Help persistent XZ.exe

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

CossieSpawn

Thread Starter
Joined
Jul 8, 2005
Messages
9
Hi flrman1,

I too am experiencing the same problem as porscheman. Every time my computer starts up, Symantec detects and quarantines xz.exe. As well, I have noticed that I cannot run regedit anymore without receiving a "16 bit MS-DOS Subsystem" error indicating "The NTVDM CPU has encountered an illegal instruction. CS:0000 IP:0077 OP:f0 37 05 0c 02". I also receive the same error message if I just try to run "cmd".

Can you please have a look through my Hijackthis log and let me know what I need to do to resolve this issue?

Thanks!
 

Attachments

Joined
Jul 26, 2002
Messages
46,349
Hi CossieSpawn

Welcome to TSG! :)

I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It gets too confusing trying to address two different people's problems in the same thread and you may get overlooked.

Please continue in this thread.
 
Joined
Jul 26, 2002
Messages
46,349
Logfile of HijackThis v1.99.1
Scan saved at 8:01:53 AM, on 7/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
c:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
c:\Program Files\blackice\blackd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\TriActive\MicroAgent\Bin\ma.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Fiberlink\Extend360\ServiceMgr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINNT\system32\DSentry.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\PKWARE\PKZIPO\PKTray.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\MDM.EXE
D:\Transfer\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINNT\system32\SCTOOL~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [MA] C:\Program Files\TriActive\MicroAgent\Bin\ma_helper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Xfire.lnk = D:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPO\PKTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://infrastructure.home.ge.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - http://indiagecismeeting01c.ge.com/sametime/STMeetingRoomClient/STJNILoader.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Dwf Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - http://3.112.80.53/WFC/plugins/j2re-1_3_1_02-win.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: OdysseyClient - C:\WINNT\SYSTEM32\odyEvent.dll
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\Program Files\blackice\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: TriActive MicroAgent (MA) - TriActive, Inc. - C:\Program Files\TriActive\MicroAgent\Bin\ma.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - c:\Program Files\blackice\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\ServiceMgr.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
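A HijackThis log is a flat text dump, and the first pass a responder makes over it is mechanical: which autostart entries (O4) have no corresponding entry in the "Running processes" list, and which services (O23) HijackThis could not attribute to a publisher. The script below is an added example, not part of the thread and not HijackThis code; the sample log it parses is constructed, modelled on lines from the log posted above. The helper names `parse_hijackthis`, `triage`, `executable_of` and `win_basename` are the example's own. The output is a review list, not a verdict: a Run entry can be missing from the process list because it exits after doing its job (mobsync.exe does), because the product is gone, or because the antivirus killed it, as happened on this machine.

```python
"""Triage of a HijackThis log: O4 autostart entries with no matching running
process, and O23 services HijackThis could not attribute to a publisher.

Added example, not from the thread and not HijackThis code. SAMPLE_LOG is
constructed, modelled on the log posted above. Hits are items to review,
not findings of malware.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section source name path")

RUN_RE = re.compile(r'^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(.+?)\] (.+)$')
STARTUP_RE = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.+)$')
SERVICE_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')
# First drive-letter path ending in .exe, quoted or not (stops at the first .exe).
EXE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\Explorer.EXE

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
"""


def win_basename(path):
    """Last component of a Windows path, lower-cased; works on any host OS."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def executable_of(command):
    """Best-effort executable behind a Run-key command line."""
    m = EXE_PATH_RE.search(command)
    if m:
        return m.group(1)
    return command.split()[0].strip('"')   # bare name such as mobsync.exe


def parse_hijackthis(text):
    """Return (running_processes, [Entry, ...]) for the O4 and O23 sections."""
    processes, entries, in_procs = [], [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                       # the block ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("O4", m.group(1) + " Run", m.group(2), executable_of(m.group(3))))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append(Entry("O4", m.group(1), m.group(2), executable_of(m.group(3))))
            continue
        m = SERVICE_RE.match(line)
        if m:                              # source holds the company column for services
            entries.append(Entry("O23", m.group(2), m.group(1), m.group(3)))
    return processes, entries


def triage(text):
    """O4 entries whose executable is not running, and O23 services with no owner."""
    processes, entries = parse_hijackthis(text)
    running = {win_basename(p) for p in processes}
    not_running = sorted(e.name for e in entries
                         if e.section == "O4" and win_basename(e.path) not in running)
    no_owner = sorted(e.name for e in entries
                      if e.section == "O23" and e.source.lower() == "unknown owner")
    return {"autostart_not_running": not_running, "service_unknown_owner": no_owner}


if __name__ == "__main__":
    for key, names in triage(SAMPLE_LOG).items():
        print(key)
        for n in names:
            print("   ", n)
```

Run against the sample it lists `winupdate` next to two benign absentees (`Synchronization Manager`, `Rainlendar.lnk`), which is the point: the parser narrows the log to a handful of entries, and a human still has to decide that a "winupdate" living in its own Program Files folder is the one worth removing, as the helper does later in the thread.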
 
Joined
Jul 26, 2002
Messages
46,349
Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

Post a new HiJackThis log along with the report from the Housecall scan
 

CossieSpawn

Thread Starter
Joined
Jul 8, 2005
Messages
9
flrman1,

Here are the files that you asked me to provide. I ran through the Trend Micro Housecall, and as you will see it was unable to delete a few things.

Hopefully you can help me out with all of this. It is very frustrating to not be able to delete these things, and still not have the functionality of cmd.com and regedit.com.
 

Attachments

Joined
Jul 26, 2002
Messages
46,349
** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.

  • Open MS Anti-Spyware and click on Options > Settings.
  • Click on "Realtime Protection" in the left pane.
  • Remove the check by these:
    • Enable the Microsoft Security Agents on startup (recommended)
    • Enable real-time spyware threat protection (recommended)
  • Click "Save"
  • Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
  • Leave it disabled until we are finished here.


* Go to Add/Remove programs and uninstall ErrorGuard.


*Download Cleanup from Here
If that link is down, you can get Cleanup Here.
  • Save the Cleanup40 file to your desktop.
  • On your desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • DO NOT RUN IT YET


* Click Here and download Killbox and save it to your desktop.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Mouse Button Monitor.
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.


* Run Hijack This again and put a check by this entry. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto


* Next in Hijack This click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Copy and paste the following line in that box:

mousebm

Click OK.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINNT\system32\mousebm.exe

C:\Program Files\winupdate\winupdate.exe


Exit the Killbox.


* Delete this folder:

C:\Program Files\winupdate


* Run Cleanup:
  • Click on the "Cleanup" button and let it run.
  • Once its done, close the program.


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
 

CossieSpawn

Thread Starter
Joined
Jul 8, 2005
Messages
9
flrman1,

I managed to get down to the part where I need to boot into Safe Mode, however, when I enter my password it tells me that it is incorrect. This is my laptop from work, and I know that when I logon to the computer it has my username, my password and a domain name which didn't show up in safe mode. I'm a remote user for work, so I am not actually connected into a work network, so I'm not sure if the domain has any affect on me not being able to start safe mode.

Any ideas?
 
Joined
Jul 26, 2002
Messages
46,349
You probably do not have sufficient privileges to boot to safe mode. When you boot to safe mode do you only have the choice to boot to safe mode using the "Administrator" account or is your profile listed there as an option?

Do you have Admin privileges?
 

CossieSpawn

Thread Starter
Joined
Jul 8, 2005
Messages
9
I do have admin privileges as far as I know, as I've been able to install software without having to change accounts. I didn't happen to see if there was any option to boot to safe mode with different accounts. I do recall that after pressing F8, I had three different Safe Modes. One was just Safe Mode, the other was Safe Mode with Networking, and there was another Safe Mode with something else. I selected simply Safe Mode, and then it went to another DOS style menu that I always see where I can select between Win 2000 Pro, or Win 2000 recovery (something like that). I selected the default option of Win 2000 Pro. I then eventually got to the login screen, and my username was already in place, but it wouldn't take my password. Hopefully this helps somewhat.
 
Joined
Jul 26, 2002
Messages
46,349
Let's try this without safe mode.

** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.

  • Open MS Anti-Spyware and click on Options > Settings.
  • Click on "Realtime Protection" in the left pane.
  • Remove the check by these:
    • Enable the Microsoft Security Agents on startup (recommended)
    • Enable real-time spyware threat protection (recommended)
  • Click "Save"
  • Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
  • Leave it disabled until we are finished here.


* Go to Add/Remove programs and uninstall ErrorGuard.


*Download Cleanup from Here
If that link is down, you can get Cleanup Here.
  • Save the Cleanup40 file to your desktop.
  • On your desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • DO NOT RUN IT YET


* Click Here and download Killbox and save it to your desktop.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Mouse Button Monitor.
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.


* Run Hijack This again and put a check by this entry. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto


* Next in Hijack This click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Copy and paste the following line in that box:

mousebm

Click OK.

* Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINNT\system32\mousebm.exe

C:\Program Files\winupdate\winupdate.exe


Exit the Killbox then restart your computer.


* Delete this folder:

C:\Program Files\winupdate


* Run Cleanup:
  • Click on the "Cleanup" button and let it run.
  • Once its done, close the program.


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
 

CossieSpawn

Thread Starter
Joined
Jul 8, 2005
Messages
9
Here are the results as attachments.

In addition, I had also posted this issue in another thread, and I have a feeling that they are related: http://forums.techguy.org/t398953.html This was actually how I first noticed that I was having problems. When I tried running regedit it wouldn't work. I then tried running cmd, but got the same results. Could these somehow be related?
 

Attachments

Joined
Jul 26, 2002
Messages
46,349
Have you ever been able to run regedit on this computer? If this is a laptop that belongs to the company you work for, you probably do not have admin rights and therefore you cannot run regedit.
 

CossieSpawn

Thread Starter
Joined
Jul 8, 2005
Messages
9
flrman1,
Yes, I have been able to run regedit on this computer before, as well as cmd. What seems a little strange to me is that I am able to simply open a command prompt through the Accessories, yet not by just typing in cmd through Run. As well, I have noticed that when I am in the command prompt, I have been able to run ipconfig to see my settings, yet I cannot ping another computer. Once I type in the ping command along with the IP, I receive the same error as with regedit and cmd. What does NTVDM stand for? Perhaps there is a physical problem with this component of the laptop?
 

CossieSpawn

Thread Starter
Joined
Jul 8, 2005
Messages
9
flrman1,

One extra thing that I have noticed is that if I am to type in regedit.exe versus just regedit, or cmd.exe versus cmd, I am able to open both. So obviously it is somehow related to the regedit.com and cmd.com files. I would imagine this is also true for the ping command. Does this help any?
 
Joined
Jul 26, 2002
Messages
46,349
* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\CMD.COM

C:\WINDOWS\system32\netstat.com

C:\WINDOWS\system32\ping.com

C:\WINDOWS\system32\regedit.com

C:\WINDOWS\system32\tasklist.com

C:\WINDOWS\system32\taskkill.com

C:\WINDOWS\system32\tracert.com


Exit Killbox and restart your computer.

Now try regedit, cmd and ping.
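The two posts above pin the mechanism down: `cmd`, `regedit` and `ping` fail while `cmd.exe` and `regedit.exe` work, and the helper's list is entirely `.com` files named after standard tools. That is a PATHEXT trick. When a command is typed without an extension, Windows tries the extensions in PATHEXT in order, and the Windows 2000 default order is `.COM;.EXE;.BAT;.CMD`, so a planted `cmd.com` in the system directory wins over the genuine `cmd.exe` sitting next to it, while `cmd.exe` typed in full bypasses the search. NTVDM, which the poster asked about, is the NT Virtual DOS Machine, the 16-bit subsystem a `.com` file is handed to when it is not a Win32 image; the "illegal instruction" error is NTVDM failing to execute whatever bytes the planted files contain. The script below is an added example, not code from the thread or from any tool mentioned in it: it models that lookup and lists `.com` files that sit beside an `.exe` of the same base name, which genuine 16-bit tools such as `format.com` do not have. It builds a constructed directory under a temporary folder so it runs on any OS; the function names and the contents of the fake System32 are the example's own. On the real machine the directory to check is `%SystemRoot%\system32`, which the log at the top of the thread shows is `C:\WINNT\system32` here.

```python
"""Model of how a bare command name is resolved, and a check for .com files
that shadow an .exe of the same name.

Added example, not from the thread. Windows searches each PATH directory and,
within it, tries the PATHEXT extensions in order; the Windows 2000 default
is .COM;.EXE;.BAT;.CMD. The directory built below is constructed in a
temporary folder so the script runs offline on any OS. Matching is
case-insensitive, like the real lookup.
"""
import os
import tempfile

DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]   # Windows 2000 default order

# Constructed sample data for the fake System32.
_LEGIT_COM = ["format.com", "more.com", "mode.com"]  # real 16-bit tools, no .exe twin
_SHADOWED = ["cmd", "netstat", "ping", "regedit",   # the .com names listed in the thread
             "tasklist", "taskkill", "tracert"]


def _listing(directory):
    """Map lower-cased file name -> actual name, or {} if the directory is missing."""
    try:
        return {f.lower(): f for f in os.listdir(directory)}
    except FileNotFoundError:
        return {}


def resolve_command(name, path_dirs, pathext=DEFAULT_PATHEXT):
    """Return the full path a typed command resolves to, or None.

    A name with an extension is looked up verbatim; a bare name is tried with
    each PATHEXT extension, in order, in each directory, in order.
    """
    base, ext = os.path.splitext(name)
    candidates = [name.lower()] if ext else [(name + e).lower() for e in pathext]
    for d in path_dirs:
        present = _listing(d)
        for c in candidates:
            if c in present:
                return os.path.join(d, present[c])
    return None


def resolved_name(name, path_dirs, pathext=DEFAULT_PATHEXT):
    """Lower-cased file name that `name` resolves to, or None."""
    p = resolve_command(name, path_dirs, pathext)
    return os.path.basename(p).lower() if p else None


def find_shadowing_coms(directory):
    """List .com files that sit next to a .exe of the same base name.

    Genuine .com tools have no .exe twin, so a matching pair is the signature
    of the trick in this thread. On a real box point this at
    %SystemRoot%\\system32 (C:\\WINNT\\system32 on the machine in the log).
    """
    names = _listing(directory)
    return sorted(n for n in names
                  if n.endswith(".com") and n[:-4] + ".exe" in names)


def build_demo_system32():
    """Create a throwaway directory mimicking the infected System32 (constructed)."""
    d = tempfile.mkdtemp(prefix="system32_")
    files = [b + ".exe" for b in _SHADOWED] + [b + ".com" for b in _SHADOWED]
    files += ["ipconfig.exe"] + _LEGIT_COM   # ipconfig had no .com twin and kept working
    for f in files:
        with open(os.path.join(d, f), "wb") as fh:
            fh.write(b"\x00")                # file contents play no part in the lookup
    return d


if __name__ == "__main__":
    sys32 = build_demo_system32()
    for cmd in ["cmd", "cmd.exe", "ping", "ipconfig", "regedit"]:
        print(f"{cmd:12} -> {resolved_name(cmd, [sys32])}")
    print("shadowing .com files:", find_shadowing_coms(sys32))
```

Deleting the planted `.com` files, as the post above instructs, restores the normal resolution; reordering PATHEXT to put `.EXE` first would also make `cmd` find `cmd.exe` again, but leaves the planted files in place, which is why removal rather than a PATHEXT change is the right fix.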
 