Staci's Hijackthis log


  • This topic is locked
33 replies to this topic

#16 Staci
  • Authentic Member
  • 22 posts
  • Interests: Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 20 February 2006 - 07:11 AM

I tested my computer from last night to this morning..and I'm still getting the errors and freezes in regular mode. When I go into safe mode it runs just fine (although not having sound is annoying :lol:)


#17 little eagle
  • spyware hawk
  • Visiting Fellow
  • 8,968 posts
  • Interests: spyware

Posted 20 February 2006 - 07:54 AM

Click start > control panel > user accounts > change the way users log on or off > uncheck fast user switching > restart your computer.

Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.sysintern...itRevealer.html
Once the program has started, press Scan and let it run.
When the scan is done, use 'File > Save' to place the logfile in a convenient location (such as the desktop). The default filename will be 'RootkitReveal.txt'.

Save your Log File
Copy/Paste the contents of that logfile into your next reply

Do NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc!

That way you should have a much simpler and clearer log file to peruse and evaluate.

#18 Staci

Posted 20 February 2006 - 08:12 AM

Ok...fast user switching is already unchecked. When I reboot, do I need to run in regular mode or safe mode before running RootkitRevealer?

#19 little eagle

Posted 20 February 2006 - 08:35 AM

regular mode ;)

#20 Staci

Posted 20 February 2006 - 12:13 PM

Here is the log :) I didn't touch anything until it was done hehe. I had a problem saving it though; it was giving me some errors at first trying to save on the desktop, and I had to look around until it let me get into My Documents to save.

HKLM\SYSTEM\ControlSet001\Services\sysbus32 2/20/2006 12:00 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sysbus32 2/20/2006 12:00 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 12/6/2005 8:03 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cartoonnetwork.com 11/3/2005 7:24 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cartoonnetwork.com\settings.sol 11/3/2005 7:24 PM 88 bytes Hidden from Windows API.
C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.nick.com 12/6/2005 8:03 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.nick.com\settings.sol 12/6/2005 8:03 AM 82 bytes Hidden from Windows API.
C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 12/6/2005 8:03 AM 400 bytes Hidden from Windows API.
C:\Documents and Settings\Kids\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 2/12/2006 10:44 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Kids\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 2/12/2006 10:44 AM 348 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 2/9/2006 11:46 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#aolcdn.com 2/2/2006 5:33 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#aolcdn.com\settings.sol 2/2/2006 5:33 AM 80 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#battleon.com 2/3/2006 11:23 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#battleon.com\settings.sol 2/3/2006 11:23 PM 82 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#carlsjr.com 12/7/2005 10:13 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#carlsjr.com\settings.sol 12/7/2005 10:13 PM 81 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everquest2.station.sony.com 11/25/2005 11:32 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everquest2.station.sony.com\settings.sol 11/25/2005 11:32 PM 97 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#hquass.de 1/28/2006 6:51 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#hquass.de\settings.sol 1/28/2006 6:51 AM 79 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iprom.net 2/9/2006 11:46 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iprom.net\settings.sol 2/9/2006 11:46 AM 79 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local 1/17/2006 3:28 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol 1/17/2006 3:28 AM 75 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#mediaiprom.com 2/9/2006 11:46 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#mediaiprom.com\settings.sol 2/9/2006 11:46 AM 84 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#rr.com 10/28/2005 11:11 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#rr.com\settings.sol 10/28/2005 11:11 PM 76 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#starwarsgalaxies.station.sony.com 11/27/2005 9:38 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#starwarsgalaxies.station.sony.com\settings.sol 11/27/2005 9:38 PM 103 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ugo.com 11/26/2005 1:35 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ugo.com\settings.sol 11/26/2005 1:35 PM 77 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.google.com 1/8/2006 5:39 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.google.com\settings.sol 1/8/2006 5:39 PM 86 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#warnerbros.com 11/21/2005 6:58 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#warnerbros.com\settings.sol 11/21/2005 6:58 PM 84 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.nick.com 12/4/2005 11:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.nick.com\settings.sol 12/4/2005 11:49 AM 82 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.purevolume.com 1/14/2006 7:06 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.purevolume.com\settings.sol 1/14/2006 7:06 AM 88 bytes Hidden from Windows API.
C:\Documents and Settings\Stacy\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 2/9/2006 11:46 AM 625 bytes Hidden from Windows API.
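A RootkitRevealer log is a list of discrepancies between what the Windows API reports and what the tool reads from the raw registry hives and file system; each line is a prompt to look, not a verdict, and the helper in this thread triages it by eye. The script below is an added example (my own code, not something from this thread and not a Sysinternals tool) that parses result lines in the space-separated form they appear in the post above and sorts them into buckets: the Flash Player settings.sol paths that RootkitRevealer is widely known to report as hidden and that are not rootkit activity, registry service keys hidden from the Windows API, which are worth following up rather than dismissing because kernel-mode rootkits hide their driver registration that way, and everything else for manual review. The sample log is constructed from four lines of the posted log plus one hypothetical driver path (HYPOTHETICAL.sys is not from the thread) and one line of chatter; the real tool writes tab-separated fields, so the regex here is adapted to the collapsed form shown on the page.

```python
import re
from collections import defaultdict

# One RootkitRevealer result line as it appears in the forum post, with the
# tool's tab separators collapsed to spaces:
#   <path> <m/d/yyyy> <h:mm AM|PM> <n> bytes <description>
# The path is matched non-greedily because it can itself contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+) bytes "
    r"(?P<desc>.+?)\.?$"
)

# Path fragments RootkitRevealer is known to report that are not rootkit
# activity. Flash Player shared-object settings files are the usual case.
KNOWN_BENIGN = ("\\application data\\macromedia\\flash player\\",)


def parse_line(line):
    """Return a dict for one result line, or None if it is not a result line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    return entry


def classify(entry):
    """Triage bucket for one parsed entry.

    known_benign  path matches a documented false-positive pattern
    investigate   a service key under HKLM\\SYSTEM hidden from the Windows
                  API; kernel-mode rootkits hide driver registration this way
    review        anything else; needs a human decision
    """
    path = entry["path"].lower()
    if any(marker in path for marker in KNOWN_BENIGN):
        return "known_benign"
    hidden = "hidden from windows api" in entry["desc"].lower()
    if hidden and path.startswith("hklm\\system\\") and "\\services\\" in path:
        return "investigate"
    return "review"


def triage(log_text):
    """Group every line of a log by bucket; non-result lines go under 'unparsed'."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            buckets["unparsed"].append(raw.strip())
        else:
            buckets[classify(entry)].append(entry)
    return dict(buckets)


# Constructed sample: four lines copied from the posted log, one hypothetical
# driver path (HYPOTHETICAL.sys does not appear in the thread) and one line
# of chatter that is not a result at all.
SAMPLE_LOG = r"""
HKLM\SYSTEM\ControlSet001\Services\sysbus32 2/20/2006 12:00 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sysbus32 2/20/2006 12:00 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 12/6/2005 8:03 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cartoonnetwork.com\settings.sol 11/3/2005 7:24 PM 88 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\HYPOTHETICAL.sys 2/20/2006 11:58 AM 12288 bytes Hidden from Windows API.
I didn't touch anything until it was done
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item["path"] if isinstance(item, dict) else item)
```

The benign list is deliberately short: anything not on it lands in review, and only the registry-service rule promotes a line to investigate. Extending KNOWN_BENIGN is how a reviewer encodes what they have already checked once, so the next log from the same machine is shorter to read.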

#21 little eagle

Posted 20 February 2006 - 12:24 PM

Looks clean :huh:

#22 Staci

Posted 20 February 2006 - 01:36 PM

Hmmm... In the past two hours of running in regular mode, I've had about 6 errors pop up and the taskbar has disappeared and come back 3 times. However, it hasn't frozen completely and required a reboot yet. Also, it's loading a lot faster when I first log in. It only takes about 5-10 seconds and then the hourglass disappears and an arrow comes up. About 5-10 seconds later it will let me click on the Quick Launch and Start button. Running in safe mode this morning I had no errors or problems at all, and it loaded the screen right away and let me click on the QL and SB immediately. Do I still need to run the sfc /scannow? I haven't done that yet since I didn't have the WinXP CD hehe :)

Edited by Staci, 20 February 2006 - 01:38 PM.


#23 little eagle

Posted 21 February 2006 - 12:32 AM

Do I still need to run the sfc /scannow? I haven't done that yet since I didn't have the WinXP CD

Yes when you can find it.

Looking for a tool I would like you to run, but I have to find the link. Going offline for a day.
I'll post soon.

#24 Staci

Posted 21 February 2006 - 08:14 AM

My brother-in-law is apparently using Linux now (according to my sister). Hopefully he still has the WinXP cd :lol: If not I'll try around and see if I can find it elsewhere. Is it ok if I post the logs from my mom's computer too? (She uses her own downstairs from mine). I can post them in a different post if I need to. Hers is running fairly well since I ran all the different anti-spywares and such on hers...but I'd like to have someone check it over and help me get it set up so it will be safe too if that's possible :) Thank you so much for all your help Little Eagle. It's still having problems but at least it's somewhat useable now. I really appreciate all the time you've taken to help me :D

#25 little eagle

Posted 22 February 2006 - 08:27 AM

Download AproposFix by Swandog46
Save it to your desktop or to another folder of its own, but do NOT run it yet!

Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

Once in Safe Mode, double-click aproposfix.exe, which will give you a choice of where to unzip/install the program to. This is called the Destination folder in the window that pops up. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double-click on RunThis.bat to run the fix. Follow the prompts.

When the tool is finished, reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file that has been created in the aproposfix folder.

#26 little eagle

Posted 22 February 2006 - 08:29 AM

Is it ok if I post the logs from my mom's computer too?

Yes, but start another thread. Makes it easier.

#27 Staci

Posted 23 February 2006 - 07:50 AM

Ok I followed the instructions exactly. Just to let you know, when I rebooted back in regular mode and opened up the folder to get the log for AproposFix, it gave me the error that Windows Explorer had to shut down..then again gave me the Dr. Watson Postmortem Debugger error. In order to proceed I had to open up Task Manager and close the drwatson.exe process twice. It was totally locked up on me otherwise.

Here are the results of AproposFix:

Log of AproposFix v1.1

************
Running from directory:
C:\Documents and Settings\Stacy\Desktop\Computer Fixes\aproposfix\aproposfix

************
Registry entries found:

************
No service found!

Removing hidden folder:
No folder found!

Deleting files:

Backing up files:
Done!

Removing registry entries:

REGEDIT4

Done!

Finished!


And here are the logs of Hijackthis (run in regular mode after I'd run AproposFix in safe mode and rebooted):

Logfile of HijackThis v1.99.1
Scan saved at 7:42:42 AM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Stacy\Desktop\Computer Fixes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PD - {7102B1F9-B771-4C7B-A864-6166A3BD6E56} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9C3E8350-5873-4D8E-A1D4-DCB9E885E86D} - http://www.cybersitt...vex/AXSnoop.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
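The log above is the HijackThis 1.99.x text format: a short header, the running-process list, then one entry per line keyed by section code (R0, O2, O4, O9, O16, O18, O23 and so on). Reading it is what the helper does by eye. The script below is an added example (my own code, not HijackThis and not from this thread) that parses that format and applies a few of the checks a reviewer makes when scanning such a log: processes running from somewhere other than the Windows and Program Files trees, entries whose target is marked (file missing), BHOs that report (no name) and must be identified by CLSID and path, and O16 downloaded ActiveX controls whose source URL should be confirmed. The sample is a subset of the posted log with its URLs left exactly as the forum truncated them. SYSTEM_DIRS is an assumption about a default XP install; the only process it flags is HijackThis itself, run from the Desktop, which is the expected result and a reminder that a hit is a prompt to look, not a verdict. The unnamed BHO it flags resolves by its path to Spybot's SDHelper.dll, which is the kind of confirmation the rule is asking for.

```python
import re

# Field patterns for HijackThis 1.99.x text logs (added example, not HijackThis code).
VERSION_RE = re.compile(r"^Logfile of HijackThis v(\S+)$")
HEADER_RE = re.compile(r"^(Platform|MSIE): (.+)$")
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")

# Directories a process is expected to run from on a default XP install
# (an assumption); anything else, such as a user profile or a temp folder,
# is worth a look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Split a HijackThis log into header fields, running processes and Rx/Oxx entries."""
    parsed = {"header": {}, "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            parsed["processes"].append(line)
            continue
        if m := VERSION_RE.match(line):
            parsed["header"]["version"] = m.group(1)
        elif m := HEADER_RE.match(line):
            parsed["header"][m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            body = m.group("body")
            clsid, url = CLSID_RE.search(body), URL_RE.search(body)
            parsed["entries"].append({
                "code": m.group("code"),
                "body": body,
                "clsid": clsid.group(0) if clsid else None,
                "url": url.group(0) if url else None,
                "file_missing": "(file missing)" in body,
                "raw": line,
            })
    return parsed


def audit(parsed):
    """Apply the checks a reviewer makes by eye; each hit is (rule, offending line)."""
    hits = []
    for proc in parsed["processes"]:
        if not proc.lower().startswith(SYSTEM_DIRS):
            hits.append(("process outside Windows/Program Files", proc))
    for e in parsed["entries"]:
        if e["file_missing"]:
            hits.append(("dangling reference, target file missing", e["raw"]))
        if e["code"] == "O2" and "(no name)" in e["body"]:
            hits.append(("unnamed BHO, identify by CLSID and path", e["raw"]))
        if e["code"] == "O16":
            hits.append(("downloaded ActiveX control, confirm the source URL", e["raw"]))
    return hits


# Constructed sample: a subset of the log posted above, URLs kept exactly as
# the forum truncated them.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:42:42 AM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Stacy\Desktop\Computer Fixes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

if __name__ == "__main__":
    for rule, line in audit(parse_hjt(SAMPLE_HJT)):
        print(f"[{rule}] {line}")
```

The rules are intentionally coarse. A dangling O18 handler such as the msnim entry is harmless on its own but is the sort of leftover a fix tool removes; the O16 rule fires on every downloaded control because the reviewer, not the script, decides whether a host such as go.microsoft.com is expected on this machine.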

#28 little eagle

Posted 23 February 2006 - 11:06 AM

Run cleanup and then defragment your PC.

#29 Staci

Posted 28 February 2006 - 08:10 AM

Ok did both and computer seems to be running faster now. It really needed to be defragmented, and the cleanup got rid of about 300MB of junk :blink: I think I tracked down a WinXP CD I can use..so once I do that and use the repair function, I will let you know how it's running..unless there's anything else you need me to do in the meantime. Errors still happening in regular mode too.

#30 little eagle

Posted 01 March 2006 - 09:12 AM

What are the errors that you are getting?
