caught a bug

[gwilym]

I think I've got a bug. When I run a program nero for example it seems to be doing the job but very slowly. I eventualy give up and try to end task but have trouble doing it. I dont know very much about computers but when I press ctr alt del it shows 100% cpu usage I dont know if it should or nort.
When I manage to shut dowmn the program it goes to about 2%.
I,ve just been trying to update spybot for an hour it seem to be working bur very very slowly, I gave up and it wouldent close down.
I recon I've caught something nasty. Can someone please look at log. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 22:21:27, on 29/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WIND0WS.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WIND0WS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKCU\..\Run: [SpySweeper] "G:\SpySweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Presario\XPHWWRF4\plugin\bin\ PCHButton.exe
O4 - Startup: WIND0WS.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WIND0WS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/supergerball...GameLoader.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126896845515
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

[Autodad]

Hi gwilym,


Disable your antivirus program and go here (http://www.bitdefender.com/scan8/ie.html) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).

And/or ...


Please run Kaspersky online virus scan: http://www.kaspersky.com/virusscanner

When the scan is finished, save the results from the scan, and please post the results from Kaspersky scan here.


I see that you have ewido....
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful").

Then, reboot to Safe mode (tap F8 while restarting).

Run ewido, click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to you next reply.
After you reboot normally, also post a new HJT log.

[gwilym]

Hi Autodad, I ran bitdefender which I have it came up clean.
I no longer have ewido the trial period ran out and I deleted it.
I ran kasperky and it found some stuff I couldent see a way of deleting it though. Probably missing something, anyway here,s the report from Kaspersky:

KASPERSKY ON-LINE SCANNER REPORT
Friday, March 31, 2006 7:20:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 31/03/2006
Kaspersky Anti-Virus database records: 174098


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 106126
Number of viruses found 4
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 01:22:02

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Identities\{7D26A908-66FA-4E57-B22B-082BEFD65E52}\Microsoft\Outlook Express\Deleted Items.dbx/[From AlexJWalls1@aol.com][Date Sat, 19 Feb 2005 12:34:29 EST]/inst_AUTOMINER.exe/rinst.exe Infected: Trojan.Win32.KillAV.ef skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Identities\{7D26A908-66FA-4E57-B22B-082BEFD65E52}\Microsoft\Outlook Express\Deleted Items.dbx/[From AlexJWalls1@aol.com][Date Sat, 19 Feb 2005 12:34:29 EST]/inst_AUTOMINER.exe Infected: Trojan.Win32.KillAV.ef skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Identities\{7D26A908-66FA-4E57-B22B-082BEFD65E52}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped

C:\Program Files\Hijackthis\backups\backup-20060129-100219-951 Infected: Trojan.Win32.Qhost.a skipped

C:\WINDOWS\AuHCcup1.ini:gqpgt:$DATA Infected: Trojan-Downloader.Win32.Agent.bq skipped

C:\WINDOWS\AuHCcup1.ini:npzbv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\WINDOWS\GetServer.ini:bkgsif:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\WINDOWS\KB896423.logjzny:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\WINDOWS\KB896423.logjznyh:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\WINDOWS\msdfmap.ini:whjahv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\WINDOWS\Prairie Wind.bmp:nsbco:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\WINDOWS\setuperr.logtquyl:$DATA Infected: Trojan-Downloader.Win32.Agent.bq skipped

C:\WINDOWS\VGAsetup.ini:unalbu:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\WINDOWS\_default.pif:couid:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

Scan process completed.

[Autodad]

Hi,

These are infected e-mails:
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Identities\{7D26A908-66FA-4E57-B22B-082BEFD65E52}\Microsoft\Outlook Express\Deleted Items.dbx/

Did you delete what's in your "Deleted" folder in Outlook Express?


Then for the others... Try this:

Please download the latest version of CWShredder here: CWShredder.exe .
Save it to your desktop.
Then check it for any updates, but don't run it yet.
_ _ _ _

Next, please download About:Buster from the following link. Extract it from zip to your desktop.

http://www.malwarebytes.org/AboutBuster.zip


Open it and check for updates, but don't run it yet.
_ _ _ _

To clean your temp folder, recycle bin, etc..please download this free tool:
CCleaner
Don't install any Toolbars, or other programs, should it ask you!
It will put a shortcut on your Desktop, but don't run it yet.
_ _ _ _

Finally, please get AdAware SE
Install The Program.
Make sure that you update it, but we will use it later, so just close Ad-aware after it's set up and updated.



Now, reboot to Safe mode by tapping F8 while restarting.


Close any open Windows.
Then open and run CWShredder.
Run it, then click "Fix" (not Scan only) and let it fix all the variants it finds.
_ _ _ _

Close CWShredder and open Ad-Aware se.

