XP and Office misbehaving

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by thecrofter, Apr 14, 2008.

  1. thecrofter

    thecrofter Private E-2

    First of all thanks for your help, I've followed the Read and Run (I think) but I'm still having the same problem. Excel and Outlook will freeze quite frequently and I have to shut them down with the Task Manager. But more suspiciously, any time I reboot my PC, before the desktop will shut down I get an End Program message. The program name always has three characters and they are always different; the latest one was End Program - b48.

    I've attached the mg logs
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi thecrofter,
    Welcome to the Malware Forum!


    What happened to the rest of the logs? The program you describe looks like malware, so it would be worth your time to follow all the instructions in the READ & RUN ME FIRST and attach the logs which we request. When you run the other scans, beginning with CCleaner and Spybot and then the SuperAntiSpyware, Combofix and Malwarebytes, the removal of malware will change your files so you will need to run the MGTools again. Since you've already installed them, when you get to that point to run them, please go to C:\MGTools\GetLogs.bat and double-click on the file and let it run to completion when it will tell you to hit any key. In the instructions you'll find the location of all the logs along with their names so when you upload them here, you'll know where to look. The MGtools logs are called MGlogs.zip and are located directly under C.

    Thanks.
    abri
     
  3. thecrofter

    thecrofter Private E-2

    Sorry about that, I had run through all the stages and have the rest of the logs. Here they are.
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi thecrofter,

    I would like for you to do several things.

    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • Then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    2) I can see entries in your HijackThis log from different antivirus companies. Is Avira your current resident antivirus? What are you using the other entries for?

    While we are working on your computer, please disable Windows Defender.


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.24.250.250:3128
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    Did you set the following restriction? If not, please fix it.

    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    Do all of the following programs need to be in the trusted zone? If not, please fix them as well.

    O15 - Trusted Zone: *.ednet.co.uk
    O15 - Trusted Zone: *.pinewood.net
    O15 - Trusted Zone: *.pinnacledms.met
    O15 - Trusted Zone: *.graemepchatham.pinnacledms.net


    After you click fix, just close hijackthis.

    4) Now, please upload the file C:\WINDOWS\JcAdmin32.ini to any one of the following sites and have it scanned. Let me know the results.

    VirusTotal or virus.org, Kaspersky


    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    7) Now I would like for you to go to Running BitDefender Online Scan and run this scan and let me know what it finds. It is a lengthy scan and you will need to run it using Internet Explorer with Active X enabled. At this page of instructions you will see how to produce the log so we end up with information we can use.

    8) Now run CCleaner at the default setting with the Windows tab as the top one.

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the information on that one file I had you scan, the BitDefender log and answers to any questions I may have asked.

    Let me know how things are running now.

    abri
     
  5. thecrofter

    thecrofter Private E-2

    OK, I've switched off Tea Timer.

    Avira is my current anti-virus, the other entries must be left over from previous installs.

    Windows defender is off.

    I've run analyse. The 172 proxy is known to me. I've removed the Quick Time Task. I have no idea where the IE restriction came from, I've removed it.

    I've taken out a couple of the trusted sites which were unnecessary.

    I've uploaded the JcAdmin file to VirusTotal; it came back clean (0 out of 32).

    I've downloaded and installed and run erunt.

    I've copied and run the registry key, it seemed to take with no problem.

    I am currently running Bit defender, it looks like it might take about 5 hours so I'll complete the other steps and let you know how they go later.

    Excel and the rest of Office does seem to be running better. Because I'm running BitDefender I can't reboot at the moment, but we definitely seem to have improved things already.
     
  6. abri

    abri MajorGeek

    Good.
    I'll wait to hear back from you.
    And yes, BitDefender takes a long time. That's why it's not a regular part of the procedures anymore.
     
  7. thecrofter

    thecrofter Private E-2

    OK finally finished all the scans and here are the results.

    BitDefender didn't give me the option to save the log as a text file, only as html. Which then wouldn't upload unless I zipped it. I hope this is OK.

    Excel and the rest of Office seems to have settled down, but I'm still getting the End Program error at system shutdown.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi thecrofter,

    What BitDefender found were old entries for Quarantines you have somewhere on your computer. Please look through your add/remove programs for any antivirus programs you're not using that may still be installed on your computer. If you find them, uninstall them.

    After that, look for the following folders and if found, delete them and then run CCleaner.

    C:\Documents and Settings\Administrator\.housecall\Quarantine
    C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition classic\

    Do you know if the following folder is from the Kaspersky online scan? Look what's in it.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

    Now run HijackThis (C:\MGTools\analyse.exe) by double-clicking on it and have it do a system scan. Then put a checkmark next to the following and, after you close all your browser windows, click FIX.

    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)

    When you finish, just close the program.

    After doing the above, I would like for you to see if your Office is still giving you the same shutdown message. If so, I would like for you to go to Start/Run and type in msconfig and click on okay. In the Window that opens up select Diagnostic Startup and then click on the Systemstart tab. See if Office and Excel are set to load at startup. If so, uncheck them and see if this changes anything.

    Finally, please run C:\MGTools\GetLogs.bat and attach a fresh set of logs with your next post.

    Thanks.
    abri
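    As an added example (not part of this thread, and not one of the MajorGeeks tools), the following Python script performs the same kind of first-pass triage abri does by hand on the HijackThis lines in posts 4 and 8: it flags a configured proxy (R1), IE policy restrictions (O6), Trusted Zone domains (O15), downloaded ActiveX controls (O16) and services whose binary is reported missing (O23), and merely lists the rest so a person can decide. The sample log is constructed from the entries quoted above plus one invented, healthy service line; the rule set and all function names are my own, not HijackThis's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in HijackThis's line format. The first six lines are the
# entries quoted in the thread above; the final O23 line is an invented,
# healthy service so the triage has something that should pass as "info".
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.24.250.250:3128
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.ednet.co.uk
O15 - Trusted Zone: *.pinnacledms.met
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Example Guard (ExampleSvc) - Example Vendor - C:\Program Files\Example\guard.exe
""".strip()

# "<section> - <body>", e.g. "O23 - Service: ..."
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Body of an O23 line: "Service: <name> (<short>) - <owner> - <path>"
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.*?) \((?P<short>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$"
)


@dataclass
class Finding:
    kind: str            # HijackThis section, e.g. "R1", "O23"
    level: str           # "review" = needs a human decision, "info" = just listed
    reason: str          # what the reviewer should check
    raw: str             # the original log line
    detail: str = ""     # the extracted value (proxy, domain, service name, ...)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "R1" and "ProxyServer" in body:
        proxy = body.split("=", 1)[1].strip()
        return Finding(kind, "review", f"proxy server set to {proxy}; confirm you configured it",
                       line, detail=proxy)
    if kind == "O4":
        name = body[body.find("[") + 1:body.find("]")]
        return Finding(kind, "info", f"autostart entry '{name}'; remove if not wanted", line, detail=name)
    if kind == "O6":
        return Finding(kind, "review",
                       "Internet Explorer policy restrictions present; confirm they were set deliberately", line)
    if kind == "O15":
        domain = body.split(":", 1)[1].strip()
        return Finding(kind, "review", f"'{domain}' is in the Trusted Zone; confirm it belongs there",
                       line, detail=domain)
    if kind == "O16":
        return Finding(kind, "review", "ActiveX control downloaded via DPF; remove if no longer needed", line)
    if kind == "O23":
        s = SERVICE_RE.match(body)
        if s and s.group("path").endswith("(file missing)"):
            short = s.group("short")
            return Finding(kind, "review",
                           f"service '{short}' is registered but its binary is missing; orphaned entry",
                           line, detail=short)
        return Finding(kind, "info", "service whose binary is present", line,
                       detail=s.group("short") if s else "")
    return Finding(kind, "info", "no rule for this section", line)


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line, dropping lines that are not HijackThis entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per level, e.g. {'review': 5, 'info': 2}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.level] = counts.get(f.level, 0) + 1
    return counts


def trusted_zones(findings: List[Finding]) -> List[str]:
    """Domains that the log shows in IE's Trusted Zone, in log order."""
    return [f.detail for f in findings if f.kind == "O15"]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.level:6}] {f.kind}: {f.reason}")
    print(summary(results))
```

    The script only sorts lines into "look at this" and "listed for completeness"; the decision about whether a proxy, a trusted domain or an autostart entry is legitimate still belongs to the person who knows the machine, exactly as in the exchange above.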
     
  9. thecrofter

    thecrofter Private E-2

    OK, ran through the various steps. The only problem was O23 - Service: Norman API - thingy would not remove.

    I'm still getting the End Program message when I shut down Windows in Normal Startup... it doesn't happen in Diagnostic mode, as you would expect. I checked if Excel or any other Office app was set to load at startup and they were not.

    I've attached two sets of logs, the first one in Normal Startup, the second in Diagnostic. I've also attached a screen shot of the error message.
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi thecrofter,

    The message you're getting at system shutdown generally occurs because some program that is quite complex can't shut down quickly enough. When you put your computer in diagnostic mode, I want you to work through the list with most of the programs checked, in particular those you need to have loading at startup, and see if your unchecking one particular one has any effect on this error message. I recommend starting by making sure everything is checked except for ctfmon. See if that allows you to shut down without getting the error.

    Let me know if this does anything.
    abri
     
  11. thecrofter

    thecrofter Private E-2

    :D

    OKAY, ran through the startup items and narrowed it down to one service that was running VNC Server, which is part of a program that allows remote access to my PC. With this service enabled at startup I get the error; with it disabled, no error. Looks like we've cracked it. Thanks very much for your help.
     
  12. abri

    abri MajorGeek

    You're so welcome! :)

    Now that you know which program it is, you can remove it from your startup items, so that you can return your computer to normal startup mode rather than diagnostic. Please see this link: How to deal with startup processes. And now that we've finished that, please run the final cleanup instructions (except you may want to leave HijackThis in for now, i.e. move it out of the MGTools folder before you delete the folder) so we can get rid of all the tools and logs we installed. If you need them again, you know where to find them.
    abri
     