Solved

Computer Locks Up for no apparent reason.

Posted on 2007-08-01
Medium Priority
1,839 Views
Last Modified: 2013-12-04
I have a Dell PC, Optiplex, P 2.8GHz, 2.0GB Ram, XP Pro SP2.  In the last week or so, the computer has started to lock up for no apparent reason.  I am not getting any kind of error message and I ran a test of the memory which showed no errors.

The only other "symptom" which happens frequently and I've never been able to get a diagnosis on is that for about 3 or 4 months, I noticed that whatever I happen to be working on, whatever application is "in focus", (this could be anything from OE or IE to notepad), the application will appear to "refresh".  This happens about every 10 to 15 minutes.  By "refresh", I mean you can see the dark blue of the title bar change to light blue, the cursor temporarily disappears and then it all comes back.  

I have no idea why this started happening or how to fix it, or if it is related to the lockups I'm getting now.  When the computer does lock up, I have no option but to power off and restart.  The lockups were happening about once every couple of days and today it happened twice in the span of about 6 hours.

Your help is greatly appreciated.

-Greg
Question by:wgrogers
33 Comments
 
LVL 16

Assisted Solution

by:Kevin Hays
Kevin Hays earned 150 total points
ID: 19607993
Those are pretty hard to diagnose sometimes.  Some things to check first.

- power supply
- windows is up to date
- all devices have up to date drivers
- run spyware/malware checks
- run virus checks
- motherboard/cpu monitor to check to see if motherboard/cpu is getting too hot
- memory test (already done that)

Kevin
 
LVL 3

Assisted Solution

by:Circleblue
Circleblue earned 150 total points
ID: 19608016
Greg, there are a few things you can do to start helping yourself.  1) Identify which process(es) are using up the CPU percentage.  2) Then, assuming you can close the process, you need to identify whether a startup process is causing this by running msconfig and looking at the Startup tab.  Disable the startup item that matches the process you closed.

There are numerous other things it could be but this is  a good place to start.

Cheers,

Brian
 
LVL 3

Expert Comment

by:Circleblue
ID: 19608026
Identify the process in Task Manager by hitting CTRL-SHIFT-ESC.  Click on the Processes tab and then click on CPU twice to bring the highest processes to the top.

Cheers,

Brian
 
LVL 27

Assisted Solution

by:michko
michko earned 150 total points
ID: 19608095
First, make sure your system is clean of viruses and ad/spyware.
Make sure your antivirus is up to date.  If you don't have an antivirus solution, AVG Free Edition (http://free.grisoft.com/doc/1) is a good solution.  
Make sure you have good spy/adware detection programs.  Personally, I use Adaware (http://www.lavasoftusa.com/products/ad-aware_se_personal.php) and Spybot (http://www.safer-networking.org/).  I've heard good things lately about SuperAntiSpyware (www.superantispyware.com).  Check that your definitions are up to date.
Thoroughly scan your pc for viruses and spy/adware.  Reboot, and rescan until clean.
Another helpful tool is CCleaner (www.ccleaner.com).  This will clean out all temp files, including temp internet folders.  It also has a good registry cleaner.
Once your pc is clean, run a defrag.
Then make sure you continue to update/scan/clean on a regular basis.

Run a manual Windows Update.  Make sure all critical updates have been installed.  You can install optional updates if you want.  Keep repeating manual update until no more critical updates show.

If it's still locking up, look at Process Monitor (http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx).  This can provide a lot of information about what processes are running, what they're doing, and how much memory they're taking up.  You should be able to pinpoint what is causing the lockup, and we can go from there.

Also, check the Event logs (http://support.microsoft.com/kb/308427/).  Advise us of what event id errors you are receiving.

michko

 
LVL 16

Expert Comment

by:Kevin Hays
ID: 19608135
 

Author Comment

by:wgrogers
ID: 19610957
Okay, here's a bit more info.  I do update windows manually and often.  I do run AV software in both normal and safe modes and they include:  NAV, AVG, Adware Away, Adaware, Spybot, HJT, and the others I can't see right now because the computer just locked up again.  (I am on my laptop now).  

Using ctrl + shift + esc to see processes, or ctrl + alt + delete doesn't work because the computer is locked up.  You can do nothing with it.  So how does one identify cpu usage if the machine is in that state?  

Thanks

Greg
 
LVL 16

Expert Comment

by:Kevin Hays
ID: 19610997
You would need to have task manager up at all times.  Doesn't really bother you if you have dual monitors so you can just slide task manager to the other monitor, but if only 1 monitor then the task manager can be annoying.

Have you checked anything in the event logs to see if something got logged right before the lockup?
 
LVL 27

Expert Comment

by:michko
ID: 19611192
You're not running NAV and AVG at the same time, are you?  If so, disable NAV and see how your system runs then.  Running both NAV and AVG (or more than one AV product) at the same time can cause serious resource and locking issues.

Check the Event logs.  

Check out Process Monitor.  You can get a lot of information on your running programs.  Under File, open Backing Files.  You can specify a file name and location to save the file.  When the pc locks up and you reboot, you can then open the saved file and view the events prior to and at the time of the pc locking up.
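The event-log check that Kevin Hays and michko both ask for can be done offline once the System log is saved out of Event Viewer. The script below is an added example, not from the thread and not part of any tool mentioned in it: it reads a CSV export of the System log, finds each event 6008 ("the previous system shutdown was unexpected", which XP writes at the next boot after a hard power-off), lists the last few events written before that boot, and counts repeated error records by source. The column layout, the constructed sample lines and the host name OPTIPLEX are assumptions.

```python
"""Correlate Windows XP System-log events with unexpected shutdowns.

Added example; not part of the original thread. It assumes the System log was
saved from Event Viewer as CSV (Action > Save Log File As, file type CSV) with
the columns Type, Date, Time, Source, Category, Event, User, Computer. The
sample export below is constructed to illustrate the idea.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample: two disk errors and an atapi timeout, then a reboot at
# which the Event Log service records that the previous shutdown was unexpected.
SAMPLE_CSV = """\
Information,08/01/2007,08:02:11 AM,eventlog,None,6005,N/A,OPTIPLEX
Warning,08/01/2007,09:40:03 AM,W32Time,None,36,N/A,OPTIPLEX
Error,08/01/2007,10:12:45 AM,Disk,None,51,N/A,OPTIPLEX
Error,08/01/2007,10:12:47 AM,Disk,None,51,N/A,OPTIPLEX
Error,08/01/2007,10:13:02 AM,atapi,None,9,N/A,OPTIPLEX
Information,08/01/2007,10:30:19 AM,eventlog,None,6009,N/A,OPTIPLEX
Error,08/01/2007,10:30:19 AM,EventLog,None,6008,N/A,OPTIPLEX
Information,08/01/2007,10:30:20 AM,eventlog,None,6005,N/A,OPTIPLEX
Information,08/01/2007,03:55:12 PM,Service Control Manager,None,7036,N/A,OPTIPLEX
"""

FIELDS = ["type", "date", "time", "source", "category", "event", "user", "computer"]
BOOT_MARKERS = {6005, 6009}  # Event Log service started / kernel boot record
UNEXPECTED_SHUTDOWN = 6008   # "The previous system shutdown ... was unexpected."
BOOT_TIME_EVENTS = BOOT_MARKERS | {UNEXPECTED_SHUTDOWN}


def parse_export(text):
    """Parse the CSV export into dicts sorted by timestamp."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < len(FIELDS):
            continue                      # blank or truncated line
        row = dict(zip(FIELDS, rec))
        row["event"] = int(row["event"])
        row["when"] = datetime.strptime(f"{row['date']} {row['time']}",
                                        "%m/%d/%Y %I:%M:%S %p")
        rows.append(row)
    rows.sort(key=lambda r: r["when"])    # stable: same-second order is kept
    return rows


def events_before_crashes(rows, window=5):
    """For every 6008 record, return the last `window` events written before
    the boot in which it was logged, i.e. what the machine was doing before
    it hung and had to be powered off."""
    findings = []
    boot_start = 0
    for i, row in enumerate(rows):
        starts_boot = (row["event"] in BOOT_MARKERS and
                       (i == 0 or rows[i - 1]["event"] not in BOOT_TIME_EVENTS))
        if starts_boot:
            boot_start = i
        if row["event"] == UNEXPECTED_SHUTDOWN:
            prior = rows[max(0, boot_start - window):boot_start]
            findings.append({"reported_at": row["when"], "prior": prior})
    return findings


def recurring_errors(rows):
    """Count Error records by (source, event id); repeats point at a driver
    or device worth looking at before blaming malware."""
    return Counter((r["source"], r["event"]) for r in rows if r["type"] == "Error")


def report(text, window=5):
    """Human-readable summary of the two checks above."""
    rows = parse_export(text)
    lines = []
    for f in events_before_crashes(rows, window):
        lines.append(f"unexpected shutdown reported at {f['reported_at']}; preceding events:")
        for r in f["prior"]:
            lines.append(f"  {r['when']}  {r['type']:<12}{r['source']:<24}{r['event']}")
    for (src, ev), n in recurring_errors(rows).most_common():
        if n > 1:
            lines.append(f"error {ev} from {src} repeated {n} times")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV, window=3))
```

On the constructed sample the report shows the two Disk 51 records and the atapi timeout immediately before the hang, which is the kind of lead (a controller or cable problem rather than software) that a memory test and a malware scan both miss. Run it on the real export; a 6008 with nothing interesting before it is itself informative, since a hard hang that leaves no trace usually points at hardware or a kernel-mode driver.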
 
LVL 3

Expert Comment

by:Circleblue
ID: 19611910
other ways to get to task manager:  click start click run type taskmgr and hit enter.  

Or... when booting up and soon as you log on, hit CTRL SHIFT ESC immediately before too many processes start.  

Good luck,

Brian
 

Author Comment

by:wgrogers
ID: 19612383
Just for grins, I went to msconfig and disabled all the start up items and ran just select MS services.  Had it on for about an hour or so before I thought I would try to add some back to see if that made a difference.  When I opened the msconfig dialog, it locked up.
 
LVL 39

Expert Comment

by:ChiefIT
ID: 19630533
Do your event viewer files give you any insight?

Could be a bad RAM stick.
 
LVL 39

Expert Comment

by:ChiefIT
ID: 19630534
Oops, forgot to mention, it could be heat too. Are your cooling fans working?
 
LVL 3

Expert Comment

by:Circleblue
ID: 19630853
Hmm..  locked up after disabling some items.  Have you tried it again, it could be a random thing.  However, as Chief suggested, if you are getting random events like that, might be a bad memory chip. The event viewer under system should show if there are any memory errors. (or any other hardware related problems for that matter)
 

Author Comment

by:wgrogers
ID: 19631956
Here is the last update.  I contacted Dell CS and they sent me a CD that has an extended test for all the hardware.  I ran that with no errors.  It also had a list of "symptoms" you could test for.  Included on the list was "Locking Up".  I ran that test - about 3 hrs worth -  and it all passed.

Since I ran the tests off the CD it hasn't locked up again.  No idea why or if it's just coincidence.  I have not modified anything else on the computer.

As for cooling, the mini-tower is on top of the desk and the room is air conditioned and I blow/vac the system regularly.

I started looking around and I found some files in the Windows directory that don't look right but when I scan them they come up as not being infected.  They don't appear when I run HJT either.  They include names like lssas1.exe, mservice1.exe, msqdevl1.exe, svshost1.exe, stisvsq1.exe and there may be others.

Also, I am still having the "refreshing" issue, where applications change focus.  Can't seem to figure out where to pinpoint that or find anyone who knows what it is.

Thanks for everyone's input.

Greg
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19632489
Three of those files you mentioned belong to an SDBot variant; the infection usually shows up in the HijackThis log.


Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back


If problem persists also run this, or just run this as well anyway so we can check the log.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
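rpggamergirl's identification rests on the names Greg listed: lssas1.exe, svshost1.exe and the rest are a letter or two away from lsass.exe and svchost.exe, carry a trailing digit, and sit in C:\WINDOWS rather than system32. That pattern can be checked mechanically. The script below is an added example, not part of the thread and not part of SDFix: it compares each file name (trailing digits dropped, .dll treated like .exe) against a short table of core XP process names and their home directories by edit distance, and flags near-misses as well as real names in the wrong directory. The table, the distance threshold of 2 and the benign sample paths are my assumptions; the remaining sample paths are the ones SDFix reports further down in the thread.

```python
"""Flag files whose names imitate core Windows processes.

Added example; not from the original thread or from SDFix. The table of
legitimate process names and the directory each lives in is an assumption for
a default XP install; the sample paths are the ones SDFix reported in this
thread plus a few benign and wrong-directory cases constructed for contrast.
"""
import ntpath
import re

# Legitimate name -> directory it belongs in (lower case, no trailing slash).
LEGIT = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

SAMPLE_PATHS = [
    # reported by SDFix in the thread
    r"C:\WINDOWS\csrss1.dll", r"C:\WINDOWS\lssas1.exe", r"C:\WINDOWS\mservice1.exe",
    r"C:\WINDOWS\msqdevl1.exe", r"C:\WINDOWS\smssa1.dll", r"C:\WINDOWS\stisvsq1.exe",
    r"C:\WINDOWS\svshost1.exe", r"C:\WINDOWS\taskmgr1.dll", r"C:\WINDOWS\uvchost1.dll",
    r"C:\WINDOWS\winlogon1.dll",
    # constructed benign and wrong-directory cases
    r"C:\WINDOWS\system32\lsass.exe", r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\notepad.exe", r"C:\WINDOWS\svchost.exe",
]


def edit_distance(a, b):
    """Plain Levenshtein distance (a transposition such as lssas/lsass costs 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path, max_distance=2):
    """Return a reason if `path` is a system-process name in the wrong place or
    a near-miss of one (trailing digits dropped, .dll treated like .exe);
    otherwise None."""
    directory, name = ntpath.split(path.lower())
    stem, ext = ntpath.splitext(name)
    if ext not in (".exe", ".dll"):
        return None
    if name in LEGIT:
        home = LEGIT[name]
        return None if directory == home else f"{name} outside {home}"
    base = re.sub(r"\d+$", "", stem) + ".exe"
    # Closest legitimate name wins; ties fall to table order.
    legit, dist = min(((n, edit_distance(base, n)) for n in LEGIT), key=lambda t: t[1])
    if dist <= max_distance:
        return f"imitates {legit} (distance {dist})"
    return None


def scan(paths):
    """Return (path, reason) for every path worth a second look."""
    hits = []
    for p in paths:
        reason = classify(p)
        if reason:
            hits.append((p, reason))
    return hits


if __name__ == "__main__":
    for path, reason in scan(SAMPLE_PATHS):
        print(f"{path:<40} {reason}")
```

Eight of the ten SDFix names are caught this way, plus the constructed svchost.exe in the wrong directory; msqdevl1.exe and stisvsq1.exe are not, because they imitate nothing and would need the service-table or hash checks SDFix does. The score is a triage hint, not a verdict: a legitimate lsasrv.dll in system32 would also score 2, so point the scan at the top level of C:\WINDOWS and the temp folders rather than at system32, and confirm hits by hash or signature before deleting anything.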
 
LVL 39

Accepted Solution

by:ChiefIT
ChiefIT earned 750 total points
ID: 19633571
Your "refresh" problem and lockup problem may be one and the same.

1) I once had a computer that didn't seem to realize one of my users was working on it. It had similar symptoms to your computer. Since the computer didn't recognize this, it would try to go into sleep mode, screen saver, or hibernate. I figured it out by disabling all of these modes. Also, some downloaded screen savers don't work well with XP.

When your cursor disappears and the title bar turns a different shade, it sounds like the unit is trying to go to sleep or into a screensaver. Also you stated this happened about every ten to fifteen minutes. Sounds like a 15 minute screen saver.

Temporarily disable screen savers, and any type of auto shutdown and hibernate modes. You seem pretty computer savvy, so I don't think you need direction on how to.

2) If this doesn't work, try booting into safe mode and see how long it operates. It could be the video driver.

3) I helped another one of my clients out with a similar problem. It was two antivirus programs running at the same time (McAfee and Norton to be precise). Multiple AV or AS programs could stall the computer. Check your AV / AS programs and see how often they are scheduled to scan the computer. One of these could be trying to scan your computer and the program is constipated. So, it freezes your machine.
 

Author Comment

by:wgrogers
ID: 19649749
Ran SDFix as instructed.  It ran in safe mode and then prompted a restart.  After restart it came up again in safe mode and did nothing for about five minutes so I rebooted it in normal mode.  I used msconfig to boot into and out of safe mode.  

When booting back into normal mode, I got the "finishing registry repairs" dos prompt.  It finished the repairs and generated the report.txt file.  A copy of that is found below.

Question sidebar, why is it that in safe mode, the pc screen resolution drops to 8bit and when I safe mode my laptop, also a dell with same OS, version, etc and both connected to identical monitors, the laptop resolution doesn't change at all?  What is screen resolution in safe mode a function of?

Also, I had a network tech in here a while back who created a "new user" profile on my desktop.  I switched users and got into that profile and found that screen saver was set to 10min.  I disabled the screen saver on the new user account, but prior to running sdfix, it didn't seem to impact the changing focus.  Can I just delete the new user account?

Results of the Reports.txt file from SDFix:


SDFix: Version 1.96
Run by Administrator on 08/07/2007 at 01:34 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MyDNSAPI.dll  - Deleted
C:\WINDOWS\csrss1.dll  - Deleted
C:\WINDOWS\lssas1.exe  - Deleted
C:\WINDOWS\mservice1.exe  - Deleted
C:\WINDOWS\msqdevl1.exe  - Deleted
C:\WINDOWS\smssa1.dll  - Deleted
C:\WINDOWS\stisvsq1.exe  - Deleted
C:\WINDOWS\svshost1.exe  - Deleted
C:\WINDOWS\taskmgr1.dll  - Deleted
C:\WINDOWS\uvchost1.dll  - Deleted
C:\WINDOWS\winlogon1.dll  - Deleted

Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
                                 Final Check:

Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"="C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe:*:Enabled:CuteFTP"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\TMPdgusplhblz.htm
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\images\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\old index\images\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\old index\order\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\order\Thumbs.db
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[hotmail email hidden intentionally]\Sharing Folders\[hotmail email hidden intentionally]\Thumbs.db
C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP\5.0\cuteftp.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP50\A0012410.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP52\A0014612.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP52\A0014660.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP57\A0015298.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP59\A0015471.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP60\A0015589.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP60\A0015652.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP65\A0017206.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP67\A0017395.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP71\A0018878.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP73\A0019223.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP73\A0019240.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP74\A0019307.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP78\A0019966.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP78\A0020077.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP79\A0021113.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP81\A0021190.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP81\A0022226.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP82\A0025322.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP82\A0026322.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP83\A0026371.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP84\A0026456.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP85\A0026500.sys
C:\WINDOWS\system32\6F0ABD5481.sys
C:\WINDOWS\system32\8154BD0A6F.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

                                 Finished
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 300 total points
ID: 19650167
C:\WINDOWS\system32\6F0ABD5481.sys
C:\WINDOWS\system32\8154BD0A6F.sys
The above files look very suspicious; I suggest renaming them or submitting them at jotti.org for a check: http://virusscan.jotti.org/
Other nasties are found in System Restore points, which can be taken care of later on by flushing those restore points.


Please rename those files or download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Select "All Files"
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\6F0ABD5481.sys
C:\WINDOWS\system32\8154BD0A6F.sys

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.


SDFix found a few trojans there.
Can you run SDFix again, to make sure it didn't miss anything,
or run ComboFix instead.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log in your next reply please, if you have hijackthis a log would be helpful too.
 

Author Comment

by:wgrogers
ID: 19650215
C:\WINDOWS\system32\6F0ABD5481.sys
C:\WINDOWS\system32\8154BD0A6F.sys
scanned both on jotti, results said "found nothing" on all apps.

Last time I tried combofix it messed up my computer terrible.  Rather not do that again.  I can run SDFix again, but question:  You said, "SDFix found a few trojans there".  Found them where?
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19650367
>> Found them where?<<
the below report.

Checking Files:
Trojan Files Found:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MyDNSAPI.dll  - Deleted
C:\WINDOWS\csrss1.dll  - Deleted
C:\WINDOWS\lssas1.exe  - Deleted
C:\WINDOWS\mservice1.exe  - Deleted
C:\WINDOWS\msqdevl1.exe  - Deleted
C:\WINDOWS\smssa1.dll  - Deleted
C:\WINDOWS\stisvsq1.exe  - Deleted
C:\WINDOWS\svshost1.exe  - Deleted
C:\WINDOWS\taskmgr1.dll  - Deleted
C:\WINDOWS\uvchost1.dll  - Deleted
C:\WINDOWS\winlogon1.dll  - Deleted



>>Last time I tried combofix it messed up my computer terrible. <<
When was that? Yes, there was a time when ComboFix was pulled from the public because it malfunctioned due to the presence of a particular rootkit, but that was then.
Also, when it malfunctions, the time might not be set back to the right time.
You don't have to use it again; just use other scanners like DrWebCureIt and/or download the Kaspersky free trial (it removes what it finds, but the online scan will not remove what it finds).
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19650389
>>>C:\WINDOWS\system32\6F0ABD5481.sys
C:\WINDOWS\system32\8154BD0A6F.sys
scanned both on jotti, results said "found nothing" on all apps.<<<

I'm not very trusting of suspicious files; if I were you I would rename them to disable them. Sometimes a nasty file can even report as 0 bytes when the user tries to check it for viruses.
Renaming will disable them, and if a program they belong to stops functioning then you can always rename them back later.
 

Author Comment

by:wgrogers
ID: 19651663
Renamed the two files to .syys.  Rerunning SDFix and results posted below.

You said:  "other nasties are found on System Restore points which can be taken care of later on by flushing those restore points."  How?  Disable and re-enable SR?

Installed and ran Kaspersky AV 7.  It detected ten items and quarantined them or deleted them.

SDFix: Version 1.96
Run by Administrator on 08/07/2007 at 04:46 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:
No Trojan Files Found

Removing Temp Files...
ADS Check:

C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
                                 Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"="C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe:*:Enabled:CuteFTP"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Files with Hidden Attributes:

C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\TMPdgusplhblz.htm
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\images\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\old index\images\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\old index\order\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\order\Thumbs.db
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[hotmail email hidden intentionally]\Sharing Folders\[hotmail email hidden intentionally]\Thumbs.db
C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP\5.0\cuteftp.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP50\A0012410.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP52\A0014612.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP52\A0014660.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP57\A0015298.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP59\A0015471.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP60\A0015589.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP60\A0015652.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP65\A0017206.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP67\A0017395.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP71\A0018878.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP73\A0019223.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP73\A0019240.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP74\A0019307.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP78\A0019966.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP78\A0020077.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP79\A0021113.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP81\A0021190.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP81\A0022226.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP82\A0025322.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP82\A0026322.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP83\A0026371.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP84\A0026456.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP85\A0026500.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP89\A0026849.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP89\A0026850.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

                                 Finished


 

Author Comment

by:wgrogers
ID: 19652143
Well, this is interesting.  I ran the Kaspersky as I said and noticed that after the scans were done and "viruses" found, I tried to reboot.  I could not.  I went to start, shut down, restart and it displayed the sand clock but never anything else.  Had to power off.  

Then when I restarted, I disabled my NAV and was able to reboot normally but when I did, I opened my homepage on IE and when I tried to click on a link to open a new window, both windows closed.  I tried to type in a url in the address bar of my home page after I opened it again and click Go, but again it closed the browser window.  That makes it really hard to work!

Any suggestions at this point as to why I can't open anything but my homepage?  (My homepage is a local page I created, btw).

Thanks
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19652186
>>System Restore points which can be taken care of later on by flushing those restore points."  How?  Disable and re-enable SR?<<
Yeah, disable System Restore, reboot, re-enable System Restore and immediately create a new restore point.

I always turn System Restore off after cleaning the system; viruses in System Restore are harmless right now until you use one of those infected restore points.

>>Any suggestions at this point as to why I can't open anything buy my homepage?  (My homepage is a local page I created, btw).<<
Do you have the same problem if using another homepage?

Do you have Hijackthis.exe? can you please scan with it and let us look at the log?
 

Author Comment

by:wgrogers
ID: 19654806
My homepage has been the same for years.  I cannot open more than one browser window or, more specifically, go anywhere there is an http in the URL as opposed to C:

This problem with the browser is NOT a hijack.  It's something that happened after I ran that Kaspersky and it's screwed up some kind of settings.
 

Author Comment

by:wgrogers
ID: 19654858
I just tried to open a system restore point too, and it starts to show the window and disappears.  This sucks.  I can't even open a window now.
 

Author Comment

by:wgrogers
ID: 19657295
I just ran sfc /scannow to see if there were missing files.  It ran and I rebooted, but same problem exists.  I can open IE locally but when I click a link to go to any other webpage, www.google.com for example, both windows close w/ NO error message.

I think I've totally disabled Kaspersky, but don't want to uninstall it if there are files there that it's changed or deleted that I need.  I'm not savvy enough to figure out what else to do or where else to look.  Like I said above, I tried to open system restore but when I do, you briefly see part of the title bar and then it disappears, so I can't do that either.

Here is HJT followed by the kaspersky report:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:21:14 PM, on 08/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Administrator/Desktop/[my local startpage]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [\\ROGERS\EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P33 "\\ROGERS\EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139736399187
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} (WebDvr3 Class) - http://192.168.2.3/WebDvr3.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

--
End of file - 7277 bytes

Kaspersky:
Protection : running
--------------------
Total scanned:      308962
Detected:      10
Untreated:      0
Start time:      08/07/2007 05:22:42 PM
Duration:      04:49:14


Detected
--------
Status      Object
------      ------
deleted: Trojan program Rootkit.Win32.Agent.fi      File: C:\Program Files\HTMLValidatorLite80\winhjbfnq32.dll//#
deleted: Trojan program Trojan.Win32.Obfuscated.ga      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2792251D.exe//CryptFF
deleted: Trojan program Trojan-Downloader.Win32.Agent.bkl      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45725091.exe//CryptFF//UPX
deleted: Trojan program Trojan-Downloader.JS.Agent.kd      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\59201C13.htm//CryptFF
deleted: virus Email-Worm.Win32.NetSky.t      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6AA40490.tmp//CryptFF
deleted: Trojan program Trojan-Downloader.Win32.Agent.bkl      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C16180C.exe//CryptFF//UPX
deleted: Trojan program Rootkit.Win32.Agent.fi      File: C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP90\A0026924.dll//#
deleted: Trojan program Trojan.Win32.Obfuscated.ga      File: C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP90\A0026925.exe//CryptFF
deleted: Trojan program Trojan-Downloader.Win32.Agent.bkl      File: C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP90\A0026926.exe//CryptFF//UPX
deleted: Trojan program Trojan-Downloader.Win32.Agent.bkl      File: C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP90\A0026927.exe//CryptFF//UPX

Reports
-------
Component      Status      Start      Finish      Size
---------      ------      -----      ------      ----
Proactive Defense      running      08/07/2007 05:22:40 PM            0 bytes
File Anti-Virus      running      08/07/2007 05:22:41 PM            697.4 KB
Mail Anti-Virus      running      08/07/2007 05:22:42 PM            0 bytes
Web Anti-Virus      running      08/07/2007 05:22:42 PM            5.6 KB
Scan      completed      08/07/2007 05:34:14 PM      08/07/2007 08:54:03 PM      38.9 MB
Rootkit scan      completed      08/07/2007 08:55:50 PM      08/07/2007 09:43:10 PM      21.5 MB


Quarantine
----------
Status      Object      Size      Added
------      ------      ----      -----


Backup
------
Status      Object      Size
------      ------      ----
Infected: Trojan program Rootkit.Win32.Agent.fi      c:\system volume information\_restore{87232c71-f39c-498c-8a38-3f47a4b78fba}\rp90\a0026924.dll      88 KB
Infected: Trojan program Trojan-Downloader.Win32.Agent.bkl      c:\program files\norton systemworks\norton antivirus\quarantine\45725091.exe      16.6 KB
Infected: virus Email-Worm.Win32.NetSky.t      c:\program files\norton systemworks\norton antivirus\quarantine\6aa40490.tmp      20.5 KB
Infected: Trojan program Trojan.Win32.Obfuscated.ga      c:\system volume information\_restore{87232c71-f39c-498c-8a38-3f47a4b78fba}\rp90\a0026925.exe      5.8 KB
Infected: Trojan program Trojan-Downloader.JS.Agent.kd      c:\program files\norton systemworks\norton antivirus\quarantine\59201c13.htm      29.9 KB
Infected: Trojan program Trojan-Downloader.Win32.Agent.bkl      c:\program files\norton systemworks\norton antivirus\quarantine\6c16180c.exe      16 KB
Infected: Trojan program Rootkit.Win32.Agent.fi      c:\program files\htmlvalidatorlite80\winhjbfnq32.dll      88 KB
Infected: Trojan program Trojan-Downloader.Win32.Agent.bkl      c:\system volume information\_restore{87232c71-f39c-498c-8a38-3f47a4b78fba}\rp90\a0026926.exe      16.6 KB
Infected: Trojan program Trojan-Downloader.Win32.Agent.bkl      c:\system volume information\_restore{87232c71-f39c-498c-8a38-3f47a4b78fba}\rp90\a0026927.exe      16 KB
Infected: Trojan program Trojan.Win32.Obfuscated.ga      c:\program files\norton systemworks\norton antivirus\quarantine\2792251d.exe      5.8 KB
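To see what the Kaspersky report above actually removed, here is a small added triage script (not from the thread, and not Kaspersky's own tooling) that parses rows in the shape of its Detected table and classifies each on-disk path as a System Restore snapshot copy, another product's quarantine copy, or a live location that deserves a closer look. The row regex and the location rules are assumptions based on the report's layout; the three sample rows are copied from the report.

```python
import re
from collections import Counter

# Three rows copied from the Kaspersky "Detected" table above; same layout as the report.
SAMPLE_REPORT = r"""
deleted: Trojan program Rootkit.Win32.Agent.fi      File: C:\Program Files\HTMLValidatorLite80\winhjbfnq32.dll//#
deleted: Trojan program Trojan-Downloader.Win32.Agent.bkl      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45725091.exe//CryptFF//UPX
deleted: Trojan program Rootkit.Win32.Agent.fi      File: C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP90\A0026924.dll//#
"""

# Assumed row layout: "<status>: <verdict>   File: <object>" (columns separated by runs of spaces).
DETECTED_ROW = re.compile(r"^(?P<status>\w+):\s+(?P<verdict>.+?)\s{2,}File:\s+(?P<obj>.+)$")


def parse_detected(text):
    """Return (status, verdict, on_disk_path, layers) for each Detected row."""
    rows = []
    for line in text.splitlines():
        m = DETECTED_ROW.match(line.strip())
        if not m:
            continue
        # "C:\...\x.exe//CryptFF//UPX": the first piece is the file on disk, the rest are
        # packer/container layers the scanner unwrapped inside it.
        path, *layers = m["obj"].split("//")
        rows.append((m["status"], m["verdict"], path, [layer for layer in layers if layer]))
    return rows


def classify_location(path):
    """Where the hit lives decides whether it was ever in a position to run."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"        # System Restore snapshot, never executed from here
    if "\\quarantine\\" in p:
        return "other AV quarantine"       # already neutralized by another product
    return "live location"                 # the only class that needs follow-up


def triage(text):
    """Map each on-disk path in the report to its location class."""
    return {path: classify_location(path) for _, _, path, _ in parse_detected(text)}


def summary(text):
    """Count hits per location class, e.g. Counter({'live location': 1, ...})."""
    return Counter(triage(text).values())
```

Run against the full report, the only "live location" hit is the DLL under HTMLValidatorLite80; every other row is a restore-point or Norton-quarantine copy of the same files.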

Author Comment

by:wgrogers
ID: 19663477
No one?

Author Comment

by:wgrogers
ID: 19664132
Okay, then I uninstalled Krapspersky and it solved the problem.  I can use my IE again.  Now I will have to see if I have a lock up and if not, then issue solved.
LVL 39

Expert Comment

by:ChiefIT
ID: 19667048
How many antivirus programs are you running?

How many antispyware programs are you running?

Multiple AV or AS programs can conflict with one another.
LVL 47

Expert Comment

by:rpggamergirl
ID: 19667092
Sorry, wasn't able to get back sooner.

Yes, one resident antivirus with real-time protection is all that's needed; two will conflict with each other and can corrupt the system.

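ChiefIT's question and rpggamergirl's answer can both be checked mechanically from the O23 section of the HijackThis log posted above. The following is an added example script, not from the thread and not part of HijackThis, that parses rows in that shape, groups services by vendor, and reports which vendors run something that looks like a real-time scanner; the row regex and the AV_ENGINE_HINTS keywords are assumptions made for this example, and the sample rows are copied from the log.

```python
import re
from collections import defaultdict

# O23 rows copied from the HijackThis log above (one service per line).
SAMPLE_HJT = r"""
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe
"""

# Assumed O23 layout: "O23 - Service: <name> - <vendor> - <drive:\path>".
O23_ROW = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+)$")

# Heuristic for this example: service names that mark a real-time AV engine rather than
# a firewall, updater or helper service.
AV_ENGINE_HINTS = ("anti-virus", "antivirus", "auto-protect")


def parse_services(log):
    """Return (name, vendor, path) for every O23 row; other HJT sections are ignored."""
    found = []
    for line in log.splitlines():
        m = O23_ROW.match(line.strip())
        if m:
            found.append((m["name"], m["vendor"], m["path"]))
    return found


def services_by_vendor(log):
    """Group service names by vendor: a quick view of how many security suites are installed."""
    grouped = defaultdict(list)
    for name, vendor, _ in parse_services(log):
        grouped[vendor].append(name)
    return dict(grouped)


def resident_av_vendors(log):
    """Vendors with a service that looks like a real-time scanner; more than one is the conflict case."""
    return sorted({vendor for name, vendor, _ in parse_services(log)
                   if any(hint in name.lower() for hint in AV_ENGINE_HINTS)})
```

On this log the result is four security vendors with services installed and two of them (Kaspersky Lab and Symantec Corporation) running real-time scanners side by side, which is the situation the two replies above warn about.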

Author Comment

by:wgrogers
ID: 19674755
Everything seems to be working now.

thanks for the input.
LVL 16

Expert Comment

by:Kevin Hays
ID: 19676028
Glad you got it resolved.

Kevin