Perform a full system scan with Ad-Aware, and let it fix all it finds.
_ _ _ _ _

Open AboutBuster
Click "Begin Removal". Allow it to close explorer during the scan, if it needs to. If it asks to do a second scan allow it to do so. When the scan is complete save the log and close the program.


Then open CCleaner. Click on CCleaner to start it. Then click "Run Cleaner".
Then Reboot (Exit).

Reboot normally.


Then run Kaspersky again and please post that log, and your about:buster log here.

[gwilym]

Hi Autodad, thanks for your help. I think I did everything you asked.
CWS said 'infection found would you like to reset your internet explorer settings' I pressed yes. Wasent sure though.
Anyway here's the logs:

AboutBuster 6.01
Scan started on [01/04/2006] at [15:51:08]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\AuHCcup1.ini:gqpgt
Removed Stream! C:\WINDOWS\AuHCcup1.ini:npzbv
Removed Stream! C:\WINDOWS\GetServer.ini:bkgsif
Removed Stream! C:\WINDOWS\msdfmap.ini:whjahv
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:nsbco
Removed Stream! C:\WINDOWS\tsc.ini:gmxosh
Removed Stream! C:\WINDOWS\VGAsetup.ini:unalbu
Removed Stream! C:\WINDOWS\_default.pif:couid
-------------------------------------------------------------
Removed File! : C:\WINDOWS\qtlyv.txt
Removed File! : C:\WINDOWS\system32\frinh.txt
Removed File! : C:\WINDOWS\system32\qfhrj.log
Removed File! : C:\WINDOWS\system32\wkmjq.dat
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 15:54:02


AboutBuster 6.01
Scan started on [01/04/2006] at [15:58:13]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 16:00:36

KASPERSKY ON-LINE SCANNER REPORT
Saturday, April 01, 2006 5:42:27 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 1/04/2006
Kaspersky Anti-Virus database records: 174237


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 106472
Number of viruses found 3
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 01:26:16

Infected Object Name Virus Name Last Action
C:\Program Files\Hijackthis\backups\backup-20060129-100219-951 Infected: Trojan.Win32.Qhost.a skipped

C:\System Volume Information\_restore{F23DFDA3-AF73-4E6B-8CAD-9DE464787739}\RP55\A0021471.ini:gqpgt:$DATA Infected: Trojan-Downloader.Win32.Agent.bq skipped

C:\System Volume Information\_restore{F23DFDA3-AF73-4E6B-8CAD-9DE464787739}\RP55\A0021471.ini:npzbv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\System Volume Information\_restore{F23DFDA3-AF73-4E6B-8CAD-9DE464787739}\RP55\A0021472.ini:bkgsif:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\System Volume Information\_restore{F23DFDA3-AF73-4E6B-8CAD-9DE464787739}\RP55\A0021473.ini:whjahv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\System Volume Information\_restore{F23DFDA3-AF73-4E6B-8CAD-9DE464787739}\RP55\A0021475.ini:unalbu:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

C:\System Volume Information\_restore{F23DFDA3-AF73-4E6B-8CAD-9DE464787739}\RP55\A0021476.pif:couid:$DATA Infected: Trojan-Downloader.Win32.Agent.bc skipped

Scan process completed.

[Autodad]

Hi gwil,

You did everything correctly.... Good job!

Your Kaspersky scan looks good now.
This is a backup file in HijackThis:
C:\Program Files\Hijackthis\backups\backup-20060129-100219-951 Infected: Trojan.Win32.Qhost.a skipped

And these are in your System Restore (more on that in a bit)..
C:\System Volume Information\_restore{F23DFDA3-AF73-4E6B-8CAD-9DE464787739}\RP55\A0021471.ini:gqpgt:$DATA Infected: Trojan-Downloader.Win32.Agent.bq skipped

Just don't use System restore for now (unless you have no other choice).


Let's just see a new HJT log (after you reboot), and let us know if you have any problems....

[gwilym]

Hi, I remember from previous problems that shutting down 'system restore' and rebooting clears it. So I,ve done that.
When I was doing it and pressed apply it just hung there doing nothing and I had to end program. I just mention this as it seems to be happening a lot, not being able to shut things down. When I say a lot I mean now and again.
I,ve just had a thought, I recently downloaded Netguard from NTL my cable provider could this be causing problems?
Mind you the kids are on here a lot downloading allsorts thats more likely to be the cause. Thanks again for all your help. Here,s HighJack Log:

Logfile of HijackThis v1.99.1
Scan saved at 21:16:35, on 01/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WIND0WS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WIND0WS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKCU\..\Run: [SpySweeper] "G:\SpySweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Presario\XPHWWRF4\plugin\bin\ PCHButton.exe
O4 - Startup: WIND0WS.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WIND0WS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/supergerball...GameLoader.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126896845515
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

[Autodad]

Hi,

One thing to remember about cleaning your System Restore, is to make a new restore point...


