1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

End Task: Hidden Window

Discussion in 'Virus & Other Malware Removal' started by lord0din69, Feb 13, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. lord0din69

    lord0din69 Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    12
    This just occurred recently when I shut down my computer I get the End Task pop up for "Hidden Window"

    I googled it and got results on shellcon hidden window
    a lot of the results says to uninstall Music Match, which I don't even have
    on top of that the results i'm getting are about two years old...

    I popped up msconfig to see if any fishy things were running, but found nothing
    I ran hijackthis and skim the log to see if anything is unusual, but nothing found
    and I ran virus and anti-spyware on safemode just to be sure, but that didn't fix it

    I'm not even sure if it is shellcon hidden window or something else

    I noticed the problem when I finally shutdown my computer. I haven't really installed anything recently besides Dark Messiah.

    any ideas how i should approach this problem?
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,331
    Hi and welcome to TSG,


    Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


    Also do this please:

    Open HijackThis and click on the Open Misc Tools section button. Click on the Open Uninstall Manager button. Click the Save List button. Save the list then copy and paste it here.
     
  3. lord0din69

    lord0din69 Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    12
    Logfile of HijackThis v1.99.1
    Scan saved at 5:44:11 AM, on 2/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\FileZilla Server\FileZilla Server.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://helpdesk.cc.binghamton.edu/magictsd/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [Synergy Server] "C:\Program Files\Synergy\synergys.exe" --no-daemon --debug WARNING --name 52h --address :24800
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
    O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156039435531
    O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://resnet.verify.binghamton.edu:8443/registration/CAT/CNICAT.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{05901CDA-5560-4AD3-BD0E-20D63C3C8944}: NameServer = 85.255.114.25,85.255.112.69
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8D801E09-9351-4555-997A-9FD2F463A4BA}: NameServer = 128.226.1.11,128.226.1.18
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.25 85.255.112.69
    O17 - HKLM\System\CS1\Services\Tcpip\..\{05901CDA-5560-4AD3-BD0E-20D63C3C8944}: NameServer = 85.255.114.25,85.255.112.69
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.25 85.255.112.69
    O17 - HKLM\System\CS2\Services\Tcpip\..\{05901CDA-5560-4AD3-BD0E-20D63C3C8944}: NameServer = 85.255.114.25,85.255.112.69
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.25 85.255.112.69
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,331
    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

    Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{05901CDA-5560-4AD3-BD0E-20D63C3C8944}: NameServer = 85.255.114.25,85.255.112.69

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.25 85.255.112.69

    O17 - HKLM\System\CS1\Services\Tcpip\..\{05901CDA-5560-4AD3-BD0E-20D63C3C8944}: NameServer = 85.255.114.25,85.255.112.69

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.25 85.255.112.69

    O17 - HKLM\System\CS2\Services\Tcpip\..\{05901CDA-5560-4AD3-BD0E-20D63C3C8944}: NameServer = 85.255.114.25,85.255.112.69

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.25 85.255.112.69


    Click FIX CHECKED. Close HijackThis.

    Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.

    Now we will flush DNS:

    In the windows control panel, if you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.

    Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems


    Next Go start run type cmd and hit OK and type:

    ipconfig /flushdns

    Then hit enter, type exit and hit enter again. (The space between g and / is needed).


    Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
     
  5. lord0din69

    lord0din69 Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    12
    I downloaded and ran FixWareout and it did its thing
    Good news is that then it shutdown to reboot it doesn't have the "End Task - Hidden Window" anymore

    So after the reboot I ran hijackthis and deleted the O17 items you've listed
    and then flushed my dns

    It was going well till I went back to set my static ip
    Oddly it did not allow me to set a static. On top of them it asked me to OK the reboot in order for the changes to occur, which normally it never ask. Now I can't even boot up the OS, not even in safe mode.

    Running on Windows XP Pro
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,331
    Exactly what happens when you try to boot the computer. Is it in a loop of restarting? Is there an error message on the screen?
     
  7. lord0din69

    lord0din69 Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    12
    Its a loop of restarting, no error messages
    It doesn't even reach the stage where you see the Windows XP loading image
    As for safe mode, it doesn't get pass even half way of prepping safe mode
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,331
    Do you have your XP CD?
     
  9. lord0din69

    lord0din69 Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    12
    Okay, stupid me I forgot to try the last good Windows boot option, which worked.
    After finishing boot it complained about a bad registry file it had to remove.

    Anyhow here is the report.txt from fixwareout

    Fixwareout Last edited 2/11/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check
    HKLM\SOFTWARE\~\Winlogon\ "System"="kdjmp.exe"

    »»»»» System restarted

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    »»»»» Misc files.
    ....
    »»»»» Checking for older varients.
    ....

    Search five digit cs, dm, kd, jb, other, files.
    The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



    Click browse, find the file then click submit.
    http://www.virustotal.com/flash/index_en.html
    Or http://virusscan.jotti.org/

    »»»»» Other
    C:\WINDOWS\Temp\kdjmp.ren 63213 08/04/2004



    »»»»» Current runs
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
    "nwiz"="nwiz.exe /install"
    "NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
    "Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\tbmon.exe\""
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
    "SoundMan"="SOUNDMAN.EXE"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synergy Server"="\"C:\\Program Files\\Synergy\\synergys.exe\" --no-daemon --debug WARNING --name 52h --address :24800"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»


    And the hijackthis file
    Logfile of HijackThis v1.99.1
    Scan saved at 4:48:42 PM, on 2/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\FileZilla Server\FileZilla Server.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Synergy\synergys.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://helpdesk.cc.binghamton.edu/magictsd/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [Synergy Server] "C:\Program Files\Synergy\synergys.exe" --no-daemon --debug WARNING --name 52h --address :24800
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156039435531
    O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://resnet.verify.binghamton.edu:8443/registration/CAT/CNICAT.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8D801E09-9351-4555-997A-9FD2F463A4BA}: NameServer = 128.226.1.11,128.226.1.18
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,331
    Download AVG Anti-Spyware from HERE and save that file to your desktop.

    When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
    2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
    4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
    1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG will now begin the scanning process. Please be patient as this may take a little time.
      Once the scan is complete, do the following:
    5. If you have any infections you will be prompted. Then select "Apply all actions."
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left-hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • You need to use IE to run this scan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.
     
  11. lord0din69

    lord0din69 Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    12
    It fails to boot up in safe mode

    Here is the error

    STOP: c000021a
    Fatal System Error
    Session Manager Initialization system process terminated unexpectedly with a status of 0x0000009a (0x000000000 x00000000)
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,331
    Then run it in normal mode please. We'll look into the safe mode problem later.
     
  13. lord0din69

    lord0din69 Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    12
    Okay I fixed the safe mode
    I noticed when I booted up normally that daemon tools virtual drive has trouble loading
    In this case the error given in safe mode was about a bad device, so I just figured it was probably complaining about the bad virtual drive, so I uninstalled daemon tools

    However, I get blue screen on safe mode when scanning with AVG anti-spyware
    It blue screen too when running on normally on Windows

    Here is the error code
    STOP: 0x0000008E (0xC0000005, 0x8059E7A5, 0xB9F6E964, 0x00000000)
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,331
    Sounds like possibly bad RAM or a driver issue. How much RAM do you have?
     
  15. lord0din69

    lord0din69 Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    12
    2 sticks of 1 gigs
    google PDC2G3200LLK if you want more info
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/543867

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice