AVG - Windows Conflict

Discussion in 'Windows - Virus and spyware problems' started by shawanba, Sep 28, 2006.

  1. shawanba

    shawanba Guest

    Last Friday my computer froze out of the blue on the black screen - last known configuration - and I performed several steps offered in another thread to try and figure out a solution . . . eventually, I have narrowed the problem down to my AVG 7.1 Network antivirus . . . and have been working with the technicians to resolve the issue. However, I believe they are stuck as I have not had a response to the latest tasks I performed in over 24 hours . . . so I thought I would pick your brains.

    My desktop computer (I am on my son's laptop) will not run in anything but safe mode right now . . . because the last tack they had me perform automatically causes Windows XP to BSOD. Even though the STOP message is 0x00000007 this is not right because I checked the video adapter driver etc. by troubleshooting following Microsoft's instructions.

    I have uninstalled and reinstalled AVG several times. When the program is not installed the computer runs great, reboots etc. However, with AVG, which I have been running successfully for about 10 years, the computer now crashes. I have sent event logs etc a couple of times and we are now at the stage where I performed a surface check and scanned for an attempt to recover bad sectors, which came up with nothing. I also used the REGEDIT tool to set the registry key: [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/CrashControl] to values:
    "AutoReboot"=dword:00000000
    "CrashDumpEnables"=dword:00000002
    which denied automatic system reboot after BSOD and was supposed to create a Kernel Dump File, but never did. I performed this several times in safe mode under Administrator and my personal account and neither one provided the dump. I was instructed to go into System and change the settings to complete the Dump File and received an error message stating:
    If the page file on Volume C: has an initial size of less than 253mb, then the system may not be able to create a debugging information file if a STOP error occurs.
    So I was not able to send the techs the memory.dmp but have sent them a file in Windows called minidump.

    The techs also had me download and open a sysdump file and send them the results (sysdump.tar) however while performing this task I received a Windows Installer message:

    The feature you are trying to use is on a CD_ROM or other removable disc that is not available. Insert the 'VBA (3821h)' disc and click ok.

    But I finished the task and emailed them the sysdump.tar twice. The first one was corrupted. They had me retry the memory.dmp task another time but the comp never provided the file they were after . . .

    So, I am still in safe mode wondering whether these guys know what they are doing . . . I emailed them yesterday, after 24 hours without any response and have been told that my situation has been sent to "developers for further analysis" . . .

    So, does anyone have any suggestions? I am somewhat computer literate, but not a whiz by any means . . . but I can send whatever logs or files from my computer via safe mode to this forum if need be. I just want to get life back to normal as my business is down without my desktop . . .

    Thanks in advance :)
     
  2. shawanba

    shawanba Guest

    While awaiting some input, I have uninstalled AVG 7.1 and am now back on line in Windows XP unprotected . . . I have decided to go through the steps mentioned in this thread to clean the system up and remove adware etc . . . I already have Ewido . . . but still await advice. I'll post any logs from Hijack as soon as they are available. :)
     
  3. shawanba

    shawanba Guest

    I am trying to perform the tasks listed under the thread "Problems with Malware . . . " but the downloads are taking forever. Fortunately, I already had Hijackthis from an email sent by AVG. So I opened the .exe and below is the log. Perhaps this will help:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:26:41 AM, on 9/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\WallMaster\wallmast.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sddosh.tripod.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    O1 - Hosts: comments (such as these) may be inserted on individual
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\SHANNO~1.DOS\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: CorelCENTRAL 10.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125319698508
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4363/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8BE678E3-5C48-4723-AF53-8A33B0B78FD8}: NameServer = 204.117.214.10,199.2.252.10
    O20 - Winlogon Notify: GuardianNOFUL - ðì. (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

     
  4. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Hello shawanba,

    You've got something, but it's unknown to me. Never seen this before.

    Go here and download SmitFraudFix.zip to the desktop.
    Extract all the files.
    Open the created folder.
    Double-click smitfraudfix.cmd
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Please do not run other options unless instructed.

    Post the contents of rapport.txt
     
  5. shawanba

    shawanba Guest

    I hope I did this right . . . thanks for the help Niobis :)

    SmitFraudFix v2.101

    Scan done at 21:07:04.96, Thu 09/28/2006
    Run from C:\unzipped\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Shannon D. Dosh


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Shannon D. Dosh\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SHANNO~1.DOS\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

     
  6. Niobis

    Niobis Active member

    Good work, unfortunately no use. This may be hardware related, but I suspect malware. Can you boot in normal mode?

    I'm still trying to find out what this is...

    O20 - Winlogon Notify: GuardianNOFUL - ðì. (file missing)

    Do you know anything about "GuardianNOFUL"?

    If you can, go here and click Kaspersky Online Scanner.
    Accept the terms.
    After downloading, click My Computer.
    After scanning click "Save report as".
    Save as a text file.
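
The by-eye triage of the O20 line in the post above can be scripted. This is an added example, not part of any post in this thread and not HijackThis code: it parses HijackThis-style lines (the sample lines are excerpted from the log posted earlier in the thread), flags entries whose target is missing, unresolved, non-ASCII or run from a temp directory, and lists other entries that share a name token with a flagged Winlogon Notify package. The function names and the heuristics are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Lines excerpted from the HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = (
    r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\SHANNO~1.DOS\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
"""
    # The thread shows the DLL field as two non-ASCII characters; written as escapes here.
    + "O20 - Winlogon Notify: GuardianNOFUL - \u00f0\u00ec. (file missing)\n"
    + r"""O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""
)

# Section code (R0, O4, O20, ...) followed by " - " and the entry text.
# A leading digit 0 is accepted because the code is often retyped as "020".
ENTRY_RE = re.compile(r"^([RFNO0])(\d{1,2}) - (.*)$")


@dataclass
class Entry:
    code: str  # section code such as "O4" or "O20"
    body: str  # everything after "Oxx - "


def parse_log(text):
    """Return the scan entries of a HijackThis log, skipping header and process lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            letter = "O" if m.group(1) == "0" else m.group(1)
            entries.append(Entry(letter + m.group(2), m.group(3)))
    return entries


def reasons(entry):
    """Heuristic reasons (assumptions of this example) why an entry deserves a closer look."""
    found = []
    body = entry.body.rstrip()
    if body.endswith("(file missing)"):
        found.append("target file missing")
    if any(ord(ch) > 0x7E or ord(ch) < 0x20 for ch in body):
        found.append("non-printable or non-ASCII characters in entry")
    if entry.code == "O4" and re.search(r"\\(temp|tmp)\\", body, re.I):
        found.append("autostart command runs from a temp directory")
    if body.endswith("= ?"):
        found.append("shortcut target shown as '?' (unresolved)")
    return found


def name_tokens(entry):
    """Capitalised words inside a Winlogon Notify package name, lower-cased."""
    m = re.match(r"Winlogon Notify: (\S+)", entry.body)
    if not m:
        return []
    return [t.lower() for t in re.findall(r"[A-Z][a-z]{3,}", m.group(1))]


def triage(entries):
    """List flagged entries with their reasons and any other entries sharing a name token."""
    report = []
    for e in entries:
        why = reasons(e)
        if not why:
            continue
        tokens = name_tokens(e)
        related = [o for o in entries
                   if o is not e and any(t in o.body.lower() for t in tokens)]
        report.append((e, why, related))
    return report


if __name__ == "__main__":
    for entry, why, related in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.code}: {entry.body}")
        for reason in why:
            print(f"    - {reason}")
        for other in related:
            print(f"    see also {other.code}: {other.body}")
```

A shared token is only a lead for where to look next (here the flagged GuardianNOFUL entry and the RunOnce line both contain "Guardian"); it does not establish what created the entry.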
     
  7. shawanba

    shawanba Guest

    I've encountered a problem when trying to load the scanner. An error message appears:

    Failed to load Kaspersky Online Scanner Active X Control. You must have administrative rights on this computer; you must also have IE security settings to the Medium level.

    I checked the user accounts in control panel and I am the only one listed with administrative rights. The only place I can find that differentiates my name and administrator is in System - Advanced - User Profile settings - there is an administrative profile set and one with my name. What should I do to correct this conflict? IE is set on medium.
     
  8. Niobis

    Niobis Active member

    Open IE > Tools > Internet options > Privacy tab > under settings set bar to Medium and try again.
     
  9. omar3333

    omar3333 Regular member

    Joined:
    Jun 17, 2006
    Messages:
    282
    Likes Received:
    0
    Trophy Points:
    26
    edited by ddp
     
    Last edited: Sep 30, 2006
  10. Niobis

    Niobis Active member

    Read the rules! A member like yourself should know there's no talk of piracy!

    Edit: and your sig is too big.
     
    Last edited: Sep 30, 2006
  11. shawanba

    shawanba Guest

    No matter what, Niobis, I cannot complete the download because of the error message mentioned above. I emailed the company, but must register a product to get support. I have logged onto safe mode as administrator with the hope of getting some satisfaction, but alas no such luck. Since I have uninstalled AVG I can start Windows normally but the pages load extremely slow. I left the housecall scanner running all night and the page never loaded. Several times I tried the BitDefender program but keep getting an Active X control message. I sat in front of the computer for over 30 minutes waiting for something to appear so I could click on acceptance for Active X Control, but nothing ever did.

    Yesterday, I contacted Embarq (formerly Sprint) about the DSL connection. I have 5.0 and pay through the nose. The tech guy tried several tricks and ended up giving me an 800 number to Windows because of the problems between them and several anti-virus programs? The phone number has been disconnected. I think the guy was ready to go home!

    I appreciate your assistance, but don't know what to do. I was abot to download the cccleaner only because I had my son email it to me as the download would have taken about 3 days. I performed this action, but cannot continue with the others on the list because of the pages hanging and not loading properly or something.

    Can you suggest something that I can purchase at Office Max (the only store in town) . . . or another avenue of assistance? After 8 days of dealing with this mess I am at the end of my rope . . .

     
  12. Niobis

    Niobis Active member

    Sorry to hear things aren't working out for you. I'm still currently searching to find out what these entries in the log are. I have suggested this problem to others, but haven't received a reply. I have searched everywhere I know for this 020 entry. The two letters it is showing are "di.", but there is a letter after the "." Best I can find out, after decoding the letters is, "di.a", but there's no information about it. If and when I hear something I will get back to you. If no replies or no found solutions within another day, I'll suggest you to remove the entries with HijackThis and see what happens. Backups are made so you can restore them if needed. For now, leave AVG uninstalled.

    Until then, please post the following:
    Open HijackThis.
    Click "Open the misc tools section".
    Click "Generate Startup list log".
    Click "Yes".
    Save the log and post it.

    Open HijackThis.
    Click "Open the misc tools section".
    Click "Open Uninstall Manager".
    Click "Save list".
    Save the list and post it.

    Post those two with a new HijackThis log.

    Those may show me something. :)

    I know loading is slow, but if at all possible try to get Spybot Search and Destroy. If downloading is too slow, don't worry about it until we get some answers.

    Also, is Ewido detecting anything? After posting the logs I requested scan in safe mode if you can. If anything other than cookies is found post that log here also.

    Hopefully, we'll get this solved soon. :)
     
  13. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,168
    Likes Received:
    136
    Trophy Points:
    143
    omar3333, read the forum rules above about posting & piracy which is not condoned on this site. also reduce your sig to forum specs of 500x200 & 50k. presently is 775x165 & 83,635 bytes.
    2. An image-only signature should be less than 50kb in size, and be at most 500 pixels wide and 200 pixels tall.
    4. If you want to use both text and image in your signature the image should not be more than 500 pixels wide and 100 pixels tall, and you can use up to three lines of text
     
  14. Niobis

    Niobis Active member

    Hello shawanba, I'm sorry to say that I have still not found out what the bad entries are in your log. Personally, I think the 020 entry is a hook and that is what is causing slow loading.

    Let's give it a try. First, please post a fresh HijackThis log.

    Edit: oh, and if you could, also post the other lists I asked for.
     
    Last edited: Oct 1, 2006
  15. shawanba

    shawanba Guest

    Okay, Niobis, I am back! My Sprint DSL has been down due to some line that needed fixing in the field . . . which has also solved my slow download problem . . . so I have installed a trial version of Kaspersky and below is the .txt file as requested:

    Protection
    ----------
    Total scanned: 235473
    Detected: 8
    Untreated: 0
    Start time: 10/2/2006 2:11:50 PM
    Duration: 06:36:30


    Detected
    --------
    Status Object
    ------ ------
    deleted: adware not-a-virus:AdWare.Win32.Sahat.a File: C:\WINDOWS\system32\sahagent1020.exe/data0002
    deleted: adware not-a-virus:AdWare.Win32.Sahat.a File: C:\System Volume Information\_restore{87976CB7-58B6-4F87-AC67-9A4ED8915937}\RP216\A0023590.exe/data0002
    deleted: adware not-a-virus:AdWare.Win32.Sahat.a File: C:\System Volume Information\_restore{87976CB7-58B6-4F87-AC67-9A4ED8915937}\RP227\A0028584.exe/data0002
    deleted: adware not-a-virus:AdWare.Win32.Sahat.a File: C:\System Volume Information\_restore{87976CB7-58B6-4F87-AC67-9A4ED8915937}\RP232\A0047935.exe/data0002
    deleted: adware not-a-virus:AdWare.Win32.Sahat.a File: C:\System Volume Information\_restore{87976CB7-58B6-4F87-AC67-9A4ED8915937}\RP227\A0028584.exe
    deleted: adware not-a-virus:AdWare.Win32.Sahat.a File: C:\System Volume Information\_restore{87976CB7-58B6-4F87-AC67-9A4ED8915937}\RP232\A0047935.exe
    deleted: adware not-a-virus:AdWare.Win32.Sahat.a File: C:\System Volume Information\_restore{87976CB7-58B6-4F87-AC67-9A4ED8915937}\RP243\A0062633.exe/data0002
    deleted: virus Email-Worm.Win32.NetSky.c Mail attachment: Microsoft Outlook Internet Settings\Personal Folders\Top of Personal Folders\Spam\[From:flyboydec25@juno.com][Subject:Message is infected : my advice....][Time:2004/03/07 20:30:22]\part2_wife.zip\part2_wife.scr


    Events
    ------
    Time Event
    ---- -----
    10/2/2006 2:00:47 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
    10/2/2006 2:04:56 PM Update completed successfully.
    10/2/2006 2:11:22 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
    10/2/2006 2:36:23 PM File C:\WINDOWS\system32\sahagent1020.exe/data0002: detected adware not-a-virus:AdWare.Win32.Sahat.a
    10/2/2006 2:36:23 PM Security threats have been detected. You are advised to neutralize them immediately.
    10/2/2006 2:36:24 PM File C:\WINDOWS\system32\sahagent1020.exe/data0002: is not disinfected, postponed


    Reports
    -------
    Task Status Start Finish Size
    ---- ------ ----- ------ ----
    Proactive Defense running 10/2/2006 2:11:50 PM 0 bytes
    File Anti-Virus running 10/2/2006 2:11:50 PM 108.4 KB
    Mail Anti-Virus running 10/2/2006 2:11:50 PM 0 bytes
    Scan Critical Areas completed 10/2/2006 2:12:26 PM 10/2/2006 2:42:38 PM 1 MB
    Scan My Computer completed 10/2/2006 2:12:26 PM 10/2/2006 5:29:49 PM 1.5 MB
    Web Anti-Virus running 10/2/2006 2:11:50 PM 0 bytes
    Scan Startup Objects completed 10/2/2006 2:14:05 PM 10/2/2006 2:31:07 PM 761.5 KB


    Quarantine
    ----------
    Status Object Size Added
    ------ ------ ---- -----


    Backup
    ------
    Status Object Size
    ------ ------ ----
    Infected: adware not-a-virus:AdWare.Win32.Sahat.a C:\System Volume Information\_restore{87976CB7-58B6-4F87-AC67-9A4ED8915937}\RP232\A0047935.exe 53.9 KB
    Infected: adware not-a-virus:AdWare.Win32.Sahat.a c:\system volume information\_restore{87976cb7-58b6-4f87-ac67-9a4ed8915937}\rp216\a0023590.exe 53.9 KB
    Infected: adware not-a-virus:AdWare.Win32.Sahat.a c:\windows\system32\sahagent1020.exe 53.9 KB
    Infected: adware not-a-virus:AdWare.Win32.Sahat.a C:\System Volume Information\_restore{87976CB7-58B6-4F87-AC67-9A4ED8915937}\RP227\A0028584.exe 53.9 KB
    Infected: adware not-a-virus:AdWare.Win32.Sahat.a c:\system volume information\_restore{87976cb7-58b6-4f87-ac67-9a4ed8915937}\rp243\a0062633.exe 53.9 KB
     
  16. Niobis

    Niobis Active member

    Terrific! Looks like Kaspersky took care of 'em too.

    What lines?
     
  17. shawanba

    shawanba Guest

    Meanwhile I finally heard from AVG too. The program is still uninstalled and this is their response:

    According to the all diagnostic files you sent, it seems that some of the components in your computer went wrong. Especially, your hard disk drive seems to contain some bad blocks and this failure may be responsible for all the issues you have with your computer.

    None of the crashes or problems were caused by AVG. Any connection to AVG is just a coincidence.

    I recommend to contact a computer specialist and let him diagnose your computer to prevent data loss.

    Feel free to contact us again if you have any viral problem or issue with AVG.

    The Hijack texts are posted below beginning with the Start List Log:

    StartupList report, 10/2/2006, 9:12:00 PM
    StartupList version: 1.52.2
    Started from : C:\unzipped\hijackthis\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\WallMaster\wallmast.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\unzipped\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Shannon D. Dosh\Start Menu\Programs\Startup]
    Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    CorelCENTRAL 10.lnk = ?
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    QuickFinder Scheduler = "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    IgfxTray = C:\WINDOWS\system32\igfxtray.exe
    HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    !ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    kav = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    (Default) =

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    AIM = C:\Program Files\aim\aim.exe -cnetwait.odl
    googletalk = "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    PeerGuardian = C:\Program Files\PeerGuardian2\pg2.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\greenday.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

    [Microsoft PID Sniffer]
    InProcServer32 = C:\WINDOWS\system32\odc.dll
    CODEBASE = https://support.microsoft.com/OAS/ActiveX/odc.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe

    [EPUImageControl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\EPUWalcontrol.dll
    CODEBASE = http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab

    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125319698508

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    [SassCln Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
    CODEBASE = http://www.microsoft.com/security/controls/SassCln.CAB

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}]
    CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4363/mcfscan.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 7,647 bytes
    Report generated in 0.828 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

     
  18. shawanba

    shawanba Guest

    Below is the Uninstall List:

    Add/Remove Pro
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Photoshop 7.0
    Adobe Photoshop v4.0
    Adobe Reader 7.0.8
    AOL Instant Messenger
    ArcSoft PhotoImpression
    BitComet 0.73
    CCleaner (remove only)
    Codec Pack - All In 1 6.0.3.0
    Conexant SoftK56 Modem(M)
    DivX 5.0.2 Bundle
    Easy Thumbnails (Remove only)
    EPSON Copy Utility
    EPSON PERF 1670 Guide
    EPSON Photo Print
    EPSON Scan
    EPSON Smart Panel
    ewido anti-spyware 4.0
    Google Talk (remove only)
    HijackThis 1.99.1
    hp deskjet 930c series (Remove only)
    Intel(R) 810/810E/815/815E/815EM Chipset Graphics Driver Software
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment Standard Edition v1.3.1
    Java 2 Runtime Environment Standard Edition v1.3.1_02
    Kaspersky Anti-Virus 6.0
    Microsoft Data Access Components KB870669
    Microsoft Office 2000 SR-1 Disc 2
    Microsoft Office 2000 SR-1 Professional
    Microsoft Office XP Media Content
    Microsoft Office XP Professional
    Microsoft Press Interactive Training
    Microsoft Windows XP Video Decoder Checkup Utility
    Microsoft Works 2000
    Mozilla Firefox (1.0.7)
    Mozilla Thunderbird (1.0.7)
    Nic's XviD Decoder
    Panda ActiveScan
    PeerGuardian 2.0
    QuickTime
    RealPlayer
    ScanToWeb
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB925486)
    Shockwave
    Sony Picture Utility
    Sony USB Driver
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB922582)
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    WallMaster
    Winamp (remove only)
    Windows Backup Utility
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Format SDK Hotfix - KB898549
    Windows Media Player 10
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2
    WinZip
    WordPerfect Office 2002

     
  19. Niobis

    Niobis Active member

    New HijackThis log? :)
     
  20. shawanba

    shawanba Guest

    Logfile of HijackThis v1.99.1
    Scan saved at 9:33:31 PM, on 10/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\WallMaster\wallmast.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sddosh.tripod.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    O1 - Hosts: comments (such as these) may be inserted on individual
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: CorelCENTRAL 10.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125319698508
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4363/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8BE678E3-5C48-4723-AF53-8A33B0B78FD8}: NameServer = 204.117.214.10,199.2.252.10
    O20 - Winlogon Notify: GuardianNOFUL - ðì. (file missing)
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

     
