# Delay on reboot (15 mins)



## LM79 (May 1, 2007)

Hi there,

Compaq Presario P4 2ghz laptop
XP, IE6, AVG, Adaware
15 min delay upon reboot to XP.

Sigh~ this is a pain in the @rse. after the symptoms disappear... laptop is pretty much normal... please help me????

Upon turning it on/rebooting: applications take 15mins to load after clicked (eg MS Outlook).
While waiting for this to happen there is absolutely no Hard drive movement and/or sound from laptop. Cntrl+Alt+Del does nothing (although would be useful to see what apps are running!)
Mouse is able to be moved, but clicking only works on certain things:
*I can highlight icons, open Jpegs, browse folders, view recycle bin etc.
*I cannot use the start button, open IE, MS Outlook, click on any apps in my quicklaunch task bar, right click the task bar.... importantly, I cannot use cntrl+alt+del.

15-20 mins later (no exaggeration), all the key strokes and mouse clicks start working:
outlook and/or IE load up, my docs load up, MSN msgnr loads, the start button spings up my apps, and the task manager shows up, once, twice (depending on how many times I pressed cntrl+alt+del!!!)

To avoid this situation, I just "sleep"/hibernate my laptop instead of completely turning it off everytime.
When I wake it up, it is fine.

Note that during the 15 min period, there is no noise of harddrive movement or egg timer on the mouse/cursor. 
--------------------------
HJT log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 12:18:05 a.m., on 2/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq\My Documents\Downloads\Appns\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LCIDConfig] C:\WINDOWS\lcidchng.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150717858126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150717836665
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)


----------



## John McKenna (May 1, 2007)

That will probably be down to the nasty Backdoor and probable rootkit infection present.



> O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)



If a Moderator approves my suggestion, I suggest you run a tool called SDFix which covers this nasty.


Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

 Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
 Press any Key and it will restart the PC.
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## LM79 (May 8, 2007)

Hi there,
here is my SDFIX report
I waited a while for a moderator to confirm you suggestion - no-one came to the party so I proceeded anyway. Please have a look below?
====================
SDFix: Version 1.83

Run by Compaq - Tue 08/05/2007 - 21:56:14.13

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services: 

Name:
Windows Spool Service

ImagePath:
"C:\WINDOWS\wdfmgr.exe" 

Windows Spool Service - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\DQB1L3~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\KVCAHA~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\IZKN632H\CA0723ST.HTM - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\o - Deleted
C:\WINDOWS\system32\TFTP2548 - Deleted
C:\WINDOWS\system32\TFTP2576 - Deleted
C:\WINDOWS\system32\TFTP472 - Deleted
C:\WINDOWS\system32\TFTP620 - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder 
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\Compaq\\Desktop\\BlueSoleil\\BlueSoleil.exe"="C:\\Documents and Settings\\Compaq\\Desktop\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT10.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT11.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT12.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT13.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT14.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT15.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT16.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT17.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT18.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT1C.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT22.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT25.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT53.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BIT8A.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BITC.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BITD.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BITE.tmp
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\BITF.tmp
C:\WINDOWS\system32\ttsut.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

                                 Finished
------------------------------------------------
And now the HJT report

Logfile of HijackThis v1.99.1
Scan saved at 10:44:40 p.m., on 8/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LCIDConfig] C:\WINDOWS\lcidchng.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150717858126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150717836665
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

-----------------------------
please advise??

Thanks,
LM


----------



## Buzz1927 (May 8, 2007)

> I waited a while for a moderator to confirm you suggestion - no-one came to the party so I proceeded anyway.


Sorry about that, I should have messaged you. Are things any better now?

Edit: scrap that, more to do...


----------



## John McKenna (May 8, 2007)

That went well 

As Buzz says though, more to do!!

Please start by uninstalling Ewido anti-spyware. The new version has been relabelled AVG Anti-Spyware and has much better removal capabilities. 

Copy the rest of these instructions to notepad for easy reference and perform all steps in the order they're listed. This will give the machine a thoroughly good cleanup from all angles.




Step # 1

Download and install the trial version of AVG Anti-Spyware.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the "*Update*" icon then select the "*Update now*" link.
Next select the "*Start Update*" button, the update will start and a progress bar will show the updates being installed.
Once updated, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*", select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"
Close AVG Anti-Spyware for use later.


Step # 2

Please download ATF Cleaner by Atribune.

Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
If you use Firefox browser
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main menu to close the program.


Step # 3

Download ComboFix from either of these links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click Combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply

*Note:*
Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.

Please tell me if you get the following error message:

"Unable to run com files !! Possible rootkit inteference. Tell this to the forum helper. Combofix will now exit"

The above message is very important!!!


Step # 4

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Lauch AVG Anti-Spyware and select the "*Scanner*" icon at the top.
Then select the "*Scan*" tab and click on "*Complete System Scan*".
AVG Anti-Spyware will now begin the scanning process, be patient as it may take a while to complete.
A prompt will appear if any infections are found: please select "*Apply all actions*".
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left of the screen and save it to your desktop as text file. 
Close AVG Anti-Spyware and reboot your system.


Step # 5

Lastly, use the Kaspersky On-line Scanner
Accept the Active X object and download the latest definitions.
When the scanner is ready, click *Scan Settings*.
Select the *Extended* anti-virus database.
Select *Scan Archives* & *Scan Mail Bases* and then *ok*.
Click *My Computer* to run a full system scan.
When complete, choose *Save as Text* and save the log file to your desktop ready for posting.


Step # 6

Please post the following in your next reply:
ComboFix log.
AVG Report-Scan.txt.
Kaspersky results.
New HijackThis log.
Any problems you encountered.


----------



## LM79 (May 12, 2007)

Hi John,

as per your instructions:

ComboFix log.

"Compaq" - 2007-05-12  1:30:16    Service Pack 2  
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Compaq\My Documents\Downloads\Appns\"


((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\winserv.dat
C:\install.log
C:\WINDOWS\hosts


(((((((((((((((((((((((((((((((   Files Created from 2007-04-05 to 2007-05-12  ))))))))))))))))))))))))))))))))))


2007-05-10 23:08	3,968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-21 01:33	<DIR>	d--------	C:\Program Files\Common Files\Canon
2007-04-21 01:33	<DIR>	d--------	C:\Program Files\Canon
2007-04-12 22:22	<DIR>	d--------	C:\Program Files\RarZilla Free Unrar


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-25 00:52:49	--------	d-----w	C:\Program Files\BitComet
2007-04-25 00:52:19	2,560	----a-w	C:\WINDOWS\system32\BitCometRes.dll
2007-04-09 04:34:28	--------	d-----w	C:\Program Files\Common Files\InstallShield
2007-04-09 04:34:22	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-03-17 13:43:01	292,864	----a-w	C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28	577,536	----a-w	C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28	40,960	----a-w	C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28	281,600	----a-w	C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48	1,843,584	----a-w	C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02	185,344	----a-w	C:\WINDOWS\system32\upnphost.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}"="C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"CARPService"="carpserv.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Display Settings"="C:\\Program Files\\HPQ\\Notebook Utilities\\hptasks.exe /s"
"QT4HPOT"="C:\\PROGRA~1\\HPQ\\ONE-TO~1\\OneTouch.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"LCIDConfig"="C:\\WINDOWS\\lcidchng.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DataLayer"="C:\\PROGRA~1\\COMMON~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\TRAYAP~1.EXE"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages	msv1_0\0\0
   Security Packages	kerberos\0msv1_0\0schannel\0wdigest\0\0
   Notification Packages	scecli\0\0


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	DnsCache\0\0
rpcss	RpcSs\0\0
imgsvc	StiSvc\0\0
termsvcs	TermService\0\0
HTTPFilter	HTTPFilter\0\0
DcomLaunch	DcomLaunch\0TermService\0\0
Usnsvc	usnsvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_DRIVER
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_GUARD


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 01:35:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?9?0?8??P???? ?X#B?????????????l|B? ?????? 

scanning hidden files ...

