Reporting in for sick call

Discussion in 'Malware Help (A Specialist Will Reply)' started by TCO, Jul 20, 2005.

  1. TCO

    TCO Private E-2

    Am I a malingerer?

    Problems: Loud beeping noise during black screen part of startup (new to me). Several minute startup, with services.exe and reg.exe consuming CPU during that time (and a few come and go processes). Crashes every couple hours of use, to a BSOD. IE crashes where the IE windows disappear, every hour or so. System also seems to run a little slow (pulling up a Word document say).

    Self-help results: Ran through the exhaustive list of steps in self-help guide. Unable to get Symantec scan to work; however I do have paid version of Norton and it never shows anything. Stinger.exe found and removed W32blaster worm. HSremover said it found and removed 8 files, but I wonder if that means anything as it says that even if you rerun the program (again and again). Adaware found two noncritical objects (an hkey and list of documents used). FYI: I have now deleted MS Java and installed Sun Java (which stops me from playing pogo bridge...sigh).

    System: 3y/o Dell Inspiron 2650 Laptop, Windows XPSP2, recently added and running Norton antivirus, free zonelabs firewall, MS antispyware (including instant scanning), Spybot with teatimer (kind of annoying since windows are not really visible and I don't understand the alerts on the registry and such).

    Suggestions?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must be looking at an old version of the READ ME FIRST. Running Symantec is no longer in the required steps, and neither is Trend Micro. Now BitDefender and RavAntivirus are in the required online scans. Please make sure you run them and then if you still have a problem follow the steps below exactly:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. TCO

    TCO Private E-2

    1. I did the additional scans. The RAV showed 3 instances of flash worm and 2 of an irc worm. (files deleted).

    2. I wonder if this is the problem site: skmovies.com (paid porn site). Should I avoid it, avoid all sites that are questionable? Especially while troubleshooting?

    3. Spybot has some sort of process blocked that has a bunch of numbers and then "defrag.exe". I think I blocked it when I got one of the alerts. Should I leave blocked or unblock?

    4. Still getting very frequent crashes. Basically can't surf except in safe mode. Attached is the hijackthis file:
     

  4. TCO

    TCO Private E-2

    I can't get windows update to display either. Page says it won't display [Error number: 0x8007043C]
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Stay away from porn sites period.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O1 - Hosts: 66.159.18.187 www.n69.com
    O1 - Hosts: 66.159.18.187 www.pillscash.com
    O1 - Hosts: 66.159.18.187 cart.penispill.com
    O1 - Hosts: 66.159.18.187 www.pillsmoney.com
    O1 - Hosts: 66.159.18.187 www.pillmedics.com
    O1 - Hosts: 66.159.18.187 www.big-penis.com
    O1 - Hosts: 66.159.18.187 www.pluspills1.com
    O1 - Hosts: 66.159.18.187 www.morepenis.com
    O1 - Hosts: 66.159.18.187 www.1shoppingcart.com
    O1 - Hosts: 66.159.18.187 www.herbalo.com
    O1 - Hosts: 66.159.18.187 www.penilesecrets.com
    O1 - Hosts: 66.159.18.187 www.penispill.com
    O1 - Hosts: 66.159.18.187 penismedical.net
    O1 - Hosts: 66.159.18.187 www.penismedical.net
    O1 - Hosts: 66.159.18.187 www.herbalbucks.com
    O1 - Hosts: 66.159.18.187 www.tv69.com
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
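    As an added illustration, not part of this thread or of chaslang's instructions, the script below parses the O1 (hosts file), O2 and O9 lines of a HijackThis-style log like the one quoted above and flags what a reviewer looks at first: a block of hosts-file entries that all point at one non-loopback address (the classic redirect pattern in the log above, where every listed shop site resolves to 66.159.18.187), and entries whose target file is missing. The sample log text is constructed from entries quoted in this thread plus one made-up loopback line; loopback sinkholing of ad domains is a common legitimate use of the hosts file, so it is deliberately not flagged.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the entries quoted in the thread above
# (a handful of the O1 lines plus one benign loopback entry that is NOT in the log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O1 - Hosts: 66.159.18.187 www.n69.com
O1 - Hosts: 66.159.18.187 www.pillscash.com
O1 - Hosts: 66.159.18.187 www.1shoppingcart.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
MISSING_RE = re.compile(r"^O\d+ - .*\((?:no file|file missing)\)\s*$")
START_PAGE_RE = re.compile(r"^R[01] - .*Start Page = (\S+)")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts_entries(log_text):
    """Return (ip, hostname) pairs from every O1 line, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def find_hosts_redirects(log_text, min_hosts=2):
    """Group O1 entries by target IP and return the non-loopback IPs that
    several hostnames are pinned to.  Many unrelated domains resolving to
    one remote address is the hosts-file redirect pattern to review."""
    by_ip = defaultdict(list)
    for ip, host in parse_hosts_entries(log_text):
        if ip not in LOOPBACK:
            by_ip[ip].append(host)
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


def find_dangling_entries(log_text):
    """O2/O9 lines whose target file no longer exists.  These are leftovers
    rather than active code, but they are the lines HJT users are told to Fix."""
    return [line.strip() for line in log_text.splitlines()
            if MISSING_RE.match(line.strip())]


def start_pages(log_text):
    """Start-page URLs from R0/R1 lines, so a reviewer can see where IE opens."""
    pages = []
    for line in log_text.splitlines():
        m = START_PAGE_RE.match(line.strip())
        if m:
            pages.append(m.group(1))
    return pages


def triage(log_text):
    """One-call summary of the three checks above."""
    return {
        "hosts_redirects": find_hosts_redirects(log_text),
        "dangling_entries": find_dangling_entries(log_text),
        "start_pages": start_pages(log_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, hosts in report["hosts_redirects"].items():
        print(f"hosts-file redirect: {len(hosts)} names -> {ip}: {', '.join(hosts)}")
    for entry in report["dangling_entries"]:
        print("dangling entry:", entry)
    for url in report["start_pages"]:
        print("start page:", url)
```

Running it against a real HijackThis log is a matter of reading the file into `triage()`; the regexes key on the line prefixes (`R0`, `O1 - Hosts:`, `O2`, `O9`) that HijackThis itself emits, so no other format knowledge is needed.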
     
  6. TCO

    TCO Private E-2

    Attached is new Hijackthis in normal mode. Still having some BSOD problems. Sometimes a lighter blue, complete screen blue; sometimes a darker blue, center-screen.

    A couple of the faults: (complete screen) IRQL_NOT_LESS_OR_EQUAL, ***STOP: 0X0000000A, (58F4E, 0x000000FF, 0x00000000, 0x804D93BE)

    (smaller screen) PAGE_FAULT_IN_NONPAGED_AREA

    Some of the BSODS are in operation, some are at startup. For some BSODS, I have to pull the battery to shut the machine down.

    Startup remains long, maybe slightly faster. I still have a beeping noise before the Windows splash screen and a white bar that moves across the bottom of the screen.

    I made all the IE changes you said. My spybot gave several alerts which I accepted. One that I wasn't sure about was changing start page of browser page to about:blank from hsremovedone. (but I thought we had made a change there so I allowed it.)

    My link to notepad is not working now. Word is very slow.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Something just broke Spybot's SDhelper on you. Notice your BHO is broken now:

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

    It was fine in your previous log. You should uninstall Spybot, reboot and then reinstall.

    As far as your other problems are concerned, they are more than likely issues for the Software Forum. Your HJT log is clean (other than the broken Spybot). You could run a few additional scans if you want to check for other possible hidden malware problems. You could try using the below:

    - Download this trial version of Ewido Security Suite. For instructions on using this and getting a log see message # 47 in the following thread:

    http://forums.majorgeeks.com/showthread.php?t=67068


    You could also try the below.

    You may need your Windows XP CD when doing the below. It will prompt you if necessary to put it in the drive (so it would not hurt to start with it in the drive).

    We are now going to run a System File Check (sfc) to look for missing/damaged system files.
    Click Start, Run, and enter cmd and click OK. This will open up a command prompt. At the command prompt type the below command followed by the enter key.

    sfc /scannow

    Let me know what happens!
     
  8. TCO

    TCO Private E-2

    1. I ran the file scan (in run) and it didn't say anything. (Didn't say I was clean, didn't say something wrong.)

    2. I will try out that other scan you suggested, then go research if there is something wrong with the puter or the OS.

    3. I'm still getting some puter problems. Just now (after the windows scan), I had some misstarts, and then my mouse (or touchpad) was not working. I went to task master and found an unfamiliar process (msmgr.exe) which I killed and then I could move the mouse!

    4. Thanks for your kind help, spy doc!
     
  9. TCO

    TCO Private E-2

    Actually I think it is msmsgs.exe which is supposed to be some sort of windows messenger. (has a worm that has a similar name) I don't remember having this process before. Maybe it is from resetting to defaults on IE. I will try to get rid of it.

    I think I got rid of it by disabling the "web browser add on"
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you did have it before. It was in your HJT log.

    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    It is Windows Messenger. It is not a worm. But most people do not use it either.
     
