wgrogers

Computer Locks Up for no apparent reason.

I have a Dell PC, Optiplex, P 2.8GHz, 2.0GB Ram, XP Pro SP2.  In the last week or so, the computer has started to lock up for no apparent reason.  I am not getting any kind of error message and I ran a test of the memory which showed no errors.

The only other "symptom" which happens frequently and I've never been able to get a diagnosis on is that for about 3 or 4 months, I noticed that whatever I happen to be working on, whatever application is "in focus", (this could be anything from OE or IE to notepad), the application will appear to "refresh".  This happens about every 10 to 15 minutes.  By "refresh", I mean you can see the dark blue of the title bar change to light blue, the cursor temporarily disappears and then it all comes back.  

I have no idea why this started happening or how to fix it or if it is related to the lock ups I'm getting now.  When the computer does lock up, I have no option but to power off and restart.  The lock ups were happening about once every couple days and today it happened twice in the span of about 6 hours.

Your help is greatly appreciated.

-Greg
Circleblue

Identify the process in Task Manager by hitting CTRL-SHIFT-ESC.  Click on the Processes tab and then click on CPU twice to bring the highest processes to the top.

Cheers,

Brian

ASKER

Okay, here's a bit more info.  I do update windows manually and often.  I do run AV software in both normal and safe modes and they include:  NAV, AVG, Adware Away, Adaware, Spybot, HJT, and the others I can't see right now because the computer just locked up again.  (I am on my laptop now).  

Using ctrl + shift + esc to see processes, or ctrl + alt + delete doesn't work because the computer is locked up.  You can do nothing with it.  So how does one identify cpu usage if the machine is in that state?  

Thanks

Greg
You would need to have task manager up at all times.  Doesn't really bother you if you have dual monitors so you can just slide task manager to the other monitor, but if only 1 monitor then the task manager can be annoying.

Have you checked anything in the event logs to see if something got logged right before the lockup?
You're not running NAV and AVG at the same time are you?  If so, disable NAV and see how your system runs then.  Running both NAV and AVG (or more than one AV product) at the same time can cause serious resource and locking issues.

Check the Event logs.  

Check out Process Monitor.  You can get a lot of information on your running programs.  Under File, open Backing Files.  You can specify a file name and location to save the file.  When the pc locks up and you reboot, you can then open the saved file and view the events prior to and at the time of the pc locking up.
Other ways to get to Task Manager:  click Start, click Run, type taskmgr and hit Enter.

Or... when booting up and soon as you log on, hit CTRL SHIFT ESC immediately before too many processes start.  

Good luck,

Brian
Just for grins, I went to msconfig and disabled all the start up items and ran just select MS services.  Had it on for about an hour or so before I thought I would try to add some back to see if that made a difference.  When I opened the msconfig dialog, it locked up.
Do your event viewer files give you any insight?

Could be a bad RAM stick.
Oops, forgot to mention, it could be heat too. Are your cooling fans working?
Hmm..  locked up after disabling some items.  Have you tried it again, it could be a random thing.  However, as Chief suggested, if you are getting random events like that, might be a bad memory chip. The event viewer under system should show if there are any memory errors. (or any other hardware related problems for that matter)
Here is the last update.  I contacted Dell CS and they sent me a CD that has an extended test for all the hardware.  I ran that with no errors.  It also had a list of "symptoms" you could test for.  Included on the list was "Locking Up".  I ran that test - about 3 hrs worth -  and it all passed.

Since I ran the tests off the CD it hasn't locked up again.  No idea why or if it's just coincidence.  I have not modified anything else on the computer.

As for cooling, the mini-tower is on top of the desk and the room is air conditioned and I blo/vac the system regularly.

I started looking around and I found some files in the Windows directory that don't look right but when I scan them they come up as not being infected.  They don't appear when I run HJT either.  They include names like lssas1.exe, mservice1.exe, msqdevl1.exe, svshost1.exe, stisvsq1.exe and there may be others.

Also, I am still having the "refreshing" issue, where applications change focus.  Can't seem to figure out where to pinpoint that or find anyone who knows what it is.

Thanks for everyone's input.

Greg
Three of those files you mentioned belong to an SDBot variant; the infection usually shows up in the Hijackthis log.


Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back


If problem persists also run this, or just run this as well anyway so we can check the log.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Ran SDFix as instructed.  It ran in safe mode and then prompted a restart.  After restart it came up again in safe mode and did nothing for about five minutes so I rebooted it in normal mode.  I used msconfig to boot into and out of safe mode.  

When booting back into normal mode, I got the "finishing registry repairs" dos prompt.  It finished the repairs and generated the report.txt file.  A copy of that is found below.

Question sidebar, why is it that in safe mode, the pc screen resolution drops to 8bit and when I safe mode my laptop, also a dell with same OS, version, etc and both connected to identical monitors, the laptop resolution doesn't change at all?  What is screen resolution in safe mode a function of?

Also, I had a network tech in here a while back who created a "new user" profile on my desktop.  I switched users and got into that profile and found that screen saver was set to 10min.  I disabled the screen saver on the new user account, but prior to running sdfix, it didn't seem to impact the changing focus.  Can I just delete the new user account?

Results of the Reports.txt file from SDFix:


SDFix: Version 1.96
Run by Administrator on 08/07/2007 at 01:34 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MyDNSAPI.dll  - Deleted
C:\WINDOWS\csrss1.dll  - Deleted
C:\WINDOWS\lssas1.exe  - Deleted
C:\WINDOWS\mservice1.exe  - Deleted
C:\WINDOWS\msqdevl1.exe  - Deleted
C:\WINDOWS\smssa1.dll  - Deleted
C:\WINDOWS\stisvsq1.exe  - Deleted
C:\WINDOWS\svshost1.exe  - Deleted
C:\WINDOWS\taskmgr1.dll  - Deleted
C:\WINDOWS\uvchost1.dll  - Deleted
C:\WINDOWS\winlogon1.dll  - Deleted

Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
                                 Final Check:

Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"="C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe:*:Enabled:CuteFTP"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\TMPdgusplhblz.htm
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\images\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\old index\images\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\old index\order\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\order\Thumbs.db
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[hotmail email hidden intentionally]\Sharing Folders\[[hotmail email hidden intentionally]\Thumbs.db
C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP\5.0\cuteftp.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP50\A0012410.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP52\A0014612.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP52\A0014660.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP57\A0015298.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP59\A0015471.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP60\A0015589.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP60\A0015652.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP65\A0017206.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP67\A0017395.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP71\A0018878.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP73\A0019223.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP73\A0019240.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP74\A0019307.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP78\A0019966.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP78\A0020077.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP79\A0021113.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP81\A0021190.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP81\A0022226.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP82\A0025322.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP82\A0026322.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP83\A0026371.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP84\A0026456.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP85\A0026500.sys
C:\WINDOWS\system32\6F0ABD5481.sys
C:\WINDOWS\system32\8154BD0A6F.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

                                 Finished
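The deleted files in the report above share a pattern: most are near-misses of genuine Windows process names sitting in the wrong directory, which is why they "don't look right" even when scanners report them clean. The following is an added example, not code from any thread participant or from SDFix, that parses the report's "Deleted" lines and flags such lookalikes; the `KNOWN_SYSTEM_FILES` baseline and the distance limits are assumptions chosen for this illustration.

```python
import ntpath
import re

# Assumed baseline for this example: genuine Windows XP binaries and the
# directory each one normally lives in. Extend it for your own build.
KNOWN_SYSTEM_FILES = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Excerpt of the SDFix Report.txt posted in this thread.
SDFIX_REPORT = r"""
Trojan Files Found:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MyDNSAPI.dll  - Deleted
C:\WINDOWS\csrss1.dll  - Deleted
C:\WINDOWS\lssas1.exe  - Deleted
C:\WINDOWS\mservice1.exe  - Deleted
C:\WINDOWS\msqdevl1.exe  - Deleted
C:\WINDOWS\smssa1.dll  - Deleted
C:\WINDOWS\stisvsq1.exe  - Deleted
C:\WINDOWS\svshost1.exe  - Deleted
C:\WINDOWS\taskmgr1.dll  - Deleted
C:\WINDOWS\uvchost1.dll  - Deleted
C:\WINDOWS\winlogon1.dll  - Deleted
"""

DELETED_LINE = re.compile(r"^([A-Za-z]:\\.+?)\s+-\s+Deleted\s*$", re.MULTILINE)


def parse_sdfix_deleted(report):
    """Return the paths SDFix listed as '<path>  - Deleted'."""
    return DELETED_LINE.findall(report)


def osa_distance(a, b):
    """Edit distance in which swapping two adjacent characters costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(path):
    """Return (verdict, closest genuine name, distance) for one file path."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if name in KNOWN_SYSTEM_FILES:
        expected = KNOWN_SYSTEM_FILES[name]
        return ("ok" if folder == expected else "wrong-location"), name, 0
    # Compare stems only, ignoring a trailing digit run and the extension,
    # so csrss1.dll is still measured against csrss.exe.
    stem = ntpath.splitext(name)[0].rstrip("0123456789")
    best_name, best_dist = None, None
    for known in KNOWN_SYSTEM_FILES:
        known_stem = ntpath.splitext(known)[0]
        limit = 1 if len(known_stem) <= 5 else 2  # stricter for short names
        dist = osa_distance(stem, known_stem)
        if dist <= limit and (best_dist is None or dist < best_dist):
            best_name, best_dist = known, dist
    if best_name is not None:
        return "lookalike", best_name, best_dist
    return "no-name-match", None, None


if __name__ == "__main__":
    for p in parse_sdfix_deleted(SDFIX_REPORT):
        print(p, classify(p))
```

Names that come back as `no-name-match` are not cleared by this check; it only measures resemblance to the baseline list, so a file imitating a binary outside that list passes unnoticed.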
C:\WINDOWS\system32\6F0ABD5481.sys
C:\WINDOWS\system32\8154BD0A6F.sys
scanned both on jotti, results said "found nothing" on all apps.

Last time I tried combofix it messed up my computer terrible.  Rather not do that again.  I can run SDFix again, but question:  You said, "SDFix found a few trojans there".  Found them where?
>> Found them where?<<
the below report.

Checking Files:
Trojan Files Found:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MyDNSAPI.dll  - Deleted
C:\WINDOWS\csrss1.dll  - Deleted
C:\WINDOWS\lssas1.exe  - Deleted
C:\WINDOWS\mservice1.exe  - Deleted
C:\WINDOWS\msqdevl1.exe  - Deleted
C:\WINDOWS\smssa1.dll  - Deleted
C:\WINDOWS\stisvsq1.exe  - Deleted
C:\WINDOWS\svshost1.exe  - Deleted
C:\WINDOWS\taskmgr1.dll  - Deleted
C:\WINDOWS\uvchost1.dll  - Deleted
C:\WINDOWS\winlogon1.dll  - Deleted



>>Last time I tried combofix it messed up my computer terrible. <<
When was that? Yes, there was a time when ComboFix was pulled from the public when it malfunctioned due to the presence of a particular rootkit, but that was then.
When it malfunctioned, the time also might not be set back to the right time.
You don't have to use it again, just use other scanners like DrWebCureIt, and/or download the Kaspersky free trial (it removes what it finds, but the online scan will not remove what it finds).
>>>C:\WINDOWS\system32\6F0ABD5481.sys
C:\WINDOWS\system32\8154BD0A6F.sys
scanned both on jotti, results said "found nothing" on all apps.<<<

I'm not very trusting of suspicious files; if I were you I would rename it to disable it. Sometimes a nasty file can even report as 0 bytes when a user tries to check it for viruses.
Renaming will disable it, and if a program it belongs to stops functioning then you can always rename it back later.
Renamed the two files to .syys.  Rerunning SDFix and results posted below.

You said:  "other nasties are found on System Restore points which can be taken care of later on by flushing those restore points."  How?  Disable and re-enable SR?

Installed and ran Kaspersky AV 7.  It detected ten items and quarantined them or deleted them.

SDFix: Version 1.96
Run by Administrator on 08/07/2007 at 04:46 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:
No Trojan Files Found

Removing Temp Files...
ADS Check:

C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
                                 Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"="C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe:*:Enabled:CuteFTP"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Files with Hidden Attributes:

C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\TMPdgusplhblz.htm
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\images\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\old index\images\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\old index\order\Thumbs.db
C:\Documents and Settings\Administrator\Desktop\internet\[old webpages hidden intentionally]\order\Thumbs.db
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[hotmail email hidden intentionally]\Sharing Folders\[hotmail email hidden intentionally]\Thumbs.db
C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP\5.0\cuteftp.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP50\A0012410.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP52\A0014612.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP52\A0014660.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP57\A0015298.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP59\A0015471.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP60\A0015589.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP60\A0015652.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP65\A0017206.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP67\A0017395.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP71\A0018878.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP73\A0019223.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP73\A0019240.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP74\A0019307.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP78\A0019966.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP78\A0020077.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP79\A0021113.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP81\A0021190.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP81\A0022226.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP82\A0025322.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP82\A0026322.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP83\A0026371.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP84\A0026456.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP85\A0026500.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP89\A0026849.sys
C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP89\A0026850.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

                                 Finished


Well, this is interesting.  I ran the Kaspersky as I said and noticed that after the scans were done and "viruses" found, I tried to reboot.  I could not.  I went to start, shut down, restart and it displayed the sand clock but never anything else.  Had to power off.  

Then when I restarted, I disabled my NAV and was able to reboot normally but when I did, I opened my homepage on IE and when I tried to click on a link to open a new window, both windows closed.  I tried to type in a url in the address bar of my home page after I opened it again and click Go, but again it closed the browser window.  That makes it really hard to work!

Any suggestions at this point as to why I can't open anything but my homepage?  (My homepage is a local page I created, btw).

Thanks
>>System Restore points which can be taken care of later on by flushing those restore points."  How?  Disable and re-enable SR?<<
Yeah, disable System Restore, reboot, re-enable System Restore and immediately create a new restore point.

I always turn System Restore off after cleaning the system; viruses in System Restore are harmless right now until you use one of those infected restore points.

>>Any suggestions at this point as to why I can't open anything but my homepage?  (My homepage is a local page I created, btw).<<
Do you have the same problem if using another homepage?

Do you have Hijackthis.exe? can you please scan with it and let us look at the log?
My homepage has been the same for years, I cannot open more than one browser window or more specifically, go anywhere there is an http in the url as opposed to C:

This problem with the browser is NOT a Hijack.   It's something that happened after I ran that Kaspersky and it's screwed up some kind of settings.
I just tried to open a system restore point too, and it starts to show the window and disappears.  This sucks.  I can't even open a window now.
I just ran sfc /scannow to see if there were missing files.  It ran and I rebooted, but same problem exists.  I can open IE locally but when I click a link to go to any other webpage, www.google.com for example, both windows close w/ NO error message.

I think I've totally disabled Kaspersky, but don't want to uninstall it if there are files there that it's changed or deleted that I need.  I'm not savvy enough to figure out what else to do or where else to look.  Like I said above, I tried to open system restore but when I do, you briefly see part of the title bar and then it disappears, so I can't do that either.

Here is HJT followed by the kaspersky report:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:21:14 PM, on 08/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Administrator/Desktop/[my local startpage]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [\\ROGERS\EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P33 "\\ROGERS\EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139736399187
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} (WebDvr3 Class) - http://192.168.2.3/WebDvr3.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

--
End of file - 7277 bytes

Kaspersky:
Protection : running
--------------------
Total scanned:      308962
Detected:      10
Untreated:      0
Start time:      08/07/2007 05:22:42 PM
Duration:      04:49:14


Detected
--------
Status      Object
------      ------
deleted: Trojan program Rootkit.Win32.Agent.fi      File: C:\Program Files\HTMLValidatorLite80\winhjbfnq32.dll//#
deleted: Trojan program Trojan.Win32.Obfuscated.ga      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2792251D.exe//CryptFF
deleted: Trojan program Trojan-Downloader.Win32.Agent.bkl      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45725091.exe//CryptFF//UPX
deleted: Trojan program Trojan-Downloader.JS.Agent.kd      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\59201C13.htm//CryptFF
deleted: virus Email-Worm.Win32.NetSky.t      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6AA40490.tmp//CryptFF
deleted: Trojan program Trojan-Downloader.Win32.Agent.bkl      File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C16180C.exe//CryptFF//UPX
deleted: Trojan program Rootkit.Win32.Agent.fi      File: C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP90\A0026924.dll//#
deleted: Trojan program Trojan.Win32.Obfuscated.ga      File: C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP90\A0026925.exe//CryptFF
deleted: Trojan program Trojan-Downloader.Win32.Agent.bkl      File: C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP90\A0026926.exe//CryptFF//UPX
deleted: Trojan program Trojan-Downloader.Win32.Agent.bkl      File: C:\System Volume Information\_restore{87232C71-F39C-498C-8A38-3F47A4B78FBA}\RP90\A0026927.exe//CryptFF//UPX

Reports
-------
Component      Status      Start      Finish      Size
---------      ------      -----      ------      ----
Proactive Defense      running      08/07/2007 05:22:40 PM            0 bytes
File Anti-Virus      running      08/07/2007 05:22:41 PM            697.4 KB
Mail Anti-Virus      running      08/07/2007 05:22:42 PM            0 bytes
Web Anti-Virus      running      08/07/2007 05:22:42 PM            5.6 KB
Scan      completed      08/07/2007 05:34:14 PM      08/07/2007 08:54:03 PM      38.9 MB
Rootkit scan      completed      08/07/2007 08:55:50 PM      08/07/2007 09:43:10 PM      21.5 MB


Quarantine
----------
Status      Object      Size      Added
------      ------      ----      -----


Backup
------
Status      Object      Size
------      ------      ----
Infected: Trojan program Rootkit.Win32.Agent.fi      c:\system volume information\_restore{87232c71-f39c-498c-8a38-3f47a4b78fba}\rp90\a0026924.dll      88 KB
Infected: Trojan program Trojan-Downloader.Win32.Agent.bkl      c:\program files\norton systemworks\norton antivirus\quarantine\45725091.exe      16.6 KB
Infected: virus Email-Worm.Win32.NetSky.t      c:\program files\norton systemworks\norton antivirus\quarantine\6aa40490.tmp      20.5 KB
Infected: Trojan program Trojan.Win32.Obfuscated.ga      c:\system volume information\_restore{87232c71-f39c-498c-8a38-3f47a4b78fba}\rp90\a0026925.exe      5.8 KB
Infected: Trojan program Trojan-Downloader.JS.Agent.kd      c:\program files\norton systemworks\norton antivirus\quarantine\59201c13.htm      29.9 KB
Infected: Trojan program Trojan-Downloader.Win32.Agent.bkl      c:\program files\norton systemworks\norton antivirus\quarantine\6c16180c.exe      16 KB
Infected: Trojan program Rootkit.Win32.Agent.fi      c:\program files\htmlvalidatorlite80\winhjbfnq32.dll      88 KB
Infected: Trojan program Trojan-Downloader.Win32.Agent.bkl      c:\system volume information\_restore{87232c71-f39c-498c-8a38-3f47a4b78fba}\rp90\a0026926.exe      16.6 KB
Infected: Trojan program Trojan-Downloader.Win32.Agent.bkl      c:\system volume information\_restore{87232c71-f39c-498c-8a38-3f47a4b78fba}\rp90\a0026927.exe      16 KB
Infected: Trojan program Trojan.Win32.Obfuscated.ga      c:\program files\norton systemworks\norton antivirus\quarantine\2792251d.exe      5.8 KB

No one?

Okay, then I uninstalled Krapspersky and it solved the problem.  I can use my IE again.  Now I will have to see if I have a lock up and if not, then issue solved.

How many antivirus programs are you running?

How many antispyware programs are you running?

Multiple AV or AS programs can conflict with one another.

Sorry wasn't able to get back sooner.

Yes, one resident antivirus with real-time protection is all that's needed; 2 will conflict with each other and can corrupt the system.
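
One way to check a HijackThis log for the situation described above, where resident scanners from more than one vendor are installed at once. This is an added example, not part of the original thread; the keyword list is an assumption, and the last sample line (vendor, service name and path) is constructed.

```python
import re
from collections import defaultdict

# HijackThis O23 line layout:
#   O23 - Service: <display name> [(<short name>)] - <company> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<company>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)

# Assumption: these display-name keywords indicate a resident (real-time) scanner.
RESIDENT_AV_RE = re.compile(r"anti-?virus|auto-?protect|real-?time", re.IGNORECASE)


def parse_o23(line):
    """Return the fields of one O23 service line, or None for any other line."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def resident_scanners_by_vendor(log_text):
    """Map each company to the resident-scanner services it registers."""
    vendors = defaultdict(list)
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc and RESIDENT_AV_RE.search(svc["name"]):
            # Fall back to the display name when no short name is present.
            vendors[svc["company"]].append(svc["short"] or svc["name"])
    return dict(vendors)


def has_conflict(log_text):
    """True when more than one vendor has a resident scanner installed."""
    return len(resident_scanners_by_vendor(log_text)) > 1


# First four lines are from the log in this thread; the last one is constructed.
SAMPLE_LOG = r"""O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Example Real-Time Scanner (exrtsvc) - Example AV Vendor - C:\Program Files\ExampleAV\exrtsvc.exe"""

if __name__ == "__main__":
    for vendor, services in resident_scanners_by_vendor(SAMPLE_LOG).items():
        print(f"{vendor}: {', '.join(services)}")
    print("Conflict likely" if has_conflict(SAMPLE_LOG) else "Single resident scanner")
```
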

Everything seems to be working now.

Thanks for the input.

Glad you got it resolved.

Kevin