C:\system.sav\CTO.TXT 4096 bytes
C:\system.sav\CTOHW.TXT 16 bytes
C:\system.sav\DAYLGSAV.reg 320 bytes
C:\system.sav\FAVTOOL.LOG 696 bytes
C:\system.sav\INFO.BOM 8192 bytes
C:\system.sav\INFO2.BOM 8192 bytes
C:\system.sav\ISLOGCHK.LOG 472 bytes
C:\system.sav\REBOOT.ME 48 bytes
C:\system.sav\REGDEV.LOG 40 bytes
C:\system.sav\REGFLUSH.LOG 4096 bytes
C:\system.sav\RegionCF
C:\system.sav\RegionCF\euro.reg 216 bytes
C:\system.sav\RegionCF\SFr.reg 232 bytes
C:\system.sav\RmDev.log 16384 bytes
C:\system.sav\T55XGB.B22 4096 bytes
C:\system.sav\TNXHLC.002 4096 bytes
C:\system.sav\TNXHLC.AC1 4096 bytes
C:\system.sav\TNXXIN.B22 4096 bytes
C:\system.sav\TNXXPS.AC1 4096 bytes
C:\system.sav\TNXXPS.B22 4096 bytes
C:\system.sav\util
C:\system.sav\util\adobe.log 160 bytes
C:\system.sav\util\AppEvBk1.old 65536 bytes
C:\system.sav\util\AppEvBk2.old 65536 bytes
C:\system.sav\util\ATIRES.EXE 69632 bytes
C:\system.sav\util\bootldr.flg 0 bytes
C:\system.sav\util\BOOTSEC.NT4 512 bytes
C:\system.sav\util\CDDMA.REG 4096 bytes
C:\system.sav\util\CHECKLOG.EXE 98304 bytes
C:\system.sav\util\CIA.INI 69632 bytes
C:\system.sav\util\ClassMnu.log 72 bytes
C:\system.sav\util\CMDOOBE.CMD 72 bytes
C:\system.sav\util\COMPNAME.EXE 32768 bytes
C:\system.sav\util\cpqsm.exe 86016 bytes
C:\system.sav\util\DEFUSER.REG 320 bytes
C:\system.sav\util\deldir.log 4096 bytes
C:\system.sav\util\delmodem.bat 160 bytes
C:\system.sav\util\delmodem.ini 184 bytes
C:\system.sav\util\grnscrn.bto 552 bytes
C:\system.sav\util\grnscrn.exe 49152 bytes
C:\system.sav\util\infobomg.exe 102400 bytes
C:\system.sav\util\INSTALL.LOG 380928 bytes
C:\system.sav\util\make_rtr.flg 136 bytes
C:\system.sav\util\MKBSDAT.EXE 16384 bytes
C:\system.sav\util\NbUtil.log 184 bytes
C:\system.sav\util\oca.reg 352 bytes
C:\system.sav\util\oca_mrk.bat 120 bytes
C:\system.sav\util\oobe.min 136 bytes
C:\system.sav\util\oobe.wpe 184 bytes
C:\system.sav\util\osexclude.txt 224 bytes
C:\system.sav\util\PININST.INI 48 bytes
C:\system.sav\util\PININST.LOG 0 bytes
C:\system.sav\util\POSTOOBE.CMD 280 bytes
C:\system.sav\util\postproc.ini 4096 bytes
C:\system.sav\util\Powerset.log 96 bytes
C:\system.sav\util\random.ini 32 bytes
C:\system.sav\util\SecEvBk1.old 65536 bytes
C:\system.sav\util\SecEvBk2.old 65536 bytes
C:\system.sav\util\SETNAME.EXE 32768 bytes
C:\system.sav\util\SRCPATH.REG 432 bytes
C:\system.sav\util\SysEvBk1.old 65536 bytes
C:\system.sav\util\SysEvBk2.old 65536 bytes
C:\system.sav\util\sysrstr
C:\system.sav\util\touchpad.log 184 bytes
C:\system.sav\util\WINDVD.LOG 176 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 65


********************************************************************

Completion time: 2007-05-12  1:35:35
C:\ComboFix-quarantined-files.txt ... 2007-05-12 01:35
 ------------------------------------------------------

AVG Report-Scan.txt.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:	10:45:19 a.m. 12/05/2007

 + Scan result:	



C:\COMPAQ\APIsp\mfu\Carepaq.exe -> Logger.Age.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Compaq\Cookies\compaq@apnonline.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Compaq\Cookies\compaq@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.


::Report end

-----------------------------------------------------------

Kaspersky results.

