Registry, RemoteRegistry, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\system32\regsvc.dll" [MS]}
    Secondary Logon, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
    Security Accounts Manager, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
    Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
    Server, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
    Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
    Simple Mail Transfer Protocol (SMTP), SMTPSVC, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
    Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
    SNMP Service, SNMP, "C:\WINDOWS\System32\snmp.exe" [MS]
    SSDP Discovery Service, SSDPSRV, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
    System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
    System Restore Service, srservice, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srsvc.dll" [MS]}
    Task Scheduler, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
    TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
    Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
    Terminal Services, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
    Themes, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
    Universal Plug and Play Device Host, upnphost, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\upnphost.dll" [MS]}
    Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]
    WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
    WebClient, WebClient, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
    Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
    Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\System32\svchost.exe -k imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
    Windows Live OneCare, winss, "C:\Program Files\Microsoft Windows OneCare Live\winss.exe" [MS]
    Windows Management Instrumentation, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
    Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]
    Windows Time, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\w32time.dll" [MS]}
    Wireless Zero Configuration, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
    WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
    Workstation, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}
    World Wide Web Publishing, W3SVC, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]


    Keyboard Driver Filters:
    ------------------------

    HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
    "UpperFilters" = "kbdclass" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    BJ Language Monitor\Driver = "cnbjmon.dll" [MS]
    BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
    Local Port\Driver = "localspl.dll" [MS]
    LPR Port\Driver = "lprmon.dll" [MS]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
    PDF995 Monitor\Driver = "pdf995mon.dll" [null data]
    PJL Language Monitor\Driver = "pjlmon.dll" [MS]
    Standard TCP/IP Port\Driver = "tcpmon.dll" [MS]
    USB Monitor\Driver = "usbmon.dll" [MS]


    -- (total run time: 438 seconds)
    <<!>>: Suspicious data at a malware launch point.

  3. #53
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello

    Ok so still freezes...Hmm all the logs are clean so I don't think that this is a malware issue...

    Might be overheating...

    Please install the free version of Everest

    Run the program.

    On the left pane under "Computer" click on "Sensor"

    Now take some notes on the temperature readings.

    Then start a virus scan. Let it run for a while (maybe 30 min) and check the temperature.

    Let me know the results
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  4. #54
    Member
    Join Date
    Aug 2007
    Posts
    41

    Default Update

    Installed and ran Everest along with Windows OneCare two times. Results shown below. It looks like with your help I have in the past removed some malware, but as you suggested it looks like the main problem was caused by overheating.
    Current Everest shows MB 35C AUX 31C Maxtor 27C

    Here is a listing of the results.

    August 31, 2007

    Everest Run and Windows OneCare Complete System Scan
    All temp. recordings are in degrees.

                  Mother Board   Aux    Maxtor HD

    Start         57C            40C    48C
    Scan Start    54C            40C    50C
    2 Min         57C            40C    51C
    5 Min         62C            40C    51C
    10 Min        66C            41C    52C
    15 Min        69C            42C    53C
    20 Min        83C            43C    51C
    25 Min        82C            44C    53C
    30 Min        83C            44C    54C
    40 Min        78C            44C    55C
    50 Min        83C            44C    54C

    54 Min        87C            45C    55C
    Locked Up at this point


    September 1, 2007

    Removed side cover and added external fan to cool computer.
    Everest Run and Windows OneCare Complete System Scan
    All temp. recordings are in degrees.

                  Mother Board   Aux    Maxtor HD

    Start         50C            31C    34C
    Scan Start    49C            31C    31C
    5 Min         57C            31C    30C
    10 Min        61C            31C    31C
    15 Min        64C            32C    30C
    20 Min        69C            32C    29C
    30 Min        67C            32C    29C
    45 Min        62C            32C    29C
    60 Min        67C            32C    30C
    75 min        74C            32C    28C
    90 Min        69C            32C    31C
    105 Min       76C            32C    28C
    114 Min       51C            32C    29C
    Scan Completed

    ONECARE LIVE ANTISPYWARE/ANTIVIRUS RESULTS



    9/1/2007 2:09 PM Virus and spyware scan was completed

    Scanned Items: C:\
    D:\
    E:\
    F:\

    Scan Type: Complete Scan
    Scan StartTime: 9/1/2007 12:15 PM
    Scan EndTime: 9/1/2007 2:09 PM
    Total Number of Files Scanned: 408905
    Total Number of Files Not Scanned: 1503
    Total Number of Threats Found: 0
    Total Number of Threats Cleaned: 0
    Total Number of Threats Removed: 0
    Total Number of Threats Quarantined: 0
    Total Number of Threats Still Present But Suspended: 0

  5. #55
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello

    Yes definitely overheating - you could cook eggs on your motherboard. No wonder the system locks up.

