
Yesterday, my Dad tried to get a program he purchased for $400 installed on his computer. We could not even begin the install because of crashes. So I shut down the computer for the night.

This morning, the computer was very very VERY slow. Programs kept crashing over and over, but finally we were able to get the start menu to open and shut it down. It froze at the "Windows is shutting down" screen. My Dad needs this computer for his job, so this is a serious problem. The computer is an HP Pavilion (our last pre-built computer before we realized that customs are better).

The computer is too unstable to run HijackThis in regular mode, so I can only start the computer in safe mode. Safe mode seems to be running the computer at 10% of its pre-infected speed, which is fast enough to work with. Because safe mode too is acting funny, I thought a HijackThis log would be worth posting.

Logfile of HijackThis v1.99.1
Scan saved at 4:04:16 PM, on 2/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/main/Install/CentraDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I also noticed that the eTrust Antivirus could not scan several files; here is the virus scanning log if it is of any help:

eTrust EZ Antivirus Version 6.2.1.1
Started scanning: 1:12:35 PM, 2/17/2005
Dat file v8938

Scanning boot sectors...
C:\ Master Boot Record is unknown but seems OK.
C:\ Partition Boot Record is OK: standard Win2000 (2).

Scanning file(s)...
C:\Documents and Settings\Administrator\Cookies\index.dat - unable to open file - not scanned.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - unable to open file - not scanned.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat - unable to open file - not scanned.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat - unable to open file - not scanned.
C:\Documents and Settings\Administrator\NTUSER.DAT - unable to open file - not scanned.
C:\Documents and Settings\Administrator\ntuser.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\NTUSER.DAT - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - unable to open file - not scanned.
C:\Jason\Jason's Backup 122504\DOS Partition\Dooma5\DOOM1_0.1 - scan incomplete.
C:\Jason\Jason's Backup 122504\DOS Partition\Doominstall\DOOM1666.1 - scan incomplete.
C:\Jason\Jason's Backup 122504\DOS Partition\RECYCLED\Dc39.exe - scan incomplete.
C:\Jason\Jason's Backup 122504\DOS Partition\RECYCLED\Dc40.rar - scan incomplete.
C:\Jason\Jason's Backup 122504\Mozilla Profiles\Mozilla\Firefox\Profiles\wn5jk857.default\Cache\0755A880d01>humans.part2.rar - scan incomplete.
C:\Jason\Jason's Backup 122504\Mozilla Profiles\Mozilla\Firefox\Profiles\wn5jk857.default\Cache\0755A880d01>humans.part1.exe - scan incomplete.
C:\Jason\Jason's Backup 122504\Mozilla Profiles\Mozilla\Firefox\Profiles\wn5jk857.default\Cache\0755A880d01 - scan incomplete.
C:\pagefile.sys - unable to open file - not scanned.
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VIRUSLOG.TXT - unable to open file - not scanned.
C:\Program Files\RecordNow!\Tutorial\ENU\TutorialENU.exe - scan incomplete.
C:\Program Files\RecordNow!\Tutorial\Movies\movies.exe - scan incomplete.
C:\Program Files\Symantec\LiveUpdate\Lusetup-lt.exe - scan incomplete.
C:\WINDOWS\Debug\PASSWD.LOG - unable to open file - not scanned.
C:\WINDOWS\I386\WBCACHE.DE_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.EN_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.ES_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.FR_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.IT_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.NL_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.SV_ - scan incomplete.
C:\WINDOWS\system32\config\AppEvent.Evt - unable to open file - not scanned.
C:\WINDOWS\system32\config\default - unable to open file - not scanned.
C:\WINDOWS\system32\config\default.LOG - unable to open file - not scanned.
C:\WINDOWS\system32\config\SAM - unable to open file - not scanned.
C:\WINDOWS\system32\config\SAM.LOG - unable to open file - not scanned.
C:\WINDOWS\system32\config\SecEvent.Evt - unable to open file - not scanned.
C:\WINDOWS\system32\config\SECURITY - unable to open file - not scanned.
C:\WINDOWS\system32\config\SECURITY.LOG - unable to open file - not scanned.
C:\WINDOWS\system32\config\software - unable to open file - not scanned.
C:\WINDOWS\system32\config\software.LOG - unable to open file - not scanned.
C:\WINDOWS\system32\config\SysEvent.Evt - unable to open file - not scanned.
C:\WINDOWS\system32\config\system - unable to open file - not scanned.
C:\WINDOWS\system32\config\system.LOG - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP - unable to open file - not scanned.

Finished scanning: 3:08:25 PM, 2/17/2005
Number of files scanned: 352018.
Number of files that could not be scanned: 34
No file viruses detected.

2 Contributors · 1 Reply · 2 Views · 12 Years Discussion Span · Last Post by DMR

1. Your log is clean except for the following "loose end", which you can have HiajckThis fix:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

2. I'm not familiar with the eTrust AV program, but almost all of the files that it could not scan (or finish scanning) are pretty low-level Windows system files; EZ might not have permission to access them.

From the info you've given, the crashes don't really look like the result of malicious infections. Can you give more detail and/or history of the problems please?
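The two points above (an O2 entry whose DLL no longer exists, and "unable to open" lines that are really just locked hive, pagefile and index files) are the kind of triage that can be scripted. The following is an added example, not code from this thread, from HijackThis or from eTrust: it parses a few HijackThis-style lines and a few eTrust-style "could not scan" lines (both constructed samples modelled on the log format shown above), reports orphaned BHOs and Run entries given as a bare filename, and sorts unscanned paths into "expected to be locked" versus "worth a second look". The list of always-locked locations is a working assumption of the example, not an eTrust rule.

```python
import re

# Constructed sample in the shape of a HijackThis v1.99 log (not the full log above).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed sample in the shape of the eTrust "not scanned" listing.
SAMPLE_AV_LOG = r"""
C:\Documents and Settings\Administrator\NTUSER.DAT - unable to open file - not scanned.
C:\pagefile.sys - unable to open file - not scanned.
C:\WINDOWS\system32\config\SAM - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA - unable to open file - not scanned.
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VIRUSLOG.TXT - unable to open file - not scanned.
C:\Program Files\RecordNow!\Tutorial\ENU\TutorialENU.exe - scan incomplete.
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
UNSCANNED_RE = re.compile(
    r"^(?P<path>.+?) - (?P<reason>unable to open file - not scanned|scan incomplete)\.$"
)

# Assumed list of locations that are open exclusively by the OS while Windows runs
# (registry hives and their logs, event logs, pagefile, IE index.dat, WMI repository).
LOCKED_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\\system32\\config\\",
        r"\\ntuser\.dat(\.log)?$",
        r"\\usrclass\.dat(\.log)?$",
        r"\\pagefile\.sys$",
        r"\\index\.dat$",
        r"\\wbem\\repository\\",
    )
]


def parse_hjt(text):
    """Split HijackThis lines into (section, body) records; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def orphaned_bhos(entries):
    """CLSIDs of O2 entries whose DLL is gone: the registry still says load it, the disk has no file."""
    found = []
    for e in entries:
        if e["section"] != "O2":
            continue
        m = BHO_RE.match(e["body"])
        if m and m.group("path").strip().lower() == "(no file)":
            found.append(m.group("clsid"))
    return found


def run_entries(entries):
    """O4 Run entries; has_path is False when the log gives only a bare filename,
    so the log alone cannot tell you where that executable lives."""
    runs = []
    for e in entries:
        if e["section"] != "O4":
            continue
        m = RUN_RE.match(e["body"])
        if m:
            runs.append({"hive": m.group("hive"), "name": m.group("name"),
                         "cmd": m.group("cmd"), "has_path": "\\" in m.group("cmd")})
    return runs


def classify_unscanned(text):
    """Sort eTrust 'not scanned' / 'scan incomplete' paths into triage buckets."""
    result = {"expected_locked": [], "incomplete": [], "review": []}
    for line in text.splitlines():
        m = UNSCANNED_RE.match(line.strip())
        if not m:
            continue
        path, reason = m.group("path"), m.group("reason")
        if reason == "scan incomplete":
            result["incomplete"].append(path)
        elif any(p.search(path) for p in LOCKED_PATTERNS):
            result["expected_locked"].append(path)
        else:
            result["review"].append(path)
    return result


if __name__ == "__main__":
    hjt = parse_hjt(SAMPLE_HJT_LOG)
    print("orphaned BHOs:", orphaned_bhos(hjt))
    for r in run_entries(hjt):
        print("run entry:", r["name"], "(bare filename)" if not r["has_path"] else r["cmd"])
    for bucket, paths in classify_unscanned(SAMPLE_AV_LOG).items():
        print(bucket, len(paths))
```

Run as-is it reports the one orphaned CLSID from the sample, flags VTTimer as a bare filename, and puts only the antivirus's own VIRUSLOG.TXT into the "review" bucket, which matches the reading in the reply: a scanner skipping files the OS holds open is normal, and the unscanned list by itself is not evidence of infection.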