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Saturday, May 12, 2007 3:22:28 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 12/05/2007
 Kaspersky Anti-Virus database records: 317847
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	A:\
	C:\
	D:\
	E:\

Scan Statistics:
	Total number of scanned objects: 49772
	Number of viruses found: 3
	Number of infected objects: 8 / 0
	Number of suspicious objects: 0
	Duration of the scan process: 02:44:41

Infected Object Name / Virus Name / Last Action
C:\AVG7QT.DAT	Infected: Trojan.Win32.Qhost	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
C:\Documents and Settings\Compaq\Application Data\Microsoft\Outlook\Outlook.srs	Object is locked	skipped
C:\Documents and Settings\Compaq\Application Data\Microsoft\Templates\Normal.dot	Object is locked	skipped
C:\Documents and Settings\Compaq\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq\Local Settings\Application Data\Microsoft\Outlook\archive.pst	Object is locked	skipped
C:\Documents and Settings\Compaq\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst	Object is locked	skipped
C:\Documents and Settings\Compaq\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Compaq\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Compaq\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq\Local Settings\History\History.IE5\MSHist012007051220070513\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq\Local Settings\Temp\~DF7542.tmp	Object is locked	skipped
C:\Documents and Settings\Compaq\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq\My Documents\Downloads\Appns\SmitfraudFix.zip/SmitfraudFix/Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\Compaq\My Documents\Downloads\Appns\SmitfraudFix.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\Compaq\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\Compaq\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\QooBox\Quarantine\C\WINDOWS\hosts.vir	Infected: Trojan.Win32.Qhost	skipped
C:\SDFix\backups\backups.zip/backups/i	Infected: Trojan-Downloader.BAT.Ftp.ab	skipped
C:\SDFix\backups\backups.zip	ZIP: infected - 1	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP190\change.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{BAC64EB9-17ED-4A16-A046-028D30F93ABC}.bin	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060820-190336.backup	Infected: Trojan.Win32.Qhost	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.
---------------------------------------------------------------

New HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:42:12 p.m., on 12/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Compaq\My Documents\Downloads\Appns\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LCIDConfig] C:\WINDOWS\lcidchng.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150717858126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150717836665
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

-------------------------------------------------------------

Any problems you encountered

Still same on reboot.. 15 mins before I can do anything...
In fact - had to wait 15 for the HJT programme to start up!!!
And when I rebooted (per your instructions) and the start up screen stuck there for 15 mins approx ["welcome..... loading your personal settings"]


Your thoughts please?
THat was a lot of work! =)


----------



## John McKenna (May 13, 2007)

Does it take the same amount of time to boot if you restart into Safe Mode?


----------



## LM79 (May 15, 2007)

in safe mode everything seems to work ok... but the PC remains offline from the internet.
things seem to load ok.
When I resumed a normal session it was still the same old story.

Please advise,
LM


----------



## John McKenna (May 15, 2007)

There may be a possible software issue here as well. Although the next process may be tedious, it may well expose the problem. Can I suggest you go to Start > Run and type *msconfig* > OK to open the System Configuration Utility. Once open, click the Startup tab to reveal all the programs you have configured to load at startup. Remove the check from the box before each entry listed and OK out of the Utility. Restart the machine when prompted.

If the machine boots up normally you know it's software related. It's then a process of adding each startup entry back via *msconfig* one by one (rebooting between each addition) to see which is causing the problem.

Let me know how you get on.


----------



## LM79 (May 16, 2007)

Ok. will give it a shot this weekend.
I have heard of this method before - but have managed to avoid until now!

I thought it could be a MS Outlook problem. often it is very slow to respond when I hit "reply" or fwd" etc. I thought it could be becuase it uses MS Word as the email editor, but it is still slow if I elect not to use Word. Sometimes, when I open MS outlook and it is DLing messages, the screen freezes - I can use other windows/apps in the meantime but have to wait several minutes before I can read messages.
Another problem (sometimes occurs) is when I have say 5 unread emails - I click on 1 of them to read and the Outlook screen freezes. Again, this does not seem to effect other apps running.

Also, thought I should confirm that I have approx 3/30GB free HD - should be sufficient.

Not sure if above info helps you or not??? 

Will take your recommended action in the next few days.

Thanks again,
LM


----------



## John McKenna (May 16, 2007)

No worries.


----------



## LM79 (May 27, 2007)

Hi John,
actually, removing ALL start up apps as suggested makes little difference to my system. Windows appears to load up faster before the HD stops moving... I open up MS outlook and looks fine... then I open IE and have to wait 10-15mins before I can use the PC. the mouse moves, and I cannot hear any HD movement neither can I see the HD indicator flashing on the laptop. 

Format and start over?

Please advise,
LM


----------



## John McKenna (May 27, 2007)

A few posts ago you said that everything worked in Safe Mode. Can you go into Safe Mode (with networking) and launch Internet Explorer to test if it causes the same problem.


