
Thread: Spybot won't update, suspect Rootkit, RootAlyzer

  1. #1
    Junior Member
    Join Date
    May 2009
    Location
    Atlanta
    Posts
    7


    I've been a happy user of Spybot for years (thank you! wonderful product!). But now my Spybot (and AVG too) seem to only do 'fake' updates - they look like they go through the motions but don't really seem to update, because now they never detect anything at all that isn't ok (which I know isn't right). So I uninstalled and reinstalled, still no luck. Jochen kindly sent an email with a link to RootAlyzer and suggested I run it and paste the log here, plus pack the suspicious files. I'm not too technical (just enough to be dangerous) but I can follow most directions. I packed the suspicious files but can't figure out how to attach them (suggestions?). Here are the deep scan results. Thank you so much!

    // info: Rootkit removal help file
    // copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"No admin in ACL","C:\WINDOWS\Internet Logs\dumpIndex"
    File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_10_17_04_45_small.dmp.zip"
    File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_16_11_22_27_small.dmp.zip"
    File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_29_19_25_14_small.dmp.zip"
    File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_08_21_16_46_small.dmp.zip"
    File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_21_11_18_12_small.dmp.zip"
    File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_on_demand_thread_2008_12_15_21_51_06_full.dmp.zip"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\Contents.dat"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\global.js"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\HpuFunction.dll"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\main.hta"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\SoftwareUpdate.dll"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\unicows.dll"
    File:"No admin in ACL","C:\Documents and Settings\All Users\DRM\drmv2.lic"
    File:"No admin in ACL","C:\Documents and Settings\All Users\DRM\drmv2.sst"
    Directory:"No admin in ACL","C:\WINDOWS\Internet Logs"
    Directory:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update"

    Tried again to attach the suspicious files, but couldn't (clicked on Manage Attachments, browsed, selected file and clicked on upload). First I got a message that a security token is missing. Then it's taking forever to upload files but Task Mgr shows that there's very low CPU utilization ... kinda like running fast but getting nowhere.

    I feel like the malware is somehow infected into my wireless network and causes me to get false readings and/or to interfere with what I'm trying to do. Whenever I logon to my home network (a-network) via 'Wireless Connection 4' another network shows up that has all weird symbols for its name. It seems like that network is somehow 'piggybacked' or attached to my a-network. By the way my laptop is XP.

    Here's my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:20:45 AM, on 5/12/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localendar.com/elsie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O4 - Global Startup: officejet 6100.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://content.ancestry.com
    O15 - Trusted Zone: http://imageservice.ancestry.com
    O15 - Trusted Zone: http://www.ancestry.com
    O15 - Trusted Zone: http://*.ancestry.com
    O15 - Trusted Zone: http://www.ticketmaster.com
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01...s/MSNPUpld.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5483.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1192195126528
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...Detection2.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSC...ws-i586-jc.cab
    O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - https://wimpro.cce.hp.com/ChatEntry/...ds/sysinfo.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O24 - Desktop Component 0: (no name) - http://groups.msn.com/isapi/fetch.dl...dqKTJyY2fK81mI

    --
    End of file - 10534 bytes
    Last edited by tashi; 2009-05-13 at 07:34. Reason: Merged 3 posts

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    We can get another look for malware with MBAM:

    Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

    http://www.malwarebytes.org/mbam.php

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click **Remove Selected.**

    **A restart of your computer most likely will be required to remove some items.**

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

    Post the MBAM log in reply.
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    May 2009
    Location
    Atlanta
    Posts
    7

    MBAM logs after removing SpyBot and AVG paid version

    Shelf life, your help is appreciated very much. I ran MBAM a couple times, but here's the last time, after I had uninstalled both Spybot and AVG (the paid version which I recently purchased). AVG was crashing my system each time I tried to scan with it, so MBAM's results make sense. I allowed MBAM to fix the registry keys in conflict with Windows Security Center. There appear to be compatibility issues between the new Windows security center functions and AVG, so probably with Spybot too. I don't really know what to do now for ongoing protection. My computer seems to be running smoothly (except for the piggyback network trojan I suspect), but now I'm not protected. I had turned the Windows firewall on, but then turned it off since it seemed to be preventing me from getting to safe websites I use all the time (like Ticketmaster). I'm thinking of reinstalling Spybot first and then seeing how that goes. If that works ok, then maybe I'll try one of the lighter versions of AVG again - I had used the free version for years but lately it got weird and took 4 hours for scans, so I was hoping the paid version would work better. I'm sorry if I shouldn't talk about AVG here in SpyBot but those two programs always seemed to 'play well' together before. My laptop is older and only has 1mg memory so it can't handle these protection programs that bring all else to a halt.

    My gut also tells me I have some kind of 'piggyback' trojan whenever I sign on to my wireless network, as mentioned earlier. I think I need to figure out how to completely delete the existing wireless network configuration and create a clean one from scratch (I didn't set up the original one because I didn't know how, but with a little coaching I think I could do it now). Any advice/help is greatly appreciated. You people are so wonderful to help poor ignorants like moi.

    Malwarebytes' Anti-Malware 1.36
    Database version: 2139
    Windows 5.1.2600 Service Pack 2

    5/16/2009 5:33:33 PM
    mbam-log-2009-05-16 (17-33-33).txt

    Scan type: Full Scan (A:\|C:\|)
    Objects scanned: 173021
    Time elapsed: 58 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  4. #4
    Junior Member
    Join Date
    May 2009
    Location
    Atlanta
    Posts
    7

    MS Security update deleted 22 updates per Belarc Advisor

    Well I guess I screwed up. After uninstalling Spybot and AVG I double-checked to see that all my windows patches were up to date and Belarc said I was missing only one. So I decided to install that one (maybe it was SP3? 4?). But now I ran Belarc again and it tells me that now I'm missing 22 updates??? Here's what BelArc says (without the SW program key info!). I'm confused by this. Thanks.

    Operating System
    Windows XP Home Edition Service Pack 3 (build 2600)

    System Model
    Hewlett-Packard Pavilion ze5400 (DC964A) KH.F.08
    System Serial Number: CNF3240HKZ
    Enclosure Type: Notebook

    Processor
    2.40 gigahertz Intel Pentium 4
    8 kilobyte primary memory cache
    512 kilobyte secondary memory cache

    Main Circuit Board
    Board: Hewlett-Packard 0850 NS570 Version PQ1B56
    BIOS: Phoenix Technologies Ltd. KF_KH.F.08 06/06/2003

    Drives
    40.05 Gigabytes Usable Hard Drive Capacity
    17.55 Gigabytes Hard Drive Free Space
    TOSHIBA DVD-ROM SD-R2312 [CD-ROM drive]
    3.5" format removeable media [Floppy drive]
    SAMSUNG MP0402H [Hard drive] (40.06 GB) -- drive 0, s/n S03WJ20XB65141, rev UC100-14, SMART Status: Healthy

    Memory Modules
    960 Megabytes Installed Memory
    Slot 'J400' has 512 MB
    Slot 'J401' has 512 MB

    Local Drive Volumes
    c: (NTFS on drive 0) 40.05 GB 17.55 GB free

    Network Drives
    None detected

    Users
    local user accounts last logon
    Administrator 8/27/2008 8:01:05 AM (admin)
    Owner 5/17/2009 9:31:26 AM (admin)
    local system accounts
    Guest 2/12/2009 7:07:57 PM
    HelpAssistant never
    SUPPORT_388945a0 never
    SUPPORT_b326ad0c never
    DISABLED Marks a disabled account; LOCKED OUT Marks a locked account

    Printers
    eFax 4.2 on eFax_4_2_Port
    HP DeskJet 890C on LPT1:
    HP DeskJet 890C on LPT1:
    hp officejet 6100 series on USB001
    HP Officejet Pro L7600 S... fax on USB002
    HP Officejet Pro L7600 Series on USB002
    Microsoft XPS Document Writer on XPSPort:

    Controllers
    Standard floppy disk controller
    ALi M5229 PCI Bus Master IDE Controller
    Primary IDE Channel [Controller]
    Secondary IDE Channel [Controller]

    Display
    RADEON IGP 345M [Display adapter]
    Digital Flat Panel (1024x768) [Monitor] (19.7"vis)

    Bus Adapters
    O2Micro OZ6912 CardBus Controller
    VIA Rev 5 or later USB Universal Host Controller (2x)
    VIA USB Enhanced Host Controller

    Multimedia
    Conexant AC-Link Audio
    Unimodem Half-Duplex Audio Device

    Communications
    Conexant 56K ACLink Modem
    1394 Net Adapter
    LAN-Express IEEE 802.11 PCI Adapter
    primary Auto IP Address: 10.0.0.2 / 24
    Gateway: 10.0.0.1
    Dhcp Server: 10.0.0.1
    Physical Address: 00:02:8A:99:E5:64
    National Semiconductor Corp. DP83815/816 10/100 MacPhyter PCI Adapter
    Dhcp Server: 192.168.1.254
    Physical Address: 00:0B:CD:A8:E3:48
    Networking Dns Server: 10.0.0.1

    Other Devices
    Texas Instruments OHCI Compliant IEEE 1394 Host Controller
    Microsoft AC Adapter
    Microsoft ACPI-Compliant Control Method Battery
    ALi Fast Infrared Controller
    Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    Synaptics PS/2 Port TouchPad [Mouse]
    USB Root Hub (3x)

    Virus Protection
    No details available

    Missing Microsoft Security Hotfixes
    These required security hotfixes (using the 05/12/2009 Microsoft Security Bulletin Summary) were not found installed. Note: CIS benchmarks require that Critical and Important severity security hotfixes must be installed.
    KB954459 - Important (details...)
    KB923561 - Important (details...)
    KB946648 - Important (details...)
    KB950762 - Important (details...)
    KB950974 - Important (details...)
    KB951066 - Important (details...)
    KB951376 - Critical (details...)
    KB951376-V2 - Critical (details...)
    KB951748 - Important (details...)
    KB952004 - Important (details...)
    KB952954 - Critical (details...)
    KB956572 - Important (details...)
    KB956802 - Critical (details...)
    KB957097 - Important (details...)
    KB958644 - Critical (details...)
    KB958687 - Critical (details...)
    KB958690 - Critical (details...)
    KB959426 - Moderate (details...)
    KB960225 - Important (details...)
    KB960803 - Critical (details...)
    KB961373 - Critical (details...)
    Q960003 - Important (details...)
    Installed Microsoft Hotfixes
    .NETFramework
    1.0
    no verification data S867461 on 2/9/2005 (details...)
    no verification data M928367 on 7/12/2007 (details...)
    1.1
    no verification data S867460 on 11/13/2008 (details...)
    no verification data M928366 on 11/18/2008 (details...)
    CAPICOM
    no verification data KB931906 on 10/12/2007 (details...)
    Compatibility Pack for the 2007 Office system
    no verification data KB940289[SP] on 3/2/2009 (details...)
    no verification data KB951550 on 3/2/2009 (details...)
    no verification data KB951944 on 3/2/2009 (details...)
    no verification data KB954326 on 3/2/2009 (details...)
    no verification data KB956828 on 3/2/2009 (details...)
    no verification data KB958439 on 3/2/2009 (details...)
    no verification data KB969618 on 5/14/2009 (details...)
    MSXML 6 Service Pack 2 (KB954459)
    no verification data KB954459 on 11/13/2008 (details...)
    MSXML4SP2
    no verification data KB927978 on 11/16/2006 (details...)
    no verification data KB936181 on 8/15/2007 (details...)
    no verification data KB954430 on 11/13/2008 (details...)
    Office XP Standard for Students and Teachers
    no verification data KB904018 on 10/12/2007 (details...)
    no verification data KB905649 on 10/12/2007 (details...)
    no verification data KB905758 on 10/12/2007 (details...)
    no verification data KB910619 on 2/27/2007 (details...)
    no verification data KB911701 on 10/12/2007 (details...)
    no verification data KB913471 on 10/12/2007 (details...)
    no verification data KB920816 on 10/12/2007 (details...)
    no verification data KB921596 on 8/15/2008 (details...)
    no verification data KB932031 on 3/13/2008 (details...)
    no verification data KB933399 on 5/3/2009 (details...)
    no verification data KB944423 on 2/14/2008 (details...)
    no verification data KB946985 on 3/13/2008 (details...)
    no verification data KB950129 on 5/15/2008 (details...)
    no verification data KB953405 on 9/11/2008 (details...)
    no verification data KB956329 on 12/30/2008 (details...)
    no verification data KB956464 on 10/16/2008 (details...)
    no verification data KB957781 on 5/14/2009 (details...)
    no verification data KB959988 on 5/3/2009 (details...)
    Step By Step Interactive Training
    SP2
    passed verification KB898458 on 6/15/2005 (details...)
    passed verification KB923723 on 2/16/2007 (details...)
    WGA
    SP0
    passed verification KB892130 on 10/12/2007 (details...)
    Windows Media Format 11 SDK
    no verification data KB929399 (details...)
    SP0
    passed verification KB929399 on 4/8/2008 (details...)
    Windows Media Player 10
    no verification data KB936782_WMP10 (details...)
    SP2
    passed verification KB936782_WMP10 on 8/17/2007 (details...)
    Windows Media Player 11
    no verification data KB936782_WMP11 (details...)
    no verification data KB939683 (details...)
    no verification data KB954154_WM11 (details...)
    no verification data KB959772_WM11 (details...)
    SP0
    passed verification KB939683 on 4/8/2008 (details...)
    passed verification KB954154_WM11 on 9/11/2008 (details...)
    passed verification KB959772_WM11 on 4/1/2009 (details...)
    SP2
    passed verification KB936782_WMP11 on 4/8/2008 (details...)
    Windows Media Player 6.4
    no verification data KB925398_WMP64 (details...)
    SP0
    passed verification KB925398_WMP64 on 12/14/2006 (details...)

    Windows Media Player 9
    no verification data KB917734_WMP9 (details...)
    no verification data KB936782_WMP9 (details...)
    SP0
    passed verification KB911565 on 2/17/2006 (details...)
    passed verification KB917734_WMP9 on 6/19/2006 (details...)
    SP2
    passed verification KB936782_WMP9 on 8/15/2007 (details...)
    Windows Media Player
    no verification data KB952069_WM9 (details...)
    SP0
    passed verification KB911564 on 2/17/2006 (details...)
    passed verification KB952069_WM9 on 12/30/2008 (details...)
    Windows XP
    no verification data KB923689 (details...)
    no verification data KB941569 (details...)
    SP-1
    passed verification KB909520 on 11/13/2008 (details...)
    SP0
    passed verification KB923689 on 12/14/2006 (details...)
    passed verification KB929969 on 1/12/2007 (details...)
    passed verification KB933566-IE7 on 6/14/2007 (details...)
    passed verification KB938127-IE7 on 8/15/2007 (details...)
    passed verification KB938127-V2-IE7 on 1/22/2009 (details...)
    passed verification KB941569 on 12/15/2007 (details...)
    passed verification KB944533-IE7 on 2/28/2008 (details...)
    passed verification KB950759-IE7 on 6/12/2008 (details...)
    passed verification KB958215-IE7 on 12/30/2008 (details...)
    passed verification KB960714-IE7 on 1/22/2009 (details...)
    passed verification KB961260-IE7 on 2/17/2009 (details...)
    passed verification KB963027-IE7 on 5/3/2009 (details...)
    SP10
    passed verification MSCOMPPACKV1 on 4/6/2008 (Microsoft Compression Client Pack 1.0 for Windows XP)
    SP2
    no verification data KB811113[SP] on 2/9/2005 (details...)
    SP3
    no verification data KB936929[SP] on 5/17/2009 (details...)
    SP4
    passed verification KB915800-V4 on 5/17/2009 (details...)
    passed verification KB923561 on 5/3/2009 (details...)
    no verification data KB938464 on 11/3/2008 (details...)
    failed verification KB946648 on 11/3/2008 (details...) Reinstall!
    no verification data KB950760 on 6/12/2008 (details...)
    passed verification KB950762 on 6/12/2008 (details...)
    passed verification KB950974 on 11/3/2008 (details...)
    passed verification KB951066 on 11/3/2008 (details...)
    passed verification KB951376 on 6/12/2008 (details...)
    passed verification KB951376-V2 on 6/20/2008 (details...)
    passed verification KB951698 on 6/12/2008 (details...)
    passed verification KB951748 on 1/24/2009 (details...)
    passed verification KB952004 on 5/3/2009 (details...)
    passed verification KB952287 on 11/3/2008 (details...)
    passed verification KB952954 on 11/3/2008 (details...)
    passed verification KB954211 on 11/3/2008 (details...)
    passed verification KB954600 on 12/30/2008 (details...)
    passed verification KB955069 on 11/13/2008 (details...)
    passed verification KB955839 on 12/30/2008 (details...)
    no verification data KB956391 on 11/3/2008 (details...)
    passed verification KB956572 on 5/3/2009 (details...)
    passed verification KB956802 on 12/30/2008 (details...)
    passed verification KB956803 on 1/24/2009 (details...)
    passed verification KB956841 on 11/3/2008 (details...)
    passed verification KB957095 on 11/3/2008 (details...)
    passed verification KB957097 on 11/13/2008 (details...)
    passed verification KB958644 on 11/3/2008 (details...)
    passed verification KB958687 on 1/22/2009 (details...)
    passed verification KB958690 on 4/1/2009 (details...)
    passed verification KB959426 on 5/3/2009 (details...)
    passed verification KB960225 on 4/1/2009 (details...)
    no verification data KB960715 on 2/17/2009 (details...)
    passed verification KB960803 on 5/3/2009 (details...)
    passed verification KB961373 on 5/3/2009 (details...)
    passed verification KB967715 on 3/2/2009 (details...)
    Windows
    SP1
    passed verification IDNMITIGATIONAPIS on 1/9/2007 (Microsoft Internationalized Domain Names Mitigation APIs)
    passed verification NLSDOWNLEVELMAPPING on 1/9/2007 (Microsoft National Language Support Downlevel APIs)
    XML Paper Specification Shared Components Pack 1.0
    no verification data XPSEPSC (XML Paper Specification Shared Components Pack 1.0)


    [installed security hotfix] Marks a security hotfix (using the 05/12/2009 Microsoft Security Bulletin Summary)
    [failing installed security hotfix] Marks a security hotFix that fails verification (a security vulnerability)
    verifies OK Marks a hotfix that verifies correctly
    fails verification Marks a hotfix that fails verification (note that failing hotfixes need to be reinstalled)
    Unmarked hotfixes lack the data to allow verification

  5. #5
    Junior Member
    Join Date
    May 2009
    Location
    Atlanta
    Posts
    7

    Installed all missing MS updates and clean copy of Spybot

    ... and all seems to be running pretty well. Spybot updated properly (I didn't activate teatimer or the other realtime feature). The scan seemed to work properly as well. I'm going to live with this for a couple days and then see about reinstalling AVG. Maybe it was AVG causing compatibility problems. Thank you!

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    OK, good. Unless you practice 'safe hex' you really should have an AV solution on your machine. I would get AVG re-installed and updated and see how things go from there -- like you said, maybe a compatibility thing. Did you have tea timer or the immunization feature turned on before? You could try turning tea timer back on after AVG is installed to narrow things down. You must have a router. Is your network password protected? This would be done to ensure nobody else within the signal range of your router could join/use it. Other computers, if any are in range, could 'see' your network but not be able to join or use your connection if your router is password protected.
    How Can I Reduce My Risk?

  7. #7
    Junior Member
    Join Date
    May 2009
    Location
    Atlanta
    Posts
    7

    Default Reinstalled AVG 8.5, Crashed with IRQL message

    OK, here's where I'm at. Spybot was running smoothly. I've never used TeaTimer and I'm not using it now either, on the advice of a friend (resource intensive and my old laptop only has 1mg memory). I have immunized my system now, although I didn't used to use that feature either. I did notice the following messages in the 'Ignore System Internals' area of Spybot's settings - I'm including them in case they're meaningful to you:

    %JavaDir%\QTJava.zip Missing Shared DLL
    install.exe Wrong app path
    MsoHtmEd.exe Wrong app path
    winnt32.exe Wrong app path

    The MS updates for XP to SP3 seemed to be running smoothly also (I think these included some compatibility updates for my Outlook 2002, which helps it work with Hotmail's latest version that is made only for Outlook 2003 and 2007). Since all seemed smooth I reinstalled AVG 8.5. I decided not to install the Firewall part because it turns off the MS firewall and I don't want the nasty red warning sign on my screen all the time. I was able to get through the first full scan on AVG smoothly, so that was encouraging because I couldn't do that before without a crash. The results were good and all seemed to be well. And then last night my system crashed with a white error message on a black screen that said something about an IRQ L error? The message was kinda fast so I couldn't read it very well, but that's the type of crash message I was getting before, when all this started. I googled on that and read where that kind of message usually refers to drivers that are out of date. HP indicates that all my drivers are up to date. This morning I ran an MBAM Quick Scan, results below.

    Any ideas what I should do to identify and resolve the cause of the crash? I assume it's going to keep crashing until I figure it out. Regarding my networking: yes, I have a wireless router (Netgear WPN824) on my DSL line and it's password protected. I still feel that it's been hacked somehow, which is why I think I need to 'wipe the slate clean' and start from scratch to define a new user network, but I don't know how. If there's a site you can suggest that explains how to do that I would be grateful for a referral. I'm afraid to delete the existing one and risk not being able to get online, because I have to be able to. Thank you so much for helping me!

    Malwarebytes' Anti-Malware 1.36
    Database version: 2162
    Windows 5.1.2600 Service Pack 3

    5/21/2009 9:08:20 AM
    mbam-log-2009-05-21 (09-08-20).txt

    Scan type: Quick Scan
    Objects scanned: 90660
    Time elapsed: 9 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi DreamCatcher8,

    Ignore System Internals'
    i believe these are just inconsistencies in the registry. you can ignore them.

    it turns off the MS firewall
    installing a third-party firewall will turn off the MS firewall. you shouldn't be getting any warning signs. The Windows firewall is sufficient for the purpose it was intended for -- blocking unsolicited incoming traffic.

    there can be many reasons for crashes or BSOD, malware may not be responsible for this. there are web sites dedicated to BSODs

    http://www.updatexp.com/stop-messages.html
    http://aumha.org/a/stop.htm


    Is your network password protected?
    i didn't mean a password to log in to your router's web interface using http://192.168... what i should have asked is: is your router using WEP or WPA?
    a good place to start would be the router manufacturer's web page:

    http://kb.netgear.com/app/home
    look on the right under 'most popular answers'

    http://www.practicallynetworked.com/...ess_secure.htm

    http://www.microsoft.com/windowsxp/u.../wireless.mspx
    Last edited by shelf life; 2009-05-23 at 03:11. Reason: removed link
    How Can I Reduce My Risk?

  9. #9
    Junior Member
    Join Date
    May 2009
    Location
    Atlanta
    Posts
    7

    Default Regalyzer finds vsmon files

    hi shelf life, thank you for the links (which educate me) and your patience. it's very helpful to know what is and isn't important.

    regarding firewalls, i was a happy user of ZoneAlarm for a long time but i uninstalled it after compatibility issues arose with AVG some time ago (on the advice of the guy who used to take care of my system for me). i understand i need a better firewall than the basic MS one, so i can monitor outgoing traffic as well as incoming. i purchased the full-blown AVG 8.5 version with the firewall for that reason. the 'warning' message i was referring to is the resident MS 'shield' on the bottom right bar of my screen - the shield is usually yellow but turns to red when it senses a problem (such as the MS firewall being turned off, or no antivirus installed, or MS updates needing to be installed). for example, if I turn off the Link Scanner or Resident Shield modules of AVG I have to live with the annoying MS red shield (i do practice 'safe hex' LOL and wanted to improve my system performance by turning off those features). i guess i'll have to learn to live with that and will reinstall the AVG firewall module after i get the current crash problem resolved. i don't want to disable that feature entirely because it does prompt me when there are system updates i need to perform.

    last night i had another crash, but i think it was a black screen crash instead of a blue screen. it happened so fast i couldn't read what it said (is that recorded somewhere?) but it definitely was not saying the same thing as the BSOD message. i did observe that i was playing spider solitaire (giggle) each time the crashes happened but that's probably coincidence? this morning i ran the RegAlyzer tool again, results below. i read that vsmon files are from zonealarm so i'm thinking maybe the crashes are being caused by a compatibility issue between them and the MS firewall and/or the avg firewall. any thoughts on this? maybe deleting them will resolve? i have no clue what to do with the results ... suggestions welcome.

    File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_08_21_16_46_small.dmp.zip"
    File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_21_11_18_12_small.dmp.zip"
    File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_on_demand_thread_2008_12_15_21_51_06_full.dmp.zip"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\Contents.dat"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\global.js"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\HpuFunction.dll"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\main.hta"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\SoftwareUpdate.dll"
    File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\unicows.dll"
    File:"No admin in ACL","C:\Documents and Settings\All Users\DRM\drmv2.lic"
    File:"No admin in ACL","C:\Documents and Settings\All Users\DRM\drmv2.sst"
    Directory:"No admin in ACL","C:\WINDOWS\Internet Logs"
    Directory:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update"

    yes, i do have a WEP key on my wireless router. i think my wireless network may have some kind of configuration problem and it might be related to me having XP Home Edition instead of Pro (maybe something to do with IPsec?). i'll see if i can figure out how to delete my current config and create a fresh one, based on the links you provided. my other wireless network problem started quite some time ago after the (paid) guy who used to take care of my computer had done maintenance work on it (like some Windows updates) ... but after that visit my network never worked right again - it would disconnect me after a few minutes for a reason we could never figure out. HP gave me a NetBIOS update but that didn't work. i finally figured out a work-around myself: after i'm on the wireless network i go into Services and turn off WZC and that solves it, though it's annoying to have to do that all the time. (back then i didn't know i could've just done a system restore, if he had set a restore point). so i've learned to live with it, but would still like to solve the root cause of the problem someday because my wireless network used to work flawlessly once-upon-a-time. but that experience taught me that i should rely on myself and learn to take care of my own computer, trying to get smarter about these things, slowly but surely. it also taught me that MS updates are not always a good thing, which is why i had uninstalled SP3 after i experienced constant crashes from it the first time i installed. but these recent updates were SP2 to SP3 and it is running better this time, if i can just figure out how to eliminate these crashes now. there are fewer of them than before at least. hope you're having a good day shelf life. people like you are such a blessing to people like me.
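    The RootAlyzer output pasted above has a simple line format, `Kind:"finding","path"`, and the question of what to do with it is really a triage question: which flagged files share one root cause? The following is an added example (my own code, not part of this thread and not RootAlyzer's or Safer Networking's code) that parses lines in that format, counts flagged files per directory, and separates files whose parent directory carries the same finding (one inherited ACL) from files that stand on their own. The sample lines are constructed to match the format of the post; the helper names are mine.

```python
from __future__ import annotations

import csv
import ntpath
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the line format RootAlyzer prints:
#   <Kind>:"<finding>","<path>"
SAMPLE_LOG = r'''
File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_08_21_16_46_small.dmp.zip"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\vsmon_on_demand_thread_2008_12_15_21_51_06_full.dmp.zip"
File:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe"
File:"No admin in ACL","C:\Documents and Settings\All Users\DRM\drmv2.lic"
Directory:"No admin in ACL","C:\WINDOWS\Internet Logs"
Directory:"No admin in ACL","C:\Program Files\Hewlett-Packard\HP Software Update"
'''


@dataclass(frozen=True)
class Finding:
    kind: str     # "File" or "Directory"
    reason: str   # what RootAlyzer flagged, e.g. "No admin in ACL"
    path: str     # Windows path exactly as reported


def parse_rootalyzer(text: str) -> list[Finding]:
    """Parse result lines; anything not shaped Kind:"reason","path" is skipped."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        kind, rest = line.split(":", 1)          # only the first colon; paths contain "C:"
        fields = next(csv.reader([rest]))        # csv handles the quoted, comma-separated fields
        if kind not in ("File", "Directory") or len(fields) != 2:
            continue
        findings.append(Finding(kind, fields[0], fields[1]))
    return findings


def _key(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def files_per_directory(findings: list[Finding]) -> Counter:
    """How many flagged files live in each parent directory."""
    return Counter(_key(ntpath.dirname(f.path)) for f in findings if f.kind == "File")


def split_by_directory_finding(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Files whose parent directory carries the same finding are one root cause
    (the ACL was most likely inherited); the rest need a look of their own."""
    dirs = {(_key(f.path), f.reason) for f in findings if f.kind == "Directory"}
    explained: list[Finding] = []
    standalone: list[Finding] = []
    for f in findings:
        if f.kind != "File":
            continue
        parent = (_key(ntpath.dirname(f.path)), f.reason)
        (explained if parent in dirs else standalone).append(f)
    return explained, standalone


if __name__ == "__main__":
    found = parse_rootalyzer(SAMPLE_LOG)
    for directory, n in files_per_directory(found).most_common():
        print(f"{n:3d} flagged file(s) under {directory}")
    explained, standalone = split_by_directory_finding(found)
    print(f"{len(explained)} explained by a directory-level finding; "
          f"{len(standalone)} to inspect individually:")
    for f in standalone:
        print("  ", f.path)
```

    Run against the full list in the post, every vsmon and HP Software Update entry sits under a directory that carries the same finding, so those collapse to two objects to look at (the ZoneAlarm log folder and the HP updater folder) rather than fourteen, while the two DRM files have no directory-level finding and are the only ones that need to be checked one by one.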

  10. #10
    Junior Member
    Join Date
    May 2009
    Location
    Atlanta
    Posts
    7

    Default got crash codes

    hey. just crashed again but got error codes ... can you decipher?

    BCCode : 100000d1 BCP1 : 00000000 BCP2 : 000000FF BCP3 : 00000001
    BCP4 : 8638555C OSVer : 5_1_2600 SP : 3_0 Product : 768_1
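    The line above is the key/value summary Windows XP shows in its error report after a crash, and the BCCode is the STOP code that scrolled past too fast to read. As an added example (my own code, not from this thread or from Microsoft), the block below parses that line and decodes it: the STOP code name for a handful of well-known codes, the parameter layout shared by STOP 0xD1 and 0x0A, the OS version, and the Product field read with the Win32 `VER_SUITE_*` / `VER_NT_*` constants. The sample line is a constructed copy of the post's format; stripping the `0x1000` prefix XP's reporting adds to some codes is my reading of that convention.

```python
from __future__ import annotations

import re

# Constructed copy of the line format XP's error report shows after a crash:
# "KEY : VALUE" pairs, hex values without a 0x prefix.
SAMPLE_REPORT = (
    "BCCode : 100000d1 BCP1 : 00000000 BCP2 : 000000FF BCP3 : 00000001 "
    "BCP4 : 8638555C OSVer : 5_1_2600 SP : 3_0 Product : 768_1"
)

# STOP codes with well-known names; anything else is reported as UNKNOWN.
STOP_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x24: "NTFS_FILE_SYSTEM",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

# OSVERSIONINFOEX suite-mask and product-type constants from the Win32 headers.
VER_SUITE_SINGLEUSERTS = 0x0100
VER_SUITE_PERSONAL = 0x0200
VER_NT_WORKSTATION = 0x0001

_PAIR = re.compile(r"(\w+)\s*:\s*(\S+)")


def parse_report(line: str) -> dict[str, str]:
    """Split the 'KEY : VALUE' pairs into a dict."""
    return dict(_PAIR.findall(line))


def stop_code(bccode: str) -> int:
    """Return the STOP code as an int, stripping XP's 0x1000 report prefix
    (100000d1 is STOP 0xD1) but leaving codes such as 0xC000021A intact."""
    code = int(bccode, 16)
    if code >> 16 == 0x1000:
        code &= 0xFFFF
    return code


def decode(line: str) -> dict:
    r = parse_report(line)
    code = stop_code(r["BCCode"])
    params = [int(r[f"BCP{i}"], 16) for i in range(1, 5)]
    out = {"stop_code": code, "name": STOP_NAMES.get(code, "UNKNOWN"), "params": params}

    # 0xD1 and 0x0A share a layout: [0] memory referenced, [1] IRQL at the time,
    # [2] 0 = read / 1 = write, [3] address of the instruction that faulted.
    if code in (0xD1, 0x0A):
        out.update(
            referenced=params[0],
            irql=params[1],
            access={0: "read", 1: "write"}.get(params[2], f"other({params[2]})"),
            instruction=params[3],
        )

    major, minor, build = r["OSVer"].split("_")
    out["os"] = f"{major}.{minor} build {build}"
    out["service_pack"] = r["SP"].replace("_", ".")

    suite, ptype = (int(x) for x in r["Product"].split("_"))
    edition = ("Home Edition" if suite & VER_SUITE_PERSONAL
               else "Professional" if suite & VER_SUITE_SINGLEUSERTS
               else "unknown")
    out["edition"] = edition + (" (workstation)" if ptype == VER_NT_WORKSTATION else " (server)")
    return out


if __name__ == "__main__":
    d = decode(SAMPLE_REPORT)
    print(f"STOP 0x{d['stop_code']:08X} {d['name']}")
    if "access" in d:
        print(f"  {d['access']} of 0x{d['referenced']:08X} at IRQL {d['irql']} "
              f"by code at 0x{d['instruction']:08X}")
    print(f"  Windows {d['os']}, SP {d['service_pack']}, {d['edition']}")
```

    Decoded, the post's line is STOP 0xD1 DRIVER_IRQL_NOT_LESS_OR_EQUAL: a kernel-mode driver wrote to an invalid address while running at a raised IRQL, with BCP4 being the address of the instruction that did it. The report line alone does not name the driver; that comes from the minidump XP writes under the Windows Minidump folder, which is the file to keep and look at next.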
