Computer Hope
Software => Computer viruses and spyware => Topic started by: icyboyedy on September 02, 2006, 03:34:31 PM
-
Weird thing is happening on my PC and nothing has worked so far. I am running Windows XP. I have run Trendmicro virus and spyware scans and nothing has been found. Same with Ad-Aware and Ewido spyware scanners. This is what happens; I'll be on the computer and then the START button menu pops up by itself, then wherever I move the mouse, a left click menu pops up and sometimes it closes IE windows and will freeze for a minute or two. What could this be?
-
icyboyedy..... Is this something which just started?
What happened just prior to that ......... any indication of bugs?
How about we start with a hijackthis logfile ......... get hijackthis at ....... http://www.majorgeeks.com/download3155.html ...... once you have, do a scan, save the scan to your desktop and post it here ...use as many posts as necessary to get it all in.
dl65 ::)
-
Logfile of HijackThis v1.99.1
Scan saved at 11:14:33 AM, on 09/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Netscape Internet Service\NSClient.exe
C:\Program Files\Common Files\ISPCOMP\SystemTrayIcon.exe
C:\Program Files\Netscape Internet Service\_NSWatchman.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {86AA461F-2A5B-4889-B543-E1BBA6746D61} - (no file)
O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\System32\safeie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126385425662
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D05705C-B4C3-4C13-B6E1-6947C4F58DEE}: NameServer = 205.188.146.145
O20 - Winlogon Notify: st3d - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
-
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
-
This problem has been occurring once or twice a month since about January or so, but this week it has occurred multiple times a day. This is really the only problem I have on my PC, the above mentioned tools usually keep my machine running very well. I am stumped as to what it could be.
-
Try backing your computer up and reformatting; that will solve the problem.
-
what are your hardware specs on your computer & cpu ?
Can you monitor the temperatures inside the case?
-
I'm running Windows XP on a 800mhz Pentium 3 with 384mb of RAM. I do not know the temps of the cache, but the fans are working.
While running the Ewido and other programs in safe mode I noticed that the problem also occurred. So I ran MSCONFIG to see what programs ran on startup and I found one with no name Software\Microsoft\Windows\Current Version\Run that looks very suspicious. Any clue?
-
can you give the .exe file name
-
Can you borrow a mouse & keyboard to swap out as a test?
One at a time of course. ;)
-
lol is anyone going to look at the log??
-
Switched the mouse, why would that cause problems? The file in question is blank, just as written above. I had a chat with a tech from my ISP to verify the ISP files that looked suspicious.
-
can you give the .exe file name
^^
-
Checked the file again. There is a new entry, it is blank, but checked off, and the old one is also there, not checked, interesting.
HKLM/Software/Microsoft/Windows/Current Version/Run
-
http://www.iss.net/security_center/advice/Reference/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/default.htm
http://www.google.com/search?hl=en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=HKLM/Software/Microsoft/Windows/CurrentVersion/Run+&spell=1
these might help but im not sure
-
The last time I had a mouse fail because the lead was faulty it caused all sorts of erratic behaviour as you described. Most people have a spare mouse & keyboard lying around & I thought it would be a very quick & easy way to eliminate these as being a cause.
I notice your problem has been getting progressively worse, which is another hint.
It's a matter for you whether you swap out the keyboard too.
-
So far so good with the new (old) mouse. Will give it a few days more to be sure.
I recently received one of those anti-trust lawsuit vouchers from Microsoft so I'll use the $35 on a new wireless one. All that drama possibly from a faulty mouse, incredible.
I really appreciate everyone helping me through this. As I've said before, my pc runs fine all of the time with the help of the above mentioned tools, so this crazy behaviour really stumped the heck outta me.
Edy
-
anti-trust lawsuit vouchers from Microsoft
You don't suppose this may be related to the problem, do you...?
-
Nah, remember how MS had to go to court for the whole monopoly thing, they gave money and computers to schools and for those who took the time to send the paperwork got vouchers, free $$$.
My PC still has not acted up, but I'm gettin carpal tunnel with this old crappy mouse. I guess that's life.
-
So now you have only these blank entries propagating in your registry?
HKLM/Software/Microsoft/Windows/Current Version/Run
Compare your msconfig startup list with your following HJT entries...
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
-
The first one is Direct cd from Roxio
The second is unknown to me and is not running in msconfig
The third is for nvidia video card
Fourth is for quicktime player
The fifth is for my printer
The sixth is for the java auto update
The seventh is from my ISP, netscape
Last one is AVG Antivirus
HKLM/Software/Microsoft/Windows/Current Version/Run shows up blank under startup item and command
-
Download 'Autoruns' from http://www.sysinternals.com, find the blank entry and look for the red delete button.
-
Download 'Autoruns' from http://www.sysinternals.com, find the blank entry and look for the red delete button.
where do you find all of these programs?
-
I don't specifically search them out, they're just found over time from other links I guess.
Sysinternals also has a companion program to Autoruns, it's called Procexp and if you install them in the same directory they work together with each other.
-
what's the other one do?
-
Download it and see. :)
-
i will when i get home
-
Got the program, but it was not able to delete it. The files underneath it are the above mentioned. So I think it is safe. Second full day and the PC has not flipped out in any way and all programs are running fast as usual. Guess it was the faulty mouse after all.
-
Concerning AUTORUNS, is it okay to delete entries under "IMAGE PATHS" that say "File not found"?
-
The files underneath it are the above mentioned. So I think it is safe.
Yes, that one is OK, don't delete it.
The entry we are looking for should be underneath HKLM/Software/Microsoft/Windows/Current Version/Run
Do you have any blank entries there?
Can you take a screenshot of the autoruns screen in the area of question?
-
There are no blank entries under that one. This is what is under it:
c:\program files\grisoft\avgfree\avgcc.exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
c:\program files\common files\ispcomp\installservice.exe
c:\windows\system32\nwiz.exe
-
Under HKLM\Software\Microsoft\ActiveSetup\Installed Components
there is DUN-RNA File Not Found: rnasetup.dll
and Power Policy Settings File Not Found: setupx.dll
that seems to be it
Thanks for the help
Edy
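-
The two checks the thread walks through by hand, comparing each O4 Run-key entry against the programs you can account for and spotting entries whose file no longer exists (HijackThis prints "(no file)", Autoruns prints "File not found"), can be scripted against a saved HijackThis log. The following is an added example written for this thread, not code from HijackThis, Autoruns or anyone posting here. It assumes the log uses the HijackThis v1.99.1 line format shown earlier; the sample lines are copied from the posted log except the blank-named O4 line, which is a constructed placeholder standing in for the unnamed msconfig entry Edy described. The "identified" list is the four Run-key paths Edy read out of Autoruns.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v1.99.1 log format. The first six lines are
# copied from the log posted in this thread; the last (blank-named) O4 line is a
# constructed placeholder for the unnamed msconfig entry Edy describes.
SAMPLE_LOG = r"""
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [] C:\example\unknown.exe
"""

# The four Run-key paths Edy read out of Autoruns. They are reduced to basenames
# because the registry value for AVG uses an 8.3 short name (PROGRA~1) while
# Autoruns showed the long name, so comparing full paths would mismatch.
IDENTIFIED_PATHS = [
    r"c:\program files\grisoft\avgfree\avgcc.exe",
    r"c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe",
    r"c:\program files\common files\ispcomp\installservice.exe",
    r"c:\windows\system32\nwiz.exe",
]

# O4 Run-key lines: "O4 - HKLM\..\Run: [Name] command"  (Global Startup lines are skipped)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O2 BHO / O3 Toolbar lines: "O2 - BHO: Name - {CLSID} - path-or-(no file)"
O2_RE = re.compile(
    r"^O(?P<kind>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")

FLAG_TEXT = {
    "orphaned": "points at a file that no longer exists (Autoruns: File not found)",
    "blank-name": "value has no name, the kind of entry msconfig showed as blank",
    "bare-filename": "no directory given, so it is resolved via PATH; confirm which copy runs",
    "unidentified": "not on the list of entries you have accounted for",
}


@dataclass
class Entry:
    kind: str        # "O2", "O3" or "O4"
    location: str    # e.g. "HKLM\..\Run", "BHO", "Toolbar"
    name: str        # value name or BHO name, may be empty
    target: str      # executable or DLL path, or "(no file)"
    flags: list = field(default_factory=list)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


IDENTIFIED = {basename(p) for p in IDENTIFIED_PATHS}


def first_token(cmd):
    """Return the program part of a Run-key command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_line(line):
    m = O4_RE.match(line)
    if m:
        return Entry("O4", f"{m['hive']}\\..\\{m['key']}", m["name"], first_token(m["cmd"]))
    m = O2_RE.match(line)
    if m:
        return Entry("O" + m["kind"], "BHO" if m["kind"] == "2" else "Toolbar",
                     m["name"], m["path"])
    return None  # other HJT sections are not handled by this example


def classify(entry, identified):
    if entry.target == "(no file)":
        entry.flags.append("orphaned")
        return entry
    if not entry.name.strip():
        entry.flags.append("blank-name")
    if entry.kind == "O4":
        if "\\" not in entry.target:
            entry.flags.append("bare-filename")
        if basename(entry.target) not in identified:
            entry.flags.append("unidentified")
    return entry


def review_log(text, identified=None):
    """Parse O2/O3/O4 lines of a HijackThis log and attach review flags to each."""
    identified = IDENTIFIED if identified is None else identified
    entries = []
    for line in text.strip().splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(classify(entry, identified))
    return entries


def flagged(entries):
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        status = "; ".join(FLAG_TEXT[f] for f in e.flags) or "accounted for"
        print(f"{e.kind} {e.location:<12} [{e.name}] {e.target} -> {status}")
```

The script only sorts entries into "accounted for" and "look at this"; it makes no verdict. Two things to keep in mind when reading its output: an "orphaned" entry is harmless on its own and is just clutter to clean up, which is the same answer given above for the Autoruns "File not found" items, and matching on basename alone can be fooled by a file that borrows a legitimate name in another directory, which is why the full target path is printed next to each flag for a human to confirm.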