    Ok you've added the fan & removed the pane but about 70 degrees is still pretty high temperature...maybe one more fan + some cleaning of dust etc would help.

    So any other issues now or is the computer running ok?
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  6. #56
    Member
    Join Date
    Aug 2007
    Posts
    41

    Default Update

    I had the system run Windows OneCare Performance Plus scan early this morning. It completed its run with no apparent problems. I have listed an extract from that run below.

    Later this morning I ran Kaspersky Online Scanner. It also completed its run, but it claimed to have found 13 viruses. I located those items and have deleted them. Mostly obsolete files/programs which are no longer in use. Kaspersky also said it had found 33 infected objects but those were files that it could not open to check. Extract from that run is also attached below.

    The last two items in the Kaspersky extract are examples of what it claimed were infected objects.

    WINDOWS ONECARE PERFORMANCE PLUS SCAN EXTRACT

    9/2/2007 5:29 AM Virus and spyware scan was completed

    Scanned Items: C:\
    D:\
    E:\
    F:\

    Scan Type: Complete Scan
    Scan StartTime: 9/2/2007 4:00 AM
    Scan EndTime: 9/2/2007 5:29 AM
    Total Number of Files Scanned: 416765
    Total Number of Files Not Scanned: 1504
    Total Number of Threats Found: 0
    Total Number of Threats Cleaned: 0
    Total Number of Threats Removed: 0
    Total Number of Threats Quarantined: 0
    Total Number of Threats Still Present But Suspended: 0


    I THEN RAN KASPERSKY ONLINE SCANNER

    KASPERSKY ONLINE SCANNER REPORT

    Sunday, September 02, 2007 2:20:53 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 2/09/2007
    Kaspersky Anti-Virus database records: 377918

    Scan Settings
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target: My Computer
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan Statistics
    Total number of scanned objects: 137222
    Number of viruses found: 13
    Number of infected objects: 33
    Number of suspicious objects: 2
    Duration of the scan process: 03:06:40

    Infected Object Name                       Virus Name          Last Action
    C:\WINDOWS\system32\config\system.LOG      Object is locked    skipped
    C:\WINDOWS\system32\config\software.LOG    Object is locked    skipped

  7. #57
    Member
    Join Date
    Aug 2007
    Posts
    41

    Default Summary.

    I plan to reinstall Ad-Aware and SpyBot in the near future and will run those programs to see if they work okay. I'll post the results.

    In the meantime thank you very much for all your help and assistance.

    I would never have thought about the system running too hot as being the primary cause of the lockups, especially since it only happened when I was trying to run anti-spyware or anti-virus programs.

    Now I have to find some internal fans that will keep the system properly cooled down.

    Again, Thank You,

    John

  8. #58
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello

    Total Number of Threats Found: 0
    Total Number of Threats Cleaned: 0
    Total Number of Threats Removed: 0
    Total Number of Threats Quarantined: 0
    Total Number of Threats Still Present But Suspended: 0
    This means that there is no malware on your system. The files listed in Kaspersky log were skipped just because the scan wasn't able to check them. So they're not viruses, Kaspersky lists also good files. I hope you weren't able to remove any important files....

    It is looking clean now

    You can remove the tools we used.

    =============

    Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:


    Stay clean and be safe
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  9. #59
    Member
    Join Date
    Aug 2007
    Posts
    41

    Default Update

    Hi:
    I reinstalled Ad-Aware and Spybot and ran both. Ad-Aware found 4 items, one classified as TIA-7, one as TIA-3 and two as TIA-0. Quarantined all 4. SpyBot ran and found 70 tracking cookies, and I fixed those. Have also rerun Windows OneCare in both Full Performance Plus along with a Full System Scan with antivirus/antispyware with no problems found.

    Still using the external fan. Ran the above programs with Everest running also and on the Ad-Aware and Windows OneCare the motherboard temp showed between 50 to 68 degrees Celsius. However the run of SpyBot had temperatures as high as 82 degrees Celsius.

    Have also installed SpywareGuard and SpywareBlaster. Windows OneCare is updated almost daily and Windows is on automatic downloads for updates.

    Thanks again,

    John

  10. #60
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi

    Nice to hear that things are running ok now...

    Still pretty high temperatures...
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
