Solved

Computer has slowed down in operations

Posted on 2006-11-07
Last Modified: 2009-01-31
Last week, my computer showed signs of slowing down. Programs, when double-clicked, would take a minute or two to open. Whenever I would go into my hard drive, the cursor would turn into an hourglass and the flashlight icon would appear, indicating that it was looking for my hard drive. And whenever my screen saver would start, the cursor would turn into an hourglass again and then the screen would turn black for a couple of minutes before the screen saver would appear (my screen saver is a My Pictures slideshow). Within the last couple of days, all these symptoms have gotten worse: sometimes it's minutes before I can get into my hard drive, and a lot of my programs don't come up for a long time -- at least 20 minutes in some cases -- after I have double-clicked on them. I am running Windows XP with Service Pack 2, I have 2 hard drives (C:, 250 GB, and D:, 80 GB), and I have an Intel Celeron processor (2.6 GHz) with 1.5 GB RAM. I have run Norton AntiVirus 2006, Panda Online Software Scan, and Spybot for viruses and spyware, and Registry Mechanic and PC Pitstop for performance issues. Nothing seems to have worked. Does anyone have any idea what could be happening here?

Thanks,

Stacy
Question by:sborah99
32 Comments
 
Expert Comment by briancassin (LVL 21)
Several possibilities exist:

Viruses, spyware and the like.

Bloated temporary files and/or a damaged profile.

Driver, hardware or software issue.

First off, we need to get a picture of what is going on in your PC. Could you please post a HijackThis log file? Go to http://tomcoyote.org/hjt, download and run HijackThis, select the option to save a log file, and post it up here.

Once that is done, the first tool I need you to download and run is CCleaner. You can get it from http://www.ccleaner.com. Download it and run it, select Analyze, then when it is done hit Run Cleaner. DO NOT RUN ANY OTHER PART OF THE PROGRAM.
Once that is done, please report how much it removed, in MB or GB.

Then you can follow my post after this one.
 
Expert Comment by briancassin (LVL 21)
I want to get some further information. This is sort of like a witch hunt for the problem, so it is a few steps, but we will find a way to resolve the issue.

Go to Start > Run and type TASKMGR, then go to the "Processes" tab and see if anything is using a high % of CPU. You can double-click on CPU to sort the highest-using items to the top. Please post the names of these.

Next, go to Start > Run and type EVENTVWR. Look under Application and System to see if there have been any warnings or errors reported. If so, you can double-click on the event listed; it will open up that specific event, and at the lower right-hand corner you will see two pieces of paper. Click that to copy the error to the clipboard, and then either right-click in your response area here and select Paste, or place your cursor in the response box here and hit CTRL+V on your keyboard. This way I can see any errors you might be having.

Next, right-click My Computer, select Properties, go to Hardware and then click on Device Manager. See if there is anything with a yellow mark next to it, or a red X, or anything odd. If so, please click on it to open it and tell me if it shows an error status; if so, what it is and what device it is.

Now, a separate question: did the antivirus or Norton find anything wrong?

If so, I would encourage you to also run:

http://www.bitdefender.com - however, change the default action setting so it does not delete if it cannot cure

http://housecall.trendmicro.com

http://www.lavasoft.com - download and run Ad-Aware Personal Edition

http://www.ewido.net - Ewido Anti-Spyware, same as above

http://www.intermute.com/spysubtract/cwshredder_download.html - download CoolWebShredder

Also:

Run RootkitRevealer, http://www.sysinternals.com/Utilities/RootkitRevealer.html, and see if it finds anything. If it does and it is suspicious, post the result here and we can look at it further.
 

Author Comment by sborah99
Logfile of HijackThis v1.99.1
Scan saved at 6:11:33 PM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
D:\Program Files\Norton Internet Security\comHost.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
D:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com/
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] D:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\windows.exe
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\windows.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.apple.com.edgesuite.net/qtinstall.info.apple.com/lupin/us/win/QuickTimeInstaller.exe
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by113fd.bay113.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

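The O4 section of a HijackThis log is where the thread's suspicious item sits, and the same few checks get applied to it by hand every time. As an added example (not part of this thread and not HijackThis's own logic), the Python script below parses the O4 Run-key lines copied from the log above and ranks them with four heuristics of my own: the same value name and image registered under both HKLM and HKCU Run, an image dropped directly into the Windows directory or system32, an unquoted path containing spaces, and a bare file name with no path. The weights and flag names are arbitrary choices made here; the script does not decide what a file is, it only says which entries deserve a lookup first.

```python
"""Heuristic triage of HijackThis O4 (Run key) entries.
Added example: flags and weights are the author's own, not HijackThis logic.
SAMPLE_LOG is the O4 section copied from the log posted above."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] D:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\windows.exe
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\windows.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+?)\s*$")

# Weights are arbitrary; they only rank entries for a human to look at first.
WEIGHTS = {
    "dual_hive": 3,        # same value name and image in both HKLM and HKCU Run
    "system_dir": 2,       # image sits directly in \WINDOWS or \WINDOWS\system32
    "unquoted_spaces": 1,  # unquoted path with spaces: CreateProcess may pick the wrong file
    "bare_name": 1,        # no path at all, so the file is located via the search path
}


@dataclass
class RunEntry:
    hive: str
    name: str
    cmd: str
    image: str
    flags: list = field(default_factory=list)

    @property
    def score(self):
        return sum(WEIGHTS[f] for f in self.flags)


def extract_image(cmd):
    """Return the file a Run value is meant to launch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, arguments may follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0]          # the module rundll32 loads, not rundll32
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)  # keep an unquoted path with spaces whole
    return m.group(1) if m else tokens[0]


def is_system_dir(image):
    return re.match(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", image.lower()) is not None


def parse_o4(log_text):
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line)
        if m:
            hive, name, cmd = m.group("hive", "name", "cmd")
            entries.append(RunEntry(hive, name, cmd, extract_image(cmd)))
    return entries


def triage(log_text):
    """Parse O4 Run entries, flag them and return them highest score first."""
    entries = parse_o4(log_text)
    hives_seen = defaultdict(set)
    for e in entries:
        hives_seen[(e.name.lower(), e.image.lower())].add(e.hive)
    for e in entries:
        if hives_seen[(e.name.lower(), e.image.lower())] >= {"HKLM", "HKCU"}:
            e.flags.append("dual_hive")
        if is_system_dir(e.image):
            e.flags.append("system_dir")
        if not e.cmd.startswith('"') and "\\" in e.image and " " in e.image:
            e.flags.append("unquoted_spaces")
        if "\\" not in e.image:
            e.flags.append("bare_name")
    return sorted(entries, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.score:>2}  {e.hive:<4} [{e.name}]  {e.image}  {','.join(e.flags)}")
```

Run against the posted log, the two `[startkey]` entries come out on top (dual_hive plus system_dir), the unquoted PCPitstop path and the bare `SOUNDMAN.EXE` get a low score, and the quoted Program Files entries score zero. That ordering is the point: it is the same one rpggamergirl reached by eye, but reproducible on the next log.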
 
Expert Comment by rpggamergirl (LVL 47)
Hi,

1. Please open HijackThis.
Click on the "Config..." button on the bottom right.
Click on the tab "Misc Tools".
Click on "Delete File on Reboot".
Navigate to this file --> C:\WINDOWS\system32\windows.exe

Double-click on that file.
HJT asks you if you want to reboot now. Click "Yes".


2. Next, download http://downloads.andymanchesta.com/RemovalTools/SDFix.zip and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
- Instead of Windows loading as normal, a menu with options should appear.
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.

- In Safe Mode, right-click the SDFix.zip folder and choose "Extract All".
- Open the extracted folder and double-click "RunThis.bat" to start the script.
- Type Y to begin the script.
- It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
- Press any key and it will restart the PC.
- Your system will take longer than normal to restart as the fixtool will be running and removing files.
- When the desktop loads, the fixtool will complete the removal and display "Finished"; then press any key to end the script and load your desktop icons.
- Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file, Report.txt, back here.


3. After you've done the above, go and rename HijackThis.exe to "some.exe" or any other .exe name you want, then run another scan with the renamed HijackThis and show us the log. Some entries in yours are missing, so maybe some nasties are monitoring the hijackthis.exe process; that's why you need to rename it.

You can upload the HijackThis log to EE-Stuff.com,

OR paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", then click "Save". Then post the link to the saved list here.
 

Author Comment by sborah99
Hey Brian,

TASKMGR only showed Internet Explorer as using 34,212, which was the most out of 5 programs running (IE was 3 of these since I have a few windows open; the others were NAVW32.EXE, 33,208, and CCAPP.EXE, 29,980). I'm waiting on CCleaner's report, which has been going for 30 minutes now. I only posted the errors and warnings from the last day.

Stacy

EVENT VIEWER:

APPLICATIONS
Event Type:      Error
Event Source:      Application Hang
Event Category:      (101)
Event ID:      1002
Date:            11/6/2006
Time:            10:56:11 PM
User:            N/A
Computer:      STACYPARTII
Description:
Hanging application wmplayer.exe, version 10.0.0.3802, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 48 61 6e 67   ion Hang
0010: 20 20 77 6d 70 6c 61 79     wmplay
0018: 65 72 2e 65 78 65 20 31   er.exe 1
0020: 30 2e 30 2e 30 2e 33 38   0.0.0.38
0028: 30 32 20 69 6e 20 68 75   02 in hu
0030: 6e 67 61 70 70 20 30 2e   ngapp 0.
0038: 30 2e 30 2e 30 20 61 74   0.0.0 at
0040: 20 6f 66 66 73 65 74 20    offset
0048: 30 30 30 30 30 30 30 30   00000000

Event Type:      Warning
Event Source:      Userenv
Event Category:      None
Event ID:      1517
Date:            11/6/2006
Time:            9:17:07 PM
User:            NT AUTHORITY\SYSTEM
Computer:      STACYPARTII
Description:
Windows saved user STACYPARTII\Stacy Borah registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      Userenv
Event Category:      None
Event ID:      1524
Date:            11/6/2006
Time:            9:17:04 PM
User:            STACYPARTII\Stacy Borah
Computer:      STACYPARTII
Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.  



For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Application Hang
Event Category:      (101)
Event ID:      1002
Date:            11/6/2006
Time:            9:13:31 PM
User:            N/A
Computer:      STACYPARTII
Description:
Hanging application EXCEL.EXE, version 11.0.5612.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 48 61 6e 67   ion Hang
0010: 20 20 45 58 43 45 4c 2e     EXCEL.
0018: 45 58 45 20 31 31 2e 30   EXE 11.0
0020: 2e 35 36 31 32 2e 30 20   .5612.0
0028: 69 6e 20 68 75 6e 67 61   in hunga
0030: 70 70 20 30 2e 30 2e 30   pp 0.0.0
0038: 2e 30 20 61 74 20 6f 66   .0 at of
0040: 66 73 65 74 20 30 30 30   fset 000
0048: 30 30 30 30 30            00000  

Event Type:      Error
Event Source:      Application Hang
Event Category:      (101)
Event ID:      1002
Date:            11/6/2006
Time:            4:16:32 PM
User:            N/A
Computer:      STACYPARTII
Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 48 61 6e 67   ion Hang
0010: 20 20 49 45 58 50 4c 4f     IEXPLO
0018: 52 45 2e 45 58 45 20 36   RE.EXE 6
0020: 2e 30 2e 32 39 30 30 2e   .0.2900.
0028: 32 31 38 30 20 69 6e 20   2180 in
0030: 68 75 6e 67 61 70 70 20   hungapp
0038: 30 2e 30 2e 30 2e 30 20   0.0.0.0
0040: 61 74 20 6f 66 66 73 65   at offse
0048: 74 20 30 30 30 30 30 30   t 000000
0050: 30 30                     00      

Event Type:      Error
Event Source:      Application Error
Event Category:      (100)
Event ID:      1000
Date:            11/6/2006
Time:            4:05:10 PM
User:            N/A
Computer:      STACYPARTII
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x62756f64.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 65 78 70   ure  exp
0018: 6c 6f 72 65 72 2e 65 78   lorer.ex
0020: 65 20 36 2e 30 2e 32 39   e 6.0.29
0028: 30 30 2e 32 31 38 30 20   00.2180
0030: 69 6e 20 75 6e 6b 6e 6f   in unkno
0038: 77 6e 20 30 2e 30 2e 30   wn 0.0.0
0040: 2e 30 20 61 74 20 6f 66   .0 at of
0048: 66 73 65 74 20 36 32 37   fset 627
0050: 35 36 66 36 34            56f64  

Event Type:      Warning
Event Source:      Userenv
Event Category:      None
Event ID:      1517
Date:            11/6/2006
Time:            12:24:50 AM
User:            NT AUTHORITY\SYSTEM
Computer:      STACYPARTII
Description:
Windows saved user STACYPARTII\Stacy Borah registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Application Hang
Event Category:      (101)
Event ID:      1002
Date:            11/5/2006
Time:            11:52:46 PM
User:            N/A
Computer:      STACYPARTII
Description:
Hanging application NMain.exe, version 104.0.1.17, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 48 61 6e 67   ion Hang
0010: 20 20 4e 4d 61 69 6e 2e     NMain.
0018: 65 78 65 20 31 30 34 2e   exe 104.
0020: 30 2e 31 2e 31 37 20 69   0.1.17 i
0028: 6e 20 68 75 6e 67 61 70   n hungap
0030: 70 20 30 2e 30 2e 30 2e   p 0.0.0.
0038: 30 20 61 74 20 6f 66 66   0 at off
0040: 73 65 74 20 30 30 30 30   set 0000
0048: 30 30 30 30               0000    

Event Type:      Error
Event Source:      Application Hang
Event Category:      (101)
Event ID:      1002
Date:            11/5/2006
Time:            11:52:44 PM
User:            N/A
Computer:      STACYPARTII
Description:
Hanging application NMain.exe, version 104.0.1.17, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 48 61 6e 67   ion Hang
0010: 20 20 4e 4d 61 69 6e 2e     NMain.
0018: 65 78 65 20 31 30 34 2e   exe 104.
0020: 30 2e 31 2e 31 37 20 69   0.1.17 i
0028: 6e 20 68 75 6e 67 61 70   n hungap
0030: 70 20 30 2e 30 2e 30 2e   p 0.0.0.
0038: 30 20 61 74 20 6f 66 66   0 at off
0040: 73 65 74 20 30 30 30 30   set 0000
0048: 30 30 30 30               0000    


SYSTEM
Event Type:      Warning
Event Source:      W32Time
Event Category:      None
Event ID:      36
Date:            11/7/2006
Time:            10:57:47 AM
User:            N/A
Computer:      STACYPARTII
Description:
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      DCOM
Event Category:      None
Event ID:      10010
Date:            11/6/2006
Time:            10:58:22 PM
User:            STACYPARTII\Stacy Borah
Computer:      STACYPARTII
Description:
The server {E08DE58F-82D2-4B97-A063-95E34EF205DE} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      Dhcp
Event Category:      None
Event ID:      1003
Date:            11/6/2006
Time:            9:18:20 PM
User:            N/A
Computer:      STACYPARTII
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00115BC27E7E.  The following error occurred:
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00               y...    

Event Type:      Error
Event Source:      DCOM
Event Category:      None
Event ID:      10010
Date:            11/6/2006
Time:            9:10:02 PM
User:            STACYPARTII\Stacy Borah
Computer:      STACYPARTII
Description:
The server {F3A614DC-ABE0-11D2-A441-00C04F795683} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            11/6/2006
Time:            2:39:26 PM
User:            N/A
Computer:      STACYPARTII
Description:
The TCP/IP NetBIOS Helper service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7009
Date:            11/6/2006
Time:            2:39:26 PM
User:            N/A
Computer:      STACYPARTII
Description:
Timeout (30000 milliseconds) waiting for the TCP/IP NetBIOS Helper service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      DCOM
Event Category:      None
Event ID:      10010
Date:            11/6/2006
Time:            9:03:56 AM
User:            STACYPARTII\Stacy Borah
Computer:      STACYPARTII
Description:
The server {F3A614DC-ABE0-11D2-A441-00C04F795683} did not register with DCOM within the required timeout.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            11/6/2006
Time:            1:00:35 AM
User:            N/A
Computer:      STACYPARTII
Description:
The LiveUpdate service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7009
Date:            11/6/2006
Time:            1:00:34 AM
User:            N/A
Computer:      STACYPARTII
Description:
Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            11/6/2006
Time:            1:00:33 AM
User:            N/A
Computer:      STACYPARTII
Description:
The LiveUpdate service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7009
Date:            11/6/2006
Time:            1:00:26 AM
User:            N/A
Computer:      STACYPARTII
Description:
Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            11/6/2006
Time:            12:59:51 AM
User:            N/A
Computer:      STACYPARTII
Description:
The LiveUpdate service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7009
Date:            11/6/2006
Time:            12:59:19 AM
User:            N/A
Computer:      STACYPARTII
Description:
Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            11/6/2006
Time:            12:58:51 AM
User:            N/A
Computer:      STACYPARTII
Description:
The LiveUpdate service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7009
Date:            11/6/2006
Time:            12:58:20 AM
User:            N/A
Computer:      STACYPARTII
Description:
Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            11/6/2006
Time:            12:57:43 AM
User:            N/A
Computer:      STACYPARTII
Description:
The LiveUpdate service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7009
Date:            11/6/2006
Time:            12:57:26 AM
User:            N/A
Computer:      STACYPARTII
Description:
Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            11/6/2006
Time:            12:56:51 AM
User:            N/A
Computer:      STACYPARTII
Description:
The LiveUpdate service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7009
Date:            11/6/2006
Time:            12:56:14 AM
User:            N/A
Computer:      STACYPARTII
Description:
Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            11/6/2006
Time:            12:55:47 AM
User:            N/A
Computer:      STACYPARTII
Description:
The LiveUpdate service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7009
Date:            11/6/2006
Time:            12:55:03 AM
User:            N/A
Computer:      STACYPARTII
Description:
Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            11/6/2006
Time:            12:54:29 AM
User:            N/A
Computer:      STACYPARTII
Description:
The LiveUpdate service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7009
Date:            11/6/2006
Time:            12:53:55 AM
User:            N/A
Computer:      STACYPARTII
Description:
Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            11/6/2006
Time:            12:53:15 AM
User:            N/A
Computer:      STACYPARTII
Description:
The LiveUpdate service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

(These errors are logged about 20 more times over a 30 minute span)

Author Comment

by:sborah99
Brian,

Norton Antivirus and Panda Online scan did reveal a few things but nothing major. They took care of all the spyware they found.

Stacy

Author Comment

by:sborah99
CCLEANER removed 305.6 MB from my system.

Author Comment

by:sborah99
As far as devices with a yellow mark beside them: my PCI modem and my video controller both have those beside them.
LVL 21

Expert Comment

by:briancassin
Stacy,

Follow what rpggamergirl has suggested; she is correct that that file needs to go. According to my information that is the Zotob or Feldor worm, but follow her directions... afterwards run another logfile like she said.

You do have a lot of errors in your event logs
I noticed one that really concerns me and that is that LIVEUPDATE IS NOT WORKING!!!! It says the service is failing to start because it did not respond in a timely fashion.

Did you check the date of your virus definitions for your Norton Antivirus? Because without LiveUpdate you have old definitions... I would go to Symantec's site itself and run a scan. Something has either damaged your Norton or is preventing it from updating.

I would run the zotob tool just to be safe
http://www.symantec.com/smb/security_response/writeup.jsp?docid=2005-081514-1503-99


rpggamergirl,

do you have a link for what this is I am just wondering where you got the SDfix from ?
LVL 21

Expert Comment

by:briancassin
Okay, we have a bunch of issues with your PC then that can be causing issues:

1. You are still infected, which means do what rpggamergirl said, but also do the things listed below.

2. You have driver errors in Device Manager.

3. Your LiveUpdate in Symantec appears to be DOA.

4. You probably have a lot of fragmentation; if you have never defragmented your drive then this will definitely cause issues.

5. I am not sure on your status of Windows updates, but you may be missing some.


-----------------------------WHAT TO DO ------------------------------------------------------------

Go into Control Panel > Add/Remove Programs and check for odd stuff: things that say "Internet Accelerator" or things that just don't look right. Post them here and I can tell you if they are junk or you need them...

http://www.bitdefender.com   - however, change the default action setting so it does not delete if it cannot cure

http://housecall.trendmicro.com

http://www.lavasoft.com   - download and run Ad-Aware Personal Edition
http://www.ewido.net  - Ewido Anti-Spyware, same as above

http://www.intermute.com/spysubtract/cwshredder_download.html - download CoolWebShredder

Run RootkitRevealer, http://www.sysinternals.com/Utilities/RootkitRevealer.html, and see if it finds anything. If it does and it is suspicious, then post the result here and we can look at it further.


LVL 47

Expert Comment

by:rpggamergirl
>>>do you have a link for what this is I am just wondering where you got the SDfix from ?<<<

Brian, the link I have is not accessible by everyone, sorry.
The Asker has something else hiding in his log, but if he doesn't listen it's up to him; my advice is there. I've had 3 cases where the Asker didn't listen to people's advice and did a repair and made his PC unbootable! lol.
He has a choice to be wise and know when to follow advice or do his own thing, :)


SDFix removes:
Backdoor (IRCBot) Trojans:
RBot/SDBot(newer variants)
HackerDefender

windows.exe <-- is a variant of R-Bot, that's why I suggested SDFix.

Their signatures (telltale signs in HijackThis) are similar to these or the same:
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe

O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\Microsoft.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\Microsoft.exe

O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\Mysia.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\Mysia.exe

O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\winlog.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\winlog.exe

O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\windows.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\windows.exe

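The telltale O4 entries above are easy to check for automatically. The following is an added example, not code from this thread or from any of the tools it mentions: it parses HijackThis-style O4 Run lines (format as quoted in the posts) and flags the R-Bot pattern: a value named "startkey" launching from system32, a file name from the list above, a double-dot name such as explorer..exe, and the same file registered under both HKLM and HKCU. The sample log lines are constructed, not Stacy's real log.

```python
import re

# Constructed HijackThis-style O4 lines (not from the thread's actual log):
# two benign autoruns plus the paired HKLM/HKCU "[startkey]" entries of the
# kind rpggamergirl lists as R-Bot telltales.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\windows.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\windows.exe
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
"""

# File names taken from the R-Bot Run-key signatures quoted above.
RBOT_NAMES = {"explorer..exe", "microsoft.exe", "mysia.exe", "winlog.exe", "windows.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_o4(log_text):
    """Yield (hive, value_name, command) for every O4 Run entry in the log."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.group("hive"), m.group("name"), m.group("cmd")


def file_name(cmd):
    """Lower-cased bare file name of a Run command, surrounding quotes stripped."""
    return cmd.strip().strip('"').split("\\")[-1].lower()


def flag_rbot_entries(log_text):
    """Return [(hive, value_name, file_name, reasons)] for suspicious O4 entries."""
    findings = []
    for hive, name, cmd in parse_o4(log_text):
        fname = file_name(cmd)
        reasons = []
        if name.lower() == "startkey" and "\\system32\\" in cmd.lower():
            reasons.append("'startkey' value launching from system32")
        if fname in RBOT_NAMES:
            reasons.append("file name on the R-Bot telltale list")
        if ".." in fname:
            reasons.append("double-dot name impersonating a system binary")
        if reasons:
            findings.append((hive, name, fname, reasons))
    return findings


def in_both_hives(log_text):
    """File names registered under both HKLM and HKCU Run (the paired pattern)."""
    seen = {}
    for hive, _name, cmd in parse_o4(log_text):
        seen.setdefault(file_name(cmd), set()).add(hive)
    return {f for f, hives in seen.items() if hives == {"HKLM", "HKCU"}}


if __name__ == "__main__":
    for hive, name, fname, reasons in flag_rbot_entries(SAMPLE_HJT_LOG):
        print(f"{hive} [{name}] {fname}: " + "; ".join(reasons))
    print("in both hives:", sorted(in_both_hives(SAMPLE_HJT_LOG)))
```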

Author Comment

by:sborah99
I just ran LiveUpdate and it worked fine.  Also, I defragmented my hard drives about 2 months ago.  Probably need to do that again.  I'll also do what rpggamergirl suggested and I'll let you know what happens with that.  Thanks for the help so far, guys.

Stacy
LVL 47

Expert Comment

by:rpggamergirl
BTW, the above are just a few of the telltale signs for R-Bot;
the telltale signs of SDBot are different;
the telltale signs of Hacker Defender are also very different and located in the O23 entries of HJT.
LVL 21

Expert Comment

by:briancassin
rpggamergirl,

I was just curious where you got info on those from. I used to be extremely up to date on these threats, but a handful of them are news to me... That is why I asked; I like to stay in the know.

Author Comment

by:sborah99
Quick note: I opened HijackThis, went to "Config" and then "Misc Tools" and clicked on "Delete a file on Reboot", but the program ended itself.  No error message or anything.  It's done this 3 times now.
LVL 47

Expert Comment

by:rpggamergirl
Brian,
I understand, yeah, it's good to stay up to date. Malware/virus writers always come up with new tricks to evade detection; by the time antivirus detects them they come up with a new one.
It is not a winning battle, but it sure is interesting, :)

I got myself infected with a Chinese virus 4 days ago, and it sure wasn't easy to get rid of even with all the tools that I already have at hand.
LVL 47

Expert Comment

by:rpggamergirl
>>>Quick note: I opened HijackThis, went to "Config" and then "Misc Tools" and clicked on "Delete a file on Reboot", but the program ended itself.  No error message or anything.  It's done this 3 times now.<<<

You can also manually delete the file, or use Killbox "Delete On Reboot" or "Kill explorer while killing the file"
or just run SDBot.

Most importantly, did you rename HijackThis and scan your system with the renamed HijackThis? I have the feeling something is hiding from the scan because some entries are missing.

Author Comment

by:sborah99
No I haven't renamed HijackThis yet or scanned with it renamed.  I was doing everything in order and I didn't want to mix up the order you suggested.

Author Comment

by:sborah99
I am running the Symantec Zotob removal tool right now.

Expert Comment

by:cola_ghost
You install NAT to scan for viruses.

Author Comment

by:sborah99
Guys,

I downloaded SDFix last night (which wasn't easy, since it took my computer almost 3 hours just to be able to navigate to the site), and after it downloaded, I rebooted my computer in Safe Mode.  Then I extracted and ran SDFix and left it going all day.  When I got home from work, it was prompting me to hit any button to restart.  So I did.  It restarted in Normal Mode, and SDFix began running its second phase, saying it would only take 4-5 minutes.  It went from repairing registry files to checking for infected files in about 2 minutes.  Since then, it seems to be stuck on checking for infected files.  It has been running now for about four hours and no change.  What should I do?

Stacy
LVL 21

Expert Comment

by:briancassin
Stacy,

Unfortunately I am not familiar with this tool.... If it doesn't look like it is progressing and there is no hard drive activity, then I would be inclined to think the program possibly hung. If you can, check Task Manager and see what is currently running, and then go to Processes and see what is running under there and using the most CPU%...

Author Comment

by:sborah99
Actually, I did hit Ctrl-Alt-Delete to bring up Task Manager about 30 minutes ago and it still hasn't come up yet.  I am currently on an outdated laptop (750 Mhz CPU, 128 MB RAM, Windows 2000), but this can only go for so long before I get frustrated with its slowness.
LVL 47

Expert Comment

by:rpggamergirl
SDFix was updated on 11/7/2006; I couldn't access the site yesterday either.
Yeah, it sounded like the program crashed.

Can we just look at a renamed HijackThis log? The log should give us bad entries we can just delete, and that should help.

Author Comment

by:sborah99
Ok I'll see if I can get that for you.

Author Comment

by:sborah99
I renamed HijackThis.exe Stacy.exe and rescanned and here is the logfile:

http://www.hijackthis.de/logfiles/8e2cd6f61b0f1d59f7d07ea43fa5aad3.html
LVL 21

Assisted Solution

by:briancassin
briancassin earned 100 total points
For starters, you have the WinFixer Vundo trojan.

It is in your HijackThis logfile:
O2 - BHO: (no name) - {E347DB4E-4A72-4011-A262-913B1377F183} - C:\WINDOWS\system32\geede.dll
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll

go here to get the fix
http://www.atribune.org/content/view/24/2/

You also have
O20 - Winlogon Notify: winysd32 - C:\WINDOWS\SYSTEM32\winysd32.dll

which is Trojan.Agent.QT


ewido anti spyware can get rid of Trojan.Agent.QT
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 400 total points
Yeah, there it is, showing now the nasties: Vundo infection and MediaTickets dialer.

1.  Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Click on "Delete File on Reboot"
Navigate to this file --> C:\WINDOWS\SYSTEM32\winysd32.dll
Double click on that file.
HJT asks you if you want to reboot, now. Click "Yes"


2. Then fix this entry (HijackThis can't fix the Vundo entries while Vundo's main file is active):
O20 - Winlogon Notify: winysd32 - C:\WINDOWS\SYSTEM32\winysd32.dll


3.  Then run Vundofix:
 Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the "Scan for Vundo" button.
* Once it's done scanning, click the "Remove Vundo" button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encounters a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.


If vundofix doesn't find the file use this alternative "VirtumundoBegone"
Download VirtumundoBegone from here:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
 and save it to your desktop. When you have done this doubleclick on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot. If you like, post the log that is created on your desktop called VBG.TXT in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.


4.  Then download ATF Cleaner to remove the .tmp files created by the dialer.
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser,
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.




Author Comment

by:sborah99
Well, it looks as if everything is cleared up now.  VundoFix ran for hours and just scanned the same files over and over.  So, I used VirtumundoBegone and it cleaned it off in seconds.  Then I ran ATF Cleaner and my computer is running very fast now.  Here is the log from VirtumundoBegone:


[11/09/2006, 23:15:54] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Stacy Borah.STACYPARTII\Desktop\VirtumundoBeGone.exe" )
[11/09/2006, 23:16:00] - Detected System Information:
[11/09/2006, 23:16:00] -  Windows Version: 5.1.2600, Service Pack 2
[11/09/2006, 23:16:01] -  Current Username: Stacy Borah (Admin)
[11/09/2006, 23:16:01] -  Windows is in NORMAL mode.
[11/09/2006, 23:16:01] - Searching for Browser Helper Objects:
[11/09/2006, 23:16:01] -  BHO 1: {81FB1F8E-6D4B-4A74-8A7C-82A1E651CA57} ()
[11/09/2006, 23:16:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/09/2006, 23:16:02] -  Checking for HKLM\...\Winlogon\Notify\geede
[11/09/2006, 23:16:02] -  Found: HKLM\...\Winlogon\Notify\geede - This is probably Virtumundo.
[11/09/2006, 23:16:02] -  Assigning {81FB1F8E-6D4B-4A74-8A7C-82A1E651CA57} MSEvents Object
[11/09/2006, 23:16:02] - BHO list has been changed! Starting over...
[11/09/2006, 23:16:03] -  BHO 1: {81FB1F8E-6D4B-4A74-8A7C-82A1E651CA57} (MSEvents Object)
[11/09/2006, 23:16:03] - ALERT: Found MSEvents Object!
[11/09/2006, 23:16:03] -  BHO 2: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[11/09/2006, 23:16:03] -  BHO 3: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[11/09/2006, 23:16:03] -  BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/09/2006, 23:16:03] - Finished Searching Browser Helper Objects
[11/09/2006, 23:16:04] - *** Detected MSEvents Object
[11/09/2006, 23:16:04] - Trying to remove MSEvents Object...
[11/09/2006, 23:16:05] -    Terminating Process: IEXPLORE.EXE
[11/09/2006, 23:16:09] -    Terminating Process: RUNDLL32.EXE
[11/09/2006, 23:16:15] -    Disabling Automatic Shell Restart
[11/09/2006, 23:16:17] -    Terminating Process: EXPLORER.EXE
[11/09/2006, 23:16:23] -    Suspending the NT Session Manager System Service
[11/09/2006, 23:16:23] -    Terminating Windows NT Logon/Logoff Manager
[11/09/2006, 23:16:23] -    Re-enabling Automatic Shell Restart
[11/09/2006, 23:16:23] -   File to disable: C:\WINDOWS\system32\geede.dll
[11/09/2006, 23:16:23] -  Renaming C:\WINDOWS\system32\geede.dll -> C:\WINDOWS\system32\geede.dll.vir
[11/09/2006, 23:16:23] -  File successfully renamed!
[11/09/2006, 23:16:23] -   Removing HKLM\...\Browser Helper Objects\{81FB1F8E-6D4B-4A74-8A7C-82A1E651CA57}
[11/09/2006, 23:16:23] -   Removing HKCR\CLSID\{81FB1F8E-6D4B-4A74-8A7C-82A1E651CA57}
[11/09/2006, 23:16:23] -   Adding Kill Bit for ActiveX for GUID: {81FB1F8E-6D4B-4A74-8A7C-82A1E651CA57}
[11/09/2006, 23:16:23] -   Deleting ATLEvents/MSEvents Registry entries
[11/09/2006, 23:16:23] -   Removing HKLM\...\Winlogon\Notify\geede
[11/09/2006, 23:16:24] - Searching for Browser Helper Objects:
[11/09/2006, 23:16:24] -  BHO 1: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[11/09/2006, 23:16:24] -  BHO 2: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[11/09/2006, 23:16:24] -  BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/09/2006, 23:16:24] - Finished Searching Browser Helper Objects
[11/09/2006, 23:16:24] - Finishing up...
[11/09/2006, 23:16:24] - A restart is needed.
[11/09/2006, 23:16:33] - Attempting to Restart via STOP error (Blue Screen!)

Is there anything else I need to do?

Stacy
LVL 47

Expert Comment

by:rpggamergirl
VundoFix failed again; sometimes it seems to have trouble finding the files, but when it works it removes the main file and all the other reversed Vundo files.

VirtumundoBeGone just renamed Vundo's main file to this --> C:\WINDOWS\system32\geede.dll.vir
It's still there in your PC; you can delete it if you wish, or other scanners will find and delete it eventually.
In there are also Vundo's reversed files with .bak, .tmp, .ini extensions --> edeeg.bak, edeeg.bak1, edeeg.ini, edeeg.tmp etc.; they are harmless files.


Vundo infection gets into your PC usually through the vulnerabilities in Java, so make sure you update your Java version.
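The Vundo finding in the HijackThis log (an unnamed O2 BHO whose DLL also appears as an O20 Winlogon Notify handler) and the VirtumundoBeGone log above both rest on the same correlation, so here is one added example covering both; it is not code from the thread or from either tool. It correlates O2 and O20 lines on the DLL path rather than the CLSID, since the thread shows geede.dll under two different CLSIDs ({E347DB4E-...} in HijackThis, {81FB1F8E-...} in VirtumundoBeGone), lists Notify handlers with no BHO at all (winysd32.dll), and derives the reversed-name companion files rpggamergirl describes. The input lines are constructed from the entries quoted in the thread plus one benign BHO.

```python
import re

# Constructed HijackThis-style lines (not a full log): the two Vundo lines and
# the winysd32 line quoted in the thread, plus a benign named BHO for contrast.
SAMPLE_LINES = r"""
O2 - BHO: (no name) - {E347DB4E-4A72-4011-A262-913B1377F183} - C:\WINDOWS\system32\geede.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll
O20 - Winlogon Notify: winysd32 - C:\WINDOWS\SYSTEM32\winysd32.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse(lines):
    """Split a log into BHO (O2) and Winlogon Notify (O20) records."""
    bhos, notifies = [], []
    for line in lines.splitlines():
        if m := O2_RE.match(line.strip()):
            bhos.append(m.groupdict())
        elif m := O20_RE.match(line.strip()):
            notifies.append(m.groupdict())
    return bhos, notifies


def vundo_candidates(lines):
    """DLLs loaded both as an unnamed BHO and as a Winlogon Notify handler.
    Matching is on the DLL path (case-insensitive), not the CLSID, because the
    CLSID changes between runs while the Notify hook keeps pointing at the DLL."""
    bhos, notifies = parse(lines)
    notify_by_path = {n["path"].lower(): n["key"] for n in notifies}
    return [
        {"clsid": b["clsid"], "path": b["path"], "notify_key": notify_by_path[b["path"].lower()]}
        for b in bhos
        if b["name"] == "(no name)" and b["path"].lower() in notify_by_path
    ]


def unpaired_notify_keys(lines):
    """Winlogon Notify handlers whose DLL is not a BHO; still worth a look
    (winysd32 in the thread was a separate trojan)."""
    bhos, notifies = parse(lines)
    bho_paths = {b["path"].lower() for b in bhos}
    return [n["key"] for n in notifies if n["path"].lower() not in bho_paths]


def companion_files(dll_path):
    """Reversed-name helper files to look for next to the main DLL
    (geede.dll -> edeeg.bak, edeeg.bak1, edeeg.ini, edeeg.tmp)."""
    base = dll_path.split("\\")[-1].rsplit(".", 1)[0]
    return [f"{base[::-1]}.{ext}" for ext in ("bak", "bak1", "ini", "tmp")]


if __name__ == "__main__":
    for hit in vundo_candidates(SAMPLE_LINES):
        print("probable Vundo:", hit, "companions:", companion_files(hit["path"]))
    print("unpaired Notify handlers:", unpaired_notify_keys(SAMPLE_LINES))
```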

Author Comment

by:sborah99
I have a new, bigger problem now, possibly related to my previous problem.  I ran RootKit Revealer and turned off my screen saver beforehand.  But while it was scanning, Norton Antivirus popped up, saying it had deleted "Trojan.Vundo" from my system.  After I clicked OK, it said I needed to restart my computer for the new changes to take effect.  I held off on restarting until after RootKit had finished.  Thirty minutes later, when it had finished, I tried to save the report it generated and the program closed itself due to an error.  I then opened up another program (a DVD converter program) but then I tried to close it.  However, it never succeeded in closing itself as the program locked up and also locked up my computer.  The cursor would move and then freeze up and after about ten minutes, it froze up completely.  I tried to get Task Manager to come up but to no avail.  So I held down the power button until it shut off and then turned it on again.  Only this time, the computer would not recognize either of my hard drives.  My Windows XP disk will not recognize them either.  I can't log onto anything and I can't figure out how to get my system to recognize the drives again.  What should I do?

Stacy

Author Comment

by:sborah99
Never mind.  I got it back up.  I just hit Ctrl-Alt-Delete a few times while it was trying to reboot and it found the drives again.  Thanks for all of your help, rpggamergirl and Brian.

Stacy