----------



## LM79 (Jun 6, 2007)

Hi John,
seems to be much faster now, although still now what it used to be.
MSN messenger takes ages to load (again without making any noises) and also, "locking" the workstation/laptop takes 2-3 mins too.

Please advise,
LM


----------



## John McKenna (Jun 9, 2007)

John McKenna said:


> A few posts ago you said that everything worked in Safe Mode. Can you go into Safe Mode (with networking) and launch Internet Explorer to test if it causes the same problem.



Did you test this?


----------



## LM79 (Jun 10, 2007)

Hi J,
Yes - in safe mode - everything works ok - and with good response times.


----------



## John McKenna (Jun 10, 2007)

Can you have a look at your Event Viewer logs please to see if there are any clues. 

Go to Start > Run and type *eventvwr* to open the Event Viewer.

Look in the *Application* and *System* logs for errors (signified by a red circle with a white cross).

Double-click each of these error symbols to reveal more information. 

You should find an *Event ID* number and *Source* information.

Check out these Event ID errors and related sources here.

Further info on the Event Viewer can be found here.


----------



## LM79 (Jun 10, 2007)

Most of the App errors are 
 - "MsiInstaller" where they are updates from the internet that have failed for MS Outlook and Office. 
 - Also a few "application hangs".

Under system error:
 -  Dhcp : Your computer has lost the lease to its IP address 10.1.1.6 on the Network Card with network address 00028A99C531.
- Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Office 2003 (KB920813).
- Timeout (30000 milliseconds) waiting for the Ati HotKey Poller service to connect.

I cannot understand that website that you gave me... when I enter in the event id and the source I cannot make head or tails out of the page... tells you the same as above more or less.

Please advise,
LM


----------



## John McKenna (Jun 10, 2007)

Do you have automatic updates enabled on this machine?


----------



## LM79 (Jun 11, 2007)

yes there are ON.


----------



## John McKenna (Jun 11, 2007)

Can you disable them and let me know if there's any change please.


----------



## LM79 (Jun 18, 2007)

Yes, things are a little better now with auto-updates off!
strange, but now the system seems a little unstable.

I get the blue screen from time to time - Beginning dump of physical memory.

It is at least in a productive state now... still not up to speed but SOOO much better than before.

Please advise,
LM


----------



## John McKenna (Jun 18, 2007)

If the blue screen disappears before you have time to note down the crash info, do the following:
Click *Start* > right-click on *My Computer* > *Properties*.
Click the *Advanced* tab.
Under *Startup and Recovery*, click the *Settings* button
Under *System Failure*, UNCHECK "Automatically Restart" > OK > OK.
Post back with the exact error message either way please.

I'm glad it's better for you. It's taken us long enough!


----------



## LM79 (Jun 18, 2007)

Hi J,
I am not sure that my blue screen is the "blue" screen that you are talking about... this one looks like the OLD DOS type screen with loads of white writing. Looks like it's unloading all the memory. sometimes it restarts on its own accord - othertimes I have to unplug my laptop!
I have actioned your recommendations...  so now you want me to copy down the error message next time it happens? or is there a log somewhere?

LM


----------



## LM79 (Jun 18, 2007)

Further... my outlook *.pst file has gone astray - cannot find sent items or corresspondence that I have kept. sadness. does this give you any clues as to what disease my laptop has?!!?!?


----------



## LM79 (Jun 18, 2007)

ok, so it IS the blue screen:: here is a message from "sending an error message" - could be b/c of my usb hard drive... playing a video.
Q322205

Problem caused by Device Driver

You received this message because a device driver installed on your computer caused the Windows operating system to stop unexpectedly. This type of error is referred to as a "stop error." A stop error requires you to restart your computer.

More information

--------------------------------------------------------------------------------


Problem report summary

Problem type
 Windows stop error (a message appears on a blue screen with error code information)

Solution available?
 No 

What does this problem mean?
 Windows has encountered a problem it cannot recover from and it needs to be restarted

Cause
 Unknown

Computer symptoms
 A message appears on a blue screen with error code information (for example: 0x0000001E, KMODE_EXCEPTION_NOT_HANDLED)

Additional steps for you to take
 Please continue to send problem reports so analysts at Microsoft can study and try to correct the problem as quickly as possible


----------



## John McKenna (Jun 19, 2007)

Is this any use to you?

http://support.microsoft.com/kb/275678/EN-US/


----------

