   Mischel Internet Security Forum
   TrojanHunter
   TrojanHunter Scanner
(Moderators: Helena, Gavin_Coe, Magnus)
   this is too much please help
   Author  Topic: this is too much please help  (Read 707 times)
jhg
Newbie
this is too much please help
« on: Nov 13th, 2007, 9:29pm »
I have reloaded o/s several times including low level format.
I could not access my DDO to install, reinstall, or uninstall.
O/S is smart capable but unable to enable smart on Hdd.
Attempted to use recovery console to use chkdsk and my administrator password doesn't work.
chkdsk finds errors while running from windows but is unable to repair from windows.

trojan hunter finds an NTFS alternate data stream on every downloaded file.

panda firewall, antivirus, and antispam turn off by themselves.

I have an empty autoexec.bat and config.sys???

Unfortunately, I don't know what else to tell u except I lose my internet connection often and it takes about 10 min for the system to start up and allow access to the control panel.

this is an updated fresh load of win xp
here are my logs
 
hijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:41 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194741227734
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55D85088-8471-432F-90E2-D90954796A49} : NameServer = 64.250.192.64 64.250.192.65
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
 
--
End of file - 6297 bytes
 
 
 
 
 
Trojan Hunter log
TrojanDownloader.Zlob.661 found in:
c:\program files\panda security\panda internet security 2008\clsends.dll
63953 objects
2151 folders
3 boot sectors
archives 1078
packed files 2623
1 virus, 1 infected file
0 suspect, 0 disinfected, 0 deleted.
I accidentally closed TH5.0 b4 I saved the first scan report. The report is the second scan.
 
TrojanHunter Scan Report - Saved 2007-11-12 22:44
 
Found NTFS alternate data stream: C:\Documents and Settings\Joe Sr\Favorites\BitDefender Free Online Virus Scan.url:favicon:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Joe Sr\Favorites\Malware Removal and Prevention Overview - CastleCopsWiki.url:favicon:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Joe Sr\Favorites\Seagate Technology - SeaTools for Windows.url:favicon:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Joe Sr\Favorites\trojan hunter initial prep for malware removal.url:favicon:$DATA
Warning: Executable file with double extensions found: C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\MshConf\sc12.bin.tmp
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_2144413c\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
 
 
superantispyware log
 
***sorry couldn't see a way to save the log but nothing found***
 
 
 
Bit Defender log
 
BitDefender Online Scanner

Scan report generated at: Tue, Nov 13, 2007 - 17:41:55

Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 00:21:51
Files: 64720
Folders: 2164
Boot Sectors: 3
Archives: 1080
Packed Files: 2660

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 870829
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 7
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Program Files\Panda Security\Panda Internet Security 2008\pskahk.dll - Infected with: Generic.Malware.SIMDWYNVdprn.172A39DE
C:\Program Files\Panda Security\Panda Internet Security 2008\pskahk.dll - Disinfection failed
C:\Program Files\Panda Security\Panda Internet Security 2008\pskahk.dll - Delete failed

 
blacklight log
 
Scanning Report
Tuesday, November 13, 2007 19:39:29 - 20:26:43
Computer name: PAPA  
Scanning type: Scan system for viruses, rootkits, spyware  
Target: C:\ D:\  
 
 
--------------------------------------------------------------------------------
 
Result: 4 malware found
Tracking Cookie (spyware)  
System (Disinfected)  
System  
System  
System  
 
--------------------------------------------------------------------------------
 
Statistics
Scanned:
Files: 21352  
System: 3116  
Not scanned: 3  
Actions:
Disinfected: 1  
Renamed: 0  
Deleted: 0  
None: 3  
Submitted: 0  
Files not scanned:
C:\PAGEFILE.SYS  
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT  
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{77E8A71E-AC88-4A97-9B34-12089C97AEED}.BIN

--------------------------------------------------------------------------------
 
Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-11-12  
F-Secure AVP: 7.0.171, 2007-11-14  
F-Secure Orion: 1.2.37, 2007-11-14  
F-Secure Blacklight: 1.0.64  
F-Secure Draco: 1.0.35, 2007-10-30  
F-Secure Pegasus: 1.19.0, 2007-10-12  
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX  
Use Advanced heuristics  
 
--------------------------------------------------------------------------------
 
 
 
Platform: Windows XP SP2 (WinNT 5.01.2600) ??? what ??? dual O/S?
 
 
 
 
 
siliconman01
Global Moderator
Re: this is too much please help
« Reply #1 on: Nov 14th, 2007, 2:17am »
Welcome to the forum jhg :D
 
First of all, your HJT scan log is not showing any infections on your system.  That does not necessarily mean that something is not still lurking on your system, but it's a good sign.
 
Would you please do the following:
 
1.  Send in the following 2 files to Mischel Internet Security for analysis.  I think they are both False Positives, but need to confirm this.

clsends.dll
pskahk.dll

 
The link below describes how to send in files.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
2.  Address issues in TH scan
 
-  Files with Double Extensions
 
Example:  Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll  
 
a.  Please open TH scanner GUI
b.  Click on the Options icon on the left icon bar.
c.  Uncheck the very last option which is "Warn on executable files with double extensions"
 
-  NTFS alternate data streams (ADS)
 
Under XP, files that are downloaded from the internet will contain an alternate data stream that is the Zone Identifier.
 
a.  Run a Full Scan of your system using TH.
b.  After the scan is completed, right click on each one of the items with an ADS and select Delete Alternate Data Stream.  Confirm and let TH delete the ADS.  You have to do this one item at a time.  Once the ADS is deleted, it will no longer show up in a TH scan.  
 
3.  CHKDSK problem.
 
Quote:
chkdsk finds errors while running from windows but is unable to repair from windows.  

 
This is NOT a good sign.  It indicates that your hard disk may be failing.  Go to the Maxtor website and see if they have any software tools that you can download to diagnose your hard drive.  
 
Quote:
it takes about 10 min for the system to start up and allow access to the control panel.

 
This is another indication that you may be having hard drive problems.  
 
4.  Autoexec.bat & config.sys
 
Quote:
I have an empty autoexec.bat and config.sys

 
I'm running Vista; however, if my memory serves me correctly, under XP these two files are 0 bytes unless you have a third party program that loads something in them.  
 
5.  Slow reboot problem.
 
I see you are running SuperAntiSpyware.  You should try turning off First Chance Prevention under Realtime Protection and see if this improves your reboot time.  First Chance could be conflicting with something.  
 
6.  Run a Remote Scan with Kaspersky.  
 
Please run a remote scan with Kaspersky.  BE SURE to deactivate Panda's anti-virus component before running this scan.  If Kaspersky comes up clean, you are most likely not infected.  Be sure to scan your entire disk.  
 
http://www.kaspersky.com/virusscanner
 
Please post back here your findings so we can assist further if needed.
 
 
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
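
An added example (not part of the original posts and not TrojanHunter's own logic): a small Python triage of report lines in the format quoted in this thread, separating findings that are expected on a stock system from ones worth a closer look. It assumes two stream names are normal, `Zone.Identifier` (the download zone marker) and `favicon` on Internet Explorer `.url` favorites, and flags a double extension only when a document-style extension precedes an executable one; both lists and all function names are assumptions of this example.

```python
import re
from ntpath import basename, splitext  # Windows path rules on any host OS

# Stream names treated as expected (assumption of this example).
# None = allowed on any file; a set = allowed only on those extensions.
EXPECTED_STREAMS = {
    "zone.identifier": None,
    "favicon": {".url"},
}
# A decoy extension followed by an executable one, e.g. invoice.pdf.exe.
DECOY_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".gif", ".mp3", ".avi", ".zip"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

ADS_RE = re.compile(r"^Found NTFS alternate data stream: (?P<target>.+)$")
DBL_RE = re.compile(
    r"^Warning: Executable file with double extensions found: (?P<path>.+)$"
)


def split_stream(target):
    """Split 'C:\\dir\\file.ext:stream:$DATA' into (file path, stream name)."""
    # The drive-letter colon is not a stream separator, so set it aside first.
    drive = target[:2] if len(target) > 1 and target[1] == ":" else ""
    path, _, stream = target[len(drive):].partition(":")
    if stream.endswith(":$DATA"):
        stream = stream.rsplit(":", 1)[0]
    return drive + path, stream


def classify(line):
    """Return (verdict, detail); verdict is 'expected', 'review' or 'other'."""
    m = ADS_RE.match(line)
    if m:
        path, stream = split_stream(m.group("target"))
        ext = splitext(path)[1].lower()
        allowed = EXPECTED_STREAMS.get(stream.lower(), False)
        detail = f"{stream} on {basename(path)}"
        if allowed is None or (allowed and ext in allowed):
            return "expected", detail
        return "review", detail
    m = DBL_RE.match(line)
    if m:
        name = basename(m.group("path"))
        stem, last = splitext(name)
        inner = splitext(stem)[1]
        if last.lower() in EXEC_EXTS and inner.lower() in DECOY_EXTS:
            return "review", name
        # No decoy-then-executable pattern, e.g. System.XML.dll
        return "expected", name
    return "other", line


def triage(lines):
    """Group report lines by verdict; returns {verdict: [detail, ...]}."""
    out = {"expected": [], "review": [], "other": []}
    for line in lines:
        verdict, detail = classify(line.strip())
        out[verdict].append(detail)
    return out


# Constructed sample: the first three lines follow the report quoted in this
# thread; the last three are invented to exercise the remaining branches.
SAMPLE = r"""
Found NTFS alternate data stream: C:\Documents and Settings\Joe Sr\Favorites\Seagate Technology - SeaTools for Windows.url:favicon:$DATA
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
Warning: Executable file with double extensions found: C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\MshConf\sc12.bin.tmp
Found NTFS alternate data stream: C:\Downloads\setup.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\WINDOWS\Temp\readme.txt:favicon:$DATA
Warning: Executable file with double extensions found: C:\Downloads\invoice.pdf.exe
""".strip().splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE)
    for verdict in ("review", "expected"):
        print(verdict.upper())
        for item in result[verdict]:
            print("  ", item)
```
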
jhg
Newbie
Re: this is too much please help
« Reply #2 on: Nov 14th, 2007, 7:56pm »
on Nov 14th, 2007, 2:17am, siliconman01 wrote:
.
 
Would you please do the following:
 
1.  Send in the following 2 files to Mischel Internet Security for analysis.  I think they are both False Positives, but need to confirm this.

clsends.dll
pskahk.dll


 
I was able to send in pskahk.dll but CISends.dll is missing from the directory. I searched My Computer for it and found nothing.
 
on Nov 14th, 2007, 2:17am, siliconman01 wrote:
.
 
 
2.  Address issues in TH scan
 
 
-  NTFS alternate data streams (ADS)
 
Under XP, files that are downloaded from the internet will contain an alternate data stream that is the Zone Identifier.
 
a.  Run a Full Scan of your system using TH.
b.  After the scan is completed, right click on each one of the items with an ADS and select Delete Alternate Data Stream.  Confirm and let TH delete the ADS.  You have to do this one item at a time.  Once the ADS is deleted, it will no longer show up in a TH scan.  

 
Ran TrojanHunter full scan and found TrojanDownloader.Zlob.661 but this time it was quarantined to c:\program files\Trojan hunter 5.0\Quarantine\HMV.dat & nMD.dat

On the log tab many files were not scanned due to read access denied.

I removed the alternate data streams that TrojanHunter would allow me to, but several entries had the remove alternate data stream grayed out on the right click menu. Most of the alternate data streams gave error code "list out of index(12)" when I right clicked them.
 
 
 
 on Nov 14th, 2007, 2:17am, siliconman01 wrote:
.
 
3.  CHKDSK problem.
 
 
This is NOT a good sign.  It indicates that your hard disk may be failing.  Go to the Maxtor website and see if they have any software tools that you can download to diagnose your hard drive.  

All the scans I have done using seatools and maxblast have passed. I did a low level format with maxblast and wanted to reinstall my DDO but was unable to.

I have recovery console installed as a startup option but my administrator password doesn't allow access. Are the Windows XP administrator passwords stored in CMOS? Would shorting the CMOS allow me to reset the password?
 
on Nov 14th, 2007, 2:17am, siliconman01 wrote:
.
 
  
 
4.  Autoexec.bat & config.sys
 
 
I'm running Vista; however, if my memory serves me correctly, under XP these two files are 0 bytes unless you have a third party program that loads something in them.  
 

all I can say is I wish I knew xp better.
 
on Nov 14th, 2007, 2:17am, siliconman01 wrote:
.
 
 
5.  Slow reboot problem.
 
I see you are running SuperAntiSpyware.  You should try turning off First Chance Prevention under Realtime Protection and see if this improves your reboot time.  First Chance could be conflicting with something.  
 

I checked and first chance was already off.
 
on Nov 14th, 2007, 2:17am, siliconman01 wrote:
.
 
 
6.  Run a Remote Scan with Kaspersky.  
 
Please run a remote scan with Kaspersky.  BE SURE to deactivate Panda's anti-virus component before running this scan.  If Kaspersky comes up clean, you are most likely not infected.  Be sure to scan your entire disk.  
 
http://www.kaspersky.com/virusscanner
 
Please post back here your findings so we can assist further if needed.
 
 

 
no viruses found with kaspersky but many skipped files.
here is the scan report:
 
KASPERSKY ONLINE SCANNER REPORT  
Wednesday, November 14, 2007 7:47:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/11/2007
Kaspersky Anti-Virus database records: 459674
 
 
Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects: 35947
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:33:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\sentinel\2.1\gwhashs.dat  Object is locked  skipped  
 
C:\Documents and Settings\Joe Sr\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG  Object is locked  skipped  
 
C:\Documents and Settings\Joe Sr\Cookies\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\Joe Sr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped  
 
C:\Documents and Settings\Joe Sr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped  
 
C:\Documents and Settings\Joe Sr\Local Settings\History\History.IE5\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\Joe Sr\Local Settings\Temp\~DF71BC.tmp  Object is locked  skipped  
 
C:\Documents and Settings\Joe Sr\Local Settings\Temp\~DF71C9.tmp  Object is locked  skipped  
 
C:\Documents and Settings\Joe Sr\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\Joe Sr\NTUSER.DAT  Object is locked  skipped  
 
C:\Documents and Settings\Joe Sr\ntuser.dat.LOG  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\Cookies\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped  
 
C:\Documents and Settings\LocalService\ntuser.dat.LOG  Object is locked  skipped  
 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped  
 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped  
 
C:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped  
 
C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped  
 
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\MshConf\scoffset.bin.incr  Object is locked  skipped  
 
C:\Program Files\Panda Security\Panda Internet Security 2008\f4d4851e8935eebef0f2eb52b3212bc9PSK_NAMES  Object is locked  skipped  
 
C:\Program Files\Panda Security\Panda Internet Security 2008\f4d4851e8935eebef0f2eb52b3212bc9PSK_NAMES2  Object is locked  skipped  
 
C:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped  
 
C:\System Volume Information\_restore{9D82EE3A-3E1F-47C1-BD03-6428333D87E1}\RP19\change.log  Object is locked  skipped
 
C:\WINDOWS\Debug\PASSWD.LOG  Object is locked  skipped  
 
C:\WINDOWS\pfirewall.log  Object is locked  skipped  
 
C:\WINDOWS\SchedLgU.Txt  Object is locked  skipped  
 
C:\WINDOWS\SoftwareDistribution\EventCache\{77E8A71E-AC88-4A97-9B34-12089C97AEED}.bin  Object is locked  skipped
 
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log  Object is locked  skipped  
 
C:\WINDOWS\Sti_Trace.log  Object is locked  skipped  
 
C:\WINDOWS\system32\CatRoot2\edb.log  Object is locked  skipped  
 
C:\WINDOWS\system32\CatRoot2\tmp.edb  Object is locked  skipped  
 
C:\WINDOWS\system32\config\AppEvent.Evt  Object is locked  skipped  
 
C:\WINDOWS\system32\config\default  Object is locked  skipped  
 
C:\WINDOWS\system32\config\default.LOG  Object is locked  skipped  
 
C:\WINDOWS\system32\config\Internet.evt  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SAM  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SAM.LOG  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SecEvent.Evt  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SECURITY  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SECURITY.LOG  Object is locked  skipped  
 
C:\WINDOWS\system32\config\software  Object is locked  skipped  
 
C:\WINDOWS\system32\config\software.LOG  Object is locked  skipped  
 
C:\WINDOWS\system32\config\SysEvent.Evt  Object is locked  skipped  
 
C:\WINDOWS\system32\config\system  Object is locked  skipped  
 
C:\WINDOWS\system32\config\system.LOG  Object is locked  skipped  
 
C:\WINDOWS\system32\h323log.txt  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA  Object is locked  skipped  
 
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked  skipped  
 
C:\WINDOWS\wiadebug.log  Object is locked  skipped  
 
C:\WINDOWS\wiaservc.log  Object is locked  skipped  
 
C:\WINDOWS\WindowsUpdate.log  Object is locked  skipped  
 
D:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped  
 
Scan process completed.  
 
siliconman01
Global Moderator
Re: this is too much please help
« Reply #3 on: Nov 15th, 2007, 2:20am »
Quote:
I was able to send in pskahk.dll but CISends.dll is missing from the directory. I searched My Computer for it and found nothing.

 
The name is CLSends.dll, not CISends.dll
 
Quote:
Ran TrojanHunter full scan and found TrojanDownloader.Zlob.661 but this time it was quarantined to c:\program files\Trojan hunter 5.0\Quarantine\HMV.dat & nMD.dat

On the log tab many files were not scanned due to read access denied.

 
It is not uncommon for a scanner to have access denied if the parent program is running.  
 
Quote:
I removed the alternate data streams that TrojanHunter would allow me to, but several entries had the remove alternate data stream grayed out on the right click menu. Most of the alternate data streams gave error code "list out of index(12)" when I right clicked them.

 
Would you please post examples of these...both the grayed out and the ones that gave "list out of index(12)".
 
Quote:
I have recovery console installed as a startup option but my administrator password doesn't allow access. Are the windows xp administrator passwords stored in cmos? would shorting the cmos allow me to reset the password?

 
I am not sure, to be honest.  You could give it a try.  
 
Quote:
All the scans I have done using seatools and maxblast have passed. I did a low level format with maxblast and wanted to reinstall my DDO but was unable to.

 
What is DDO?  
 
Quote:
no viruses found with kaspersky but many skipped files.  
here is the scan report:  

 
The skipped files are normal..they are busy and Kaspersky cannot access them.  The fact that Kaspersky scanned clean strongly implies that you are not infected.
 
Did the slow reboot problem start when you upgraded to Panda 2008?  You might check the Panda forums and see if others are having problems.
jhg
Newbie
Re: this is too much please help
« Reply #4 on: Nov 15th, 2007, 8:00pm »
on Nov 15th, 2007, 2:20am, siliconman01 wrote:

 
The name is CLSends.dll, not CISends.dll

I searched for both spellings. I don't have a clue what happened to that file.
 
Quote:
It is not uncommon for a scanner to have access denied if the parent program is running.
 
 
Is there a list of processes and their functions available somewhere, so that I could end all processes that I do not need?
 
 
Quote:
 
Would you please post examples of these...both the grayed out and the ones that gave "list out of index(12)".

 
I had to run a new scan but here are examples of what I'm talking about. I didn't have any items that the options were greyed out on the right click menu.  I have to type these manually because of right click errors.
 
Not scanning file c:\Documents and Settings \Joe Sr \Local Settings \Application Data\Microsoft\windows \UsrClass.dat: Read access denied
right click error: out of bounds(1)
 
Not scanning file c:\Documents and Settings \Joe Sr \Local Settings \Application Data\Microsoft\windows \UsrClass.dat.LOG: Read access denied
right click error: out of bounds(2)
 
Not scanning file c:\Documents and Settings\Joe Sr\Local settings\Temp\~DFC8E8.tmp: read access denied
right click error: out of bounds(3)
 
Not scanning file c:\Documents and Settings\Joe Sr\Local settings\Temp\~DFC945.tmp: read access denied
right click error: out of bounds(4)
 
Not scanning file c:\Documents and Settings \Joe Sr \NTUSER.DAT:Read access denied
right click error: out of bounds(5)
 
Not scanning file c:\Documents and Settings \Joe Sr \ntuser.dat.LOG:Read access denied
right click error: out of bounds(6)
 
Not scanning file c:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft \windows\UsrClass.dat: Read access denied
right click error: out of bounds(7)
 
Not scanning file c:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft \windows\UsrClass.dat.LOG: Read access denied
right click error: out of bounds(8)
 
Not scanning file c:\Documents and Settings \LocalService \NTUSER.dat: Read access denied
right click error: out of bounds(9)
 
Not scanning file c:\Documents and Settings \LocalService \NTUSER.dat.LOG: Read access denied
right click error: out of bounds(10)
 
not scanning file c:\documents and settings \networkService \local Settings \application Data \microsoft \windows \UsrClass.dat: Read access denied
right click error: out of bounds(11)
 
not scanning file c:\documents and settings \networkService \local Settings \application Data \microsoft \windows \UsrClass.dat.LOG: Read access denied
right click error: out of bounds(12)
 
not scanning file c:\Documents and Settings \NetworkService \NTUSER.DAT: Read access denied
right click error: list index out of bounds(13)
 
not scanning file c:\Documents and Settings \NetworkService \ntuser.dat.LOG: Read access denied
right click error: list index out of bounds(14)
 
not scanning file c:\pagefile.sys: Read access denied
right click error: list index out of bounds(15)
 
not scanning file c:\windows\system32\CatRoot2\edb.log: Read access denied
right click menu error: list index out of bounds(16)
 
not scanning file c:\windows\system32\CatRoot2\tmp.edb: Read access denied
right click menu error: list index out of bounds(17)
 
not scanning file c:\WINDOWS\System32\CatRoot2 \ {127DOA1D-4EF2-11D1-8608-00C04FC295EE}\catdb: Read access denied
right click menu error: List index out of bounds(18)
 
not scanning file c:\WINDOWS\System32\CatRoot2 \ {F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb: Read access denied
right click menu error: List index out of bounds(19)
 
not scanning file c:\windows\system32\config\default: Read access denied
right click error: list index out of bounds(20)
 
not scanning file c:\windows\system32\config\default.LOG: Read access denied
right click error: list index out of bounds(21)
 
not scanning file c:\windows\system32 \config \SAM: Read access denied
right click error: list index out of bounds(22)
 
not scanning file c:\windows\system32 \config \SAM.LOG: Read access denied
right click error: list index out of bounds(23)
 
not scanning file c:\windows\system32 \config \SECURITY: Read access denied
right click error: list index out of bounds(24)
 
not scanning file c:\windows\system32 \config \SECURITY.LOG: Read access denied
right click error: list index out of bounds(25)
 
not scanning file c:\windows\system32 \config \software: Read access denied
right click error: list index out of bounds(26)
 
not scanning file c:\windows\system32 \config \software.LOG: Read access denied
right click error: list index out of bounds(27)
 
 
not scanning file c:\windows\system32 \config \system: Read access denied
right click error: list index out of bounds(28)
 
not scanning file c:\windows\system32 \config \system.LOG: Read access denied
right click error: list index out of bounds(29)
 
 
  
 
Quote:
   
What is DDO?  

 
DDO is Direct Drive overlay. I think that if I could reinstall my DDO I could restore the MBR to factory settings. I believe that the MBR has been modified because prior to reloading the O/S I found a hidden file on the desktop called %userprofile%~. Inside the folder it appeared to be Windows NT system files. I also found winnt.gif and the picture was the Windows XP loading screen. I think that the MBR may have been modified because I am unable to restore it and the problems are returning after a low level format.
 
I think I have heard that NT is embedded in Win XP, but no other XP computer I have access to had this folder hidden on their desktops. Lol, it makes me miss pure DOS.
 
Should I have a hidden folder in documents and settings named default user?  
 
Quote:
 
Did the slow reboot problem start when you upgraded to Panda 2008?  You might check the Panda forums and see if others are having problems.  

 
No, the slow reboot problem started prior to the installation of Panda and after the first connection to the internet after O/S reload. I went to Microsoft Update and before I was finished downloading and updating XP I was only getting around 38 kbps. When I first started downloading I was getting above 600 kbps.
 
My fear is that this computer has been compromised by No_exploit or something like that.
 
I have to manually download the security updates for MS07-016, MS07-027, MS07-033, and MS07-045. I attempted to deploy these updates and Windows Explorer stops responding. I have already downloaded all the updates and removed the ADSs so that I don't have to connect to the internet until the OS is updated, should I need to reload again.
« Last Edit: Nov 15th, 2007, 8:04pm by jhg » IP Logged
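A triage sketch for the "Not scanning file ... Read access denied" entries in the scan log posted above, added here as an example and not part of the original post or of TrojanHunter. It separates files a running Windows XP normally holds open (registry hives, the page file, the CatRoot2 catalog databases, in-use `~DF*.tmp` files) from anything else; the allowlist, the function names and the `example.sys` entry are assumptions of this example.

```python
import re

# Constructed sample in the format of the scan log above (stray spaces included).
SAMPLE_LOG = r"""
Not scanning file c:\Documents and Settings \Joe Sr \NTUSER.DAT:Read access denied
not scanning file c:\pagefile.sys: Read access denied
not scanning file c:\windows\system32 \config \SAM.LOG: Read access denied
not scanning file c:\windows\system32\CatRoot2\tmp.edb: Read access denied
Not scanning file c:\Documents and Settings\Joe Sr\Local settings\Temp\~DFC8E8.tmp: read access denied
not scanning file c:\windows\system32\drivers\example.sys: Read access denied
"""

ENTRY = re.compile(r"^not scanning file\s+(.+?):\s*read access denied\s*$", re.I)

# Assumption of this example: files a running Windows XP normally keeps locked.
EXPECTED = [
    ("registry hive", r"c:\\windows\\system32\\config\\(default|sam|security|software|system)(\.log)?"),
    ("user registry hive", r"c:\\documents and settings\\[^\\]+\\ntuser\.dat(\.log)?"),
    ("user class hive", r"c:\\documents and settings\\[^\\]+\\local settings\\application data\\microsoft\\windows\\usrclass\.dat(\.log)?"),
    ("page file", r"c:\\pagefile\.sys"),
    ("catalog database", r"c:\\windows\\system32\\catroot2\\(edb\.log|tmp\.edb|\{[0-9a-z-]+\}\\catdb)"),
    ("temp file in use", r"c:\\documents and settings\\[^\\]+\\local settings\\temp\\~df[0-9a-f]+\.tmp"),
]

def normalize(path):
    """Lower-case the path and drop the stray spaces around backslashes."""
    return re.sub(r"\s*\\\s*", r"\\", path.strip()).lower()

def triage(log_text):
    """Return (expected, unexpected): lists of (normalized_path, reason)."""
    expected, unexpected = [], []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank lines and "right click error" lines are skipped
        path = normalize(m.group(1))
        for label, pattern in EXPECTED:
            if re.fullmatch(pattern, path):
                expected.append((path, label))
                break
        else:
            unexpected.append((path, "not on the expected-locked list"))
    return expected, unexpected

if __name__ == "__main__":
    ok, review = triage(SAMPLE_LOG)
    print(f"{len(ok)} expected, {len(review)} to review")
    for path, why in review:
        print("REVIEW", path, "-", why)
```

Entries that land in the review list are the ones worth checking from an offline boot, where the running system no longer holds the file open.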
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
Posts: 5603
Re: this is too much please help
« Reply #5 on: Nov 16th, 2007, 3:51am »

You are experiencing a lot of issues that are beyond my level of expertise to assist you with.  Personally, I'm still thinking you have a disk problem or some other hardware problem or conflict that is causing some or all of these issues.  Or you have hardware drivers that are out-of-date.  
 
If it were me, I'd
-  run memcheck to determine if there is a memory problem
-  ensure that fans on the computer are running and that the ventilation is clean
-  re-seat all the cards
-  check all cabling
-  perform a full/thorough format of the main hard drive,  
-  re-install Windows XP  
-  upgrade all hardware drivers directly from the manufacturer's websites
-  perform a complete update via Windows Update
-  see if CHKDSK /r /f runs to completion.  
 
I've contacted Magnus via the right click issue with TH.  He is trying to reproduce it.  You are the first to report this issue with TH.
« Last Edit: Nov 16th, 2007, 3:58am by siliconman01 » IP Logged

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!