Open Hijackthis, click Scan, then put a check next to the following entries:

O4 - Startup: WIND0WS.EXE

O4 - Global Startup: WIND0WS.EXE


Now Close all open Windows and browsers (have only HJT open) and click "Fix Checked".


Then reboot.
And please post a new HJT log.


Did the shutdown problems start when you got Netguard?

See if these links help with your shut down problems:

http://aumha.org/win5/kbshtdwn.php
http://aumha.org/win5/a/shtdwnxp.htm
http://www.theeldergeek.com/shutdown_issues_in_xp.htm

http://search.microsoft.com/results....n-US&FORM=SSME

[gwilym]

Hi there Autodad, I had trouble getting rid of WINDOWS.EXE it woudent let me fix it, I went to device maneger and shut it down but it still wouldent do it then I tried it in safe mode and I think that got it.
I,ve had that one before, if I ever see that am I safe to get rid of it with highjack whenever it shows up.
Thanks for the websites I just havent had time to study them yet, I will.
Here,s the log:

Logfile of HijackThis v1.99.1
Scan saved at 09:15:45, on 02/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKCU\..\Run: [SpySweeper] "G:\SpySweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Presario\XPHWWRF4\plugin\bin\ PCHButton.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/supergerball...GameLoader.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126896845515
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

[Autodad]

Hi gwil,

Good thinking to go into Safe mode!

Looks OK.
If you're not having any problems, then here are some suggestions to clean/protect your PC:
(Some may be redundant, so only use those that apply...)

I recommend that you get AdAware SE
Install The Program and Run it. Make Sure You Click the "Check for Updates" Button before starting a scan.
Do a scan with AdAware and Remove Everything it suggests.

Then, also get Spybot: Search and Destroy
Check for Updates first, download ALL Updates and Do a Scan.
When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

Keep them updated, and run them periodically.
_ _ _ _ _

Then click Start | Run (type) cleanmgr
Select the following:
1) Temporary Internet Files
2) Recycle Bin
3) Temporary Files

When completed Reboot.
_ _ _ _ _

Also go to Windows Update to keep up on all the latest security patches that apply to your PC.
Check Windows' Update site frequently, as new patches come out often. You don't need to install all the updates offered, but ALWAYS get the latest security updates available.
_ _ _ _ _

Then, it is not an option these days to be on the internet without and Updated Anti-Virus. If you have one, check it for updates frequently (or set it to "Auto" update). If you don't have one, or can't afford one, a good free one to use is AVG .
Have a look at this link: http://www.mvps.org/winhelp2002/avg7.htm

Just as it is important to have an updated Anti-virus, it's equally important to have a Firewall these days. Again, if you can't afford one, this is a good free one:

Kerio Personal Firewall.
_ _ _ _ _

Then I recommend you clean out your System Restore
Doing this will remove all your restore points, and any infections that might be hanging in there.

Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives".
Click Apply.
Click Yes to do this.
Click OK.
Then Restart your computer.

After you have restarted, turn System Restore back on:
Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply, and then click OK.

Then create a new restore point once you have System Restore back on.
To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.
When the System Restore Utility opens, click "Create a Restore Point" then click Next.
Enter a name for this Restore Point, and click Create.
_ _ _ _ _

Here is a link that explains how to Clear Out Forgotten Programs, Free Up Wasted Space, Defragment Your Computer, etc...

http://www.microsoft.com/windowsxp/u...storeperf.mspx
_ _ _ _ _

Here are some good links to follow to make your Internet Explorer more secure:

http://www.mvps.org/winhelp2002/restricted.htm
http://mvps.org/winhelp2002/unwanted.htm
_ _ _ _ _

Here is some free protection you should also consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check them for updates occasionally.


And also see Tony Klein's fine article:
So how did I get infected in the first place?


Let us know if you have any concerns,

Stay safe!

[gwilym]

I,ve just had another blip dont know if it,s connected to what we,ve just done. The screen broke up and message came up: 'The ialmrnt5 display driver has stopped working normally Reboot the system.
I,ve rebooted and things seem ok.
I did have another pop up earlier: IEXPLORE.EXE The instruction referenced memory at oxo34154ed. The memory could not be read. Click ok to terminate.
As I said I dont know if this is conected but it's never happened before.

[Autodad]

What were you doing/playing when it happened?

[gwilym]

I was on a poker site.

[Autodad]

Hi,

I'm not really sure.
Do you have an Intel Graphics Card or Intel Graphics Controller?

You might ask here:
http://www.cybertechhelp.com/forums/...splay.php?f=18
or here:
http://www.cybertechhelp.com/forums/...splay.php?f=16

[gwilym]

Hi Autodad, things seem fine now, I,ve been back on that poker site no problems. I,ll study all the websites you,ve given me over the next week.
I finaly managed to update Spybot, I,ve been tring for weeks. It found a ' coolweb search installer' I,ll run all the various machines regularly to keep this comp clean.
Thanks a lot for your help CTH is as brilliant as ever.