
DrWaton Postmortem Debugger

April 7, 2009 4:40:21 PM

Hi Tom's Hardware,



First of all I'd like to clarify just simply what this thread is regarding (at least as far as I can), considering I hardly know myself.

Clarification

Ok, well it was about a year or so ago when a friend of mine infected my computer with a complete bastard of a virus. So I decided, well, I suppose I'll just format; not too long after, literally 10 - 15 formats, I did believe it was gone (it was a virus that infected every exe file on my computer, then if I was to take those exe files anywhere else obviously it would start again).

Now I did not ever determine just what this virus was named (nor did I even really investigate it at all much back then). I simply formatted and thought, well, to hell with this thing if it doesn't want to be removed by almost any bloody Anti-Virus program that I have used.

Things were fine for a year or so, though recently in the past few months the same friend has started giving me files and whatnot again (mostly media files, though, via an external HDD).

Lately my virus programs are AVG & NOD32 (I switch quite often because I don't believe AVG works very well and NOD32 seems to bloody well completely ruin any port-forwarding via uTorrent; anyway, that's another story).

The virus programs have started picking up Trojan alerts in my system volume folders, which brings me to think that could definitely be the way this Trojan gets around (since it goes via flash drives & external HDDs and whatnot).

Now finally we are getting back to where this topic title originated (DrWatson Postmortem Debugger). I've recently read quite a few articles on several websites on the net saying that it's possible that DrWatson Postmortem Debugger can be used as a mask for Trojans....


AceBot

AceBot...... supposedly one of the largest viruses and most bastard of them all out there (at least for SP2). It's probably quite old now; I am running SP3, though I'm wondering, since I was running SP2 at one point in time, is it possible that the virus is still affecting me?


Conclusion

In the past few weeks I've been experiencing some serious malfunctions in my computer; I'll list as many as I can think of.


[In order of most common]

1. All around computer speed just being decreased in some cases taking literally 1 - 3 minutes to open ANY application.

2. Windows Live Messenger crashing very often. (This sometimes triggers the DrWatson Error)

3. My browser can only access HTTPS websites not ANY HTTP website at all.

4. A lot of my Java applications also seem to crash & error quite a lot.

5. AVG crashed and was asking for error reports to be sent to AVG.


To conclude, what I'm really asking for is your opinion & help regarding anything that is wrong with my computer.


Logs


HijackThis

  1. Logfile of HijackThis v1.99.1
  2. Scan saved at 2:25:53 AM, on 4/8/2009
  3. Platform: Windows XP SP3 (WinNT 5.01.2600)
  4. MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
  5.  
  6. Running processes:
  7. C:\WINDOWS\System32\smss.exe
  8. C:\WINDOWS\system32\winlogon.exe
  9. C:\WINDOWS\system32\services.exe
  10. C:\WINDOWS\system32\lsass.exe
  11. C:\WINDOWS\system32\Ati2evxx.exe
  12. C:\WINDOWS\system32\svchost.exe
  13. C:\WINDOWS\System32\svchost.exe
  14. C:\WINDOWS\system32\Ati2evxx.exe
  15. C:\WINDOWS\system32\spoolsv.exe
  16. C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
  17. C:\Program Files\Bonjour\mDNSResponder.exe
  18. C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
  19. C:\Program Files\Java\jre6\bin\jqs.exe
  20. C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  21. C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  22. C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
  23. C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
  24. C:\WINDOWS\Explorer.EXE
  25. C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
  26. C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
  27. C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
  28. C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
  29. C:\Program Files\iTunes\iTunesHelper.exe
  30. C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  31. C:\Program Files\Java\jre6\bin\jusched.exe
  32. C:\WINDOWS\system32\drivers\itech4\itech.exe
  33. C:\Program Files\iPod\bin\iPodService.exe
  34. C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
  35. C:\Program Files\CronoSoft\Quick Hide Windows\qhw.exe
  36. C:\Program Files\PeerGuardian2\pg2.exe
  37. C:\Program Files\SpeedFan\speedfan.exe
  38. C:\WINDOWS\system32\wscntfy.exe
  39. C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
  40. C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
  41. E:\bootcd\wintools\autorun.exe
  42. C:\WINDOWS\system32\cmd.exe
  43. C:\Program Files\uTorrent\uTorrent.exe
  44. C:\WINDOWS\system32\ntvdm.exe
  45. C:\WINDOWS\system32\cmd.exe
  46. C:\WINDOWS\system32\java.exe
  47. C:\Program Files\Mozilla Firefox\firefox.exe
  48. C:\Program Files\iTunes\iTunes.exe
  49. C:\Documents and Settings\Aaron\Desktop\Extreme Virus Removal\HijackThis\HijackThis.exe
  50.  
  51. O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
  52. O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
  53. O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
  54. O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
  55. O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
  56. O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
  57. O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
  58. O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
  59. O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
  60. O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
  61. O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  62. O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  63. O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
  64. O4 - HKLM\..\Run: [itech4] C:\WINDOWS\system32\drivers\itech4\itech.exe
  65. O4 - HKLM\..\Run: [Malwarebytes Piracy] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /piracy
  66. O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
  67. O4 - HKCU\..\Run: [Quick Hide Windows] C:\Program Files\CronoSoft\Quick Hide Windows\qhw.exe -s
  68. O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
  69. O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
  70. O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  71. O4 - Startup: Speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
  72. O4 - Global Startup: SoundMAX Control Panel.lnk = ?
  73. O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
  74. O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
  75. O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
  76. O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
  77. O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  78. O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  79. O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
  80. O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
  81. O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
  82. O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238633442281
  83. O17 - HKLM\System\CCS\Services\Tcpip\..\{73F6C600-AF72-41B3-BFBE-F97DD489C94B}: NameServer = 203.12.160.35,203.12.160.36
  84. O17 - HKLM\System\CCS\Services\Tcpip\..\{F3BA4602-0A62-4FCC-A61A-96EF6B5C7664}: NameServer = 203.12.160.35,203.12.160.36
  85. O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
  86. O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
  87. O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  88. O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
  89. O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
  90. O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
  91. O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
  92. O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
  93. O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
  94. O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
  95. O23 - Service: MBAMService - Malwarebytes - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  96. O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  97. O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
  98. O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Service.exe" -service (file missing)
  99. O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe



ESET NOD32 Antivirus

  1. Date: 4/7/2009
  2. Time: 4:28:20 PM
  3. Directory: C:\System Volume Information\_restore{D3695F7F-6197-4762-9134-CA0B8E551470}\RP43\A0013337.exe
  4. Size: 126976
  5. Reason: probably a variant of Win32/Agent Trojan
  6.  
  7.  
  8. Date: 4/7/2009
  9. Time: 4:23:25 PM
  10. Directory: C:\System Volume Information\_restore{D3695F7F-6197-4762-9134-CA0B8E551470}\RP27\A0011389.dll
  11. Size: 590792
  12. Reason: Win32/Adware.WhenU.SaveNow application




Malwarebytes' Anti-Malware

  1. Malwarebytes' Anti-Malware 1.35
  2. Database version: 1945
  3. Windows 5.1.2600 Service Pack 3
  4.  
  5. 4/7/2009 12:02:19 AM
  6. mbam-log-2009-04-07 (00-02-19).txt
  7.  
  8. Scan type: Quick Scan
  9. Objects scanned: 75378
  10. Time elapsed: 11 minute(s), 0 second(s)
  11.  
  12. Memory Processes Infected: 1
  13. Memory Modules Infected: 0
  14. Registry Keys Infected: 0
  15. Registry Values Infected: 1
  16. Registry Data Items Infected: 0
  17. Folders Infected: 0
  18. Files Infected: 1
  19.  
  20. Memory Processes Infected:
  21. C:\WINDOWS\services.exe (Backdoor.Bot) -> Failed to unload process.
  22.  
  23. Memory Modules Infected:
  24. (No malicious items detected)
  25.  
  26. Registry Keys Infected:
  27. (No malicious items detected)
  28.  
  29. Registry Values Infected:
  30. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
  31.  
  32. Registry Data Items Infected:
  33. (No malicious items detected)
  34.  
  35. Folders Infected:
  36. (No malicious items detected)
  37.  
  38. Files Infected:
  39. C:\WINDOWS\services.exe (Trojan.Agent) -> Delete on reboot.




Thanks in advance,

RevolutionTT.
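The most telling line in the logs above is the Malwarebytes hit on C:\WINDOWS\services.exe: the real services.exe lives in C:\WINDOWS\system32, so a same-named file one directory up is a masquerade, and HijackThis listed both copies under "Running processes". The following Python script is an added example, not code from this thread or from HijackThis; it parses a constructed excerpt of the first HijackThis log (process list trimmed, O-lines kept verbatim, plus one constructed O4 line mirroring the Run\services value Malwarebytes quarantined) and applies two editor-written heuristics: a core system binary launched from outside system32, and autostart/service entries whose target no longer exists.

```python
import re

# Constructed excerpt of the first HijackThis log posted above. The
# "[services]" O4 line is constructed from the Malwarebytes finding
# (Run\services -> C:\WINDOWS\services.exe); it is not in the posted log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:25:53 AM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\services.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Service.exe" -service (file missing)
"""

# Core binaries that, on 32-bit Windows XP as in this thread, legitimately
# run only from %SystemRoot%\system32. A same-named file elsewhere is a
# classic masquerade (the Malwarebytes log flagged exactly such a copy).
CORE_SYSTEM32 = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "spoolsv.exe", "csrss.exe"}

# Pulls the executable path out of an O4 body such as
# '[egui] "C:\Program Files\...\egui.exe" /hide' (quotes optional).
O4_TARGET = re.compile(r'\]\s+"?([A-Za-z]:\\.*?\.exe)', re.IGNORECASE)


def is_masquerade(path):
    """True when a core system binary name is launched from outside system32."""
    folder, _, name = path.rpartition("\\")
    return name.lower() in CORE_SYSTEM32 and not folder.lower().endswith("\\system32")


def parse_log(text):
    """Split a HijackThis log into (running process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        match = re.match(r"^(O\d+) - (.*)$", line)
        if match:
            in_processes = False           # first O-line ends the process list
            entries.append((match.group(1), match.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (severity, rule, detail) findings, process list first, then O-lines in order."""
    findings = []
    processes, entries = parse_log(text)
    for path in processes:
        if is_masquerade(path):
            findings.append(("HIGH", "MASQUERADE_PROCESS", path))
    for section, body in entries:
        # Stale autostart/BHO/service entries: harmless by themselves, but
        # they are leftovers worth cleaning and they hide the real signal.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(("LOW", "ORPHAN_ENTRY", f"{section} - {body}"))
        if section == "O4":
            target = O4_TARGET.search(body)
            if target and is_masquerade(target.group(1)):
                findings.append(("HIGH", "MASQUERADE_AUTORUN", f"{section} - {body}"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_LOG):
        print(f"[{severity}] {rule}: {detail}")
```

Running it prints two HIGH findings (the process and the Run value both pointing at C:\WINDOWS\services.exe) and four LOW orphan entries. The orphan rule is deliberately low priority: "(file missing)" on the jqs and TeamViewer O23 lines in the real log is a quoting quirk and an uninstalled program respectively, which is why a path-based masquerade check, not the mere presence of an unknown entry, is what separates the Backdoor.Bot finding from the noise.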
April 7, 2009 8:50:15 PM

This will keep you busy for a while.

First you have an amazing amount of stuff running at all times.
Start with uTorrent. Unless you are actively using it, TURN IT OFF.
Peer Guardian with Utorrent is a good thing.
A FIREWALL with P2P is also a good idea.
Enough of that.

The following may seem harsh but I don't mean for it to be. So please explain where you can.

I see a WD drive manager. What does that do for you?
Same with the CronoSoft Quick Hide Windows (wife? porno?)

Most of the following can be turned off until you need it (including Utorrent)
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\drivers\itech4\itech.exe (not sure what this is)
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
ITunes


Also what is this E:\bootcd\wintools\autorun.exe
Is this part of Alcohol or are you running Linux?
And this as it says at the top you are on IExplorer
C:\Program Files\Mozilla Firefox\firefox.exe why is that running.


Ok we are at line 48 now if you're keeping track.

BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
I'll see if I can find more on this because it seems bad when there is no identity.

As for Bonjour, I'm not sure what it does. I know it has to do with Apple and iPods, but I have turned it off and the kids haven't bitched yet, so maybe try it.

Lines 57 to 70 explain where the program is launched from (same items as above).
Most you can go to start|run|msconfig|startup and uncheck them.

Basically we are at line 70

I think Malwarebytes took care of the trojan that you had, but I think the main reason for your slowdown is the amazing amount of stuff you have running all of the time.
Almost all of the things I mentioned (except the noted ones) can be turned off and will restart when required. eg. real player only needs to start when a real file is encountered and will do it by itself.

Please turn these things off and repost a HijackThis log and we can go from there.





April 8, 2009 3:20:46 AM

This will indeed keep me busy for a while, I'm guessing....

uTorrent

uTorrent will have to be the main exception from all of this since I am seeding 24/7 to have at least a 1:1 ratio.


//*****Regarding your comment earlier saying "The following may seem harsh but I don't mean for it to be. So please explain where you can." Please do not think anything you say will affect me in any way; I know you're simply here to help and I'm very grateful for that.*****//


Western Digital Drive Manager

The Western Digital Drive Manager that is running is for my External 500 gig HDD, though I suppose when the external is not plugged in it is a very good idea to shut it off.


Quick Hide Windows

"Wife?Porno?" No, this is merely for people who use the same network as me and complain about the internet going slow so what I do is use it to hide uTorrent, otherwise they will close it down.


Idle Programs

Quote:

Most of the following can be turned off until you need it (including Utorrent)
1. C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

2. C:\Program Files\iTunes\iTunesHelper.exe

3. C:\Program Files\Common Files\Real\Update_OB\realsched.exe

4. C:\WINDOWS\system32\drivers\itech4\itech.exe (not sure what this is)

5. C:\Program Files\iPod\bin\iPodService.exe

6. C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

7. ITunes




1. Done, that's purely the application that Alcohol uses to mount images I believe.

2. Done.

3. Done (don't really like RealPlayer; I've always used VLC & JetAudio, though the new RealPlayer with media downloading is quite good)

4. I have no idea what this thing is either; it has in fact been linked to a program running as "Services.exe" and been detected as a Trojan on AVG.

5. Done.

6. Done.

7. Done.


Hiren's BootCD WinTools 1.1

Quote:
Also what is this E:\bootcd\wintools\autorun.exe
Is this part of Alcohol or are you running Linux?
And this as it says at the top you are on IExplorer
C:\Program Files\Mozilla Firefox\firefox.exe why is that running.


That's Hiren's BootCD being mounted by PowerISO. It's quite a nifty little program; I used it to obtain data off a completely stuffed up HDD & I had it running yesterday to see if it could help me out with this malware.


I've summed up the programs that are inside Hiren's BootCD with a few screenshots that I have just taken.

(Screenshots not preserved; the categories shown were: Main Window, AntiSpyware, Backup, Cleaners, Optimizers, Process, Recovery, Repair, Startup, Sysinfo, Testing, Tweakers, Other.)

I now regret taking the time to do those, but anyway onto the next part.


Linux

No I am not running Linux, here's a quick system summary since it may be useful for future reference also.

(Please point out if the computer is actually pretty *** and that I don't even really have enough ram to be running all these programs)

Quick System Summary (screenshot not preserved)

Regarding the Internet Explorer question, well, whatever pointed out that I was using that was wrong.... I rarely ever use it except to perform manual Windows updates.


Quote:
Ok we are at line 48 now if you're keeping track.


Trying to at least.


Quote:
BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
I'll see if I can find more on this because it seems bad when there is no identity.



Please do so because I have no idea what that is.


Bonjour

Nor am I sure what this program does, so I shall close it. (Highly doubt it's any threat, though, but it will need to be closed for optimal performance.)


Quote:
Lines 57 to 70 explain where the program is launched from (same items as above).
Most you can go to start|run|msconfig|startup and uncheck them.


This is just to inform me what lines 57 - 70 are regarding?


Ok, before I post the new HijackThis log, I'm wondering how to disable all these programs from startup? I know the basic ones that have their own options menu where I can get in and disable it from startup, but I'm referring more so to iTunesHelper, iTunes iPodService, AppleMobileService & StarWindServiceAE, just basically all that crap that only my kids use.


You will see in the log below that iPodService, AppleMobileService and all that crap stated above is in fact still running, though? Even after I've ended the process? Seems pretty odd.....

(I'm not 100% sure if they are running, though; I'll post a screenshot of my processes taken literally like 2 seconds after the HijackThis scan.)


http://www.freeimagehosting.net/uploads/67fba79d87.png


HijackThis Log

  1. Logfile of HijackThis v1.99.1
  2. Scan saved at 1:16:27 PM, on 4/8/2009
  3. Platform: Windows XP SP3 (WinNT 5.01.2600)
  4. MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
  5.  
  6. Running processes:
  7. C:\WINDOWS\System32\smss.exe
  8. C:\WINDOWS\system32\winlogon.exe
  9. C:\WINDOWS\system32\services.exe
  10. C:\WINDOWS\system32\lsass.exe
  11. C:\WINDOWS\system32\Ati2evxx.exe
  12. C:\WINDOWS\system32\svchost.exe
  13. C:\WINDOWS\System32\svchost.exe
  14. C:\WINDOWS\system32\Ati2evxx.exe
  15. C:\WINDOWS\system32\spoolsv.exe
  16. C:\Program Files\Bonjour\mDNSResponder.exe
  17. C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
  18. C:\Program Files\Java\jre6\bin\jqs.exe
  19. C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  20. C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  21. C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
  22. C:\WINDOWS\Explorer.EXE
  23. C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
  24. C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
  25. C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
  26. C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
  27. C:\Program Files\Java\jre6\bin\jusched.exe
  28. C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
  29. C:\Program Files\CronoSoft\Quick Hide Windows\qhw.exe
  30. C:\Program Files\PeerGuardian2\pg2.exe
  31. C:\Program Files\SpeedFan\speedfan.exe
  32. C:\WINDOWS\system32\wscntfy.exe
  33. C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
  34. C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
  35. E:\bootcd\wintools\autorun.exe
  36. C:\WINDOWS\system32\cmd.exe
  37. C:\Program Files\uTorrent\uTorrent.exe
  38. C:\WINDOWS\system32\ntvdm.exe
  39. C:\DOCUME~1\Aaron\LOCALS~1\Temp\JkDefrag.exe
  40. C:\WINDOWS\system32\cmd.exe
  41. C:\WINDOWS\system32\java.exe
  42. C:\Program Files\Mozilla Firefox\firefox.exe
  43. C:\Program Files\iTunes\iTunes.exe
  44. C:\WINDOWS\system32\svchost.exe
  45. C:\Documents and Settings\Aaron\Desktop\Extreme Virus Removal\HijackThis\HijackThis.exe
  46.  
  47. O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
  48. O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
  49. O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
  50. O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
  51. O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
  52. O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
  53. O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
  54. O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
  55. O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
  56. O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
  57. O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  58. O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  59. O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
  60. O4 - HKLM\..\Run: [itech4] C:\WINDOWS\system32\drivers\itech4\itech.exe
  61. O4 - HKLM\..\Run: [Malwarebytes Piracy] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /piracy
  62. O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
  63. O4 - HKCU\..\Run: [Quick Hide Windows] C:\Program Files\CronoSoft\Quick Hide Windows\qhw.exe -s
  64. O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
  65. O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
  66. O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  67. O4 - Startup: Speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
  68. O4 - Global Startup: SoundMAX Control Panel.lnk = ?
  69. O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
  70. O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
  71. O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
  72. O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
  73. O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  74. O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  75. O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
  76. O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
  77. O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
  78. O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238633442281
  79. O17 - HKLM\System\CCS\Services\Tcpip\..\{73F6C600-AF72-41B3-BFBE-F97DD489C94B}: NameServer = 203.12.160.35,203.12.160.36
  80. O17 - HKLM\System\CCS\Services\Tcpip\..\{F3BA4602-0A62-4FCC-A61A-96EF6B5C7664}: NameServer = 203.12.160.35,203.12.160.36
  81. O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
  82. O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
  83. O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  84. O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
  85. O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
  86. O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
  87. O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
  88. O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
  89. O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
  90. O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
  91. O23 - Service: MBAMService - Malwarebytes - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  92. O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  93. O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
  94. O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Service.exe" -service (file missing)
  95. O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe



Thanks once again for the response and the help so far :) 

RevolutionTT.
April 8, 2009 5:27:22 PM

Ok, that looks somewhat better, and yes, the fewer things that are running the better off you will be, as most of your 2 megs of memory is always in use and therefore so is your HDD swapfile, constantly moving things in and out of memory.
So programs will take longer to load and to function.


First, when I run uTorrent I don't generally seed much. I know it says that you should,
but I haven't really seen my speeds go up due to that. In fact my speeds seem to go down as all of my bandwidth is consumed with the uploading.
I am only on a 2MB connection. Generally if you have many seeds you will get a download rate.
Also having it running 24/7 means you have a much better chance of getting caught as I did. Peer Guardian helps but it isn't foolproof. Going through a proxy is better as it is harder to trace.

As for the unidentified BHO at line 48 it has something to do with MSN Messenger.
Being a BHO it probably only runs when Messenger does so no big deal.

Is your External HDD on a USB setup?
If so you may be able to disable that (line 25 newest hijack log).
I have that drive and a Maxtor drive external and dont have that running.
I think it may have to do with the backup feature of the drive, so you should be able to turn that off until you need it.

Regarding the programs that you aren't sure how to turn off: you can click the start button and then Run.
Type msconfig and OK. Then go to the Startup tab and you will see most of the things that start automatically when you turn on your computer. Just uncheck the boxes of the things that you don't want to start.
If you aren't sure, leave some on and we will deal with them later.
The worst that can happen is something won't work and we can turn them back on.

The itech.exe process seems to be missing in the recent hijack log so possibly whatever you turned off took care of it.
I googled it and didn't really get a satisfying answer, but it could have to do with a Bluetooth device. Do you have one of those?
If not look for it in startup and uncheck it.

Once you uncheck these things in startup and reboot you will see a message
saying that you have started in a diagnostic setup or some damn thing like that.
Just tell it OK. It will then take you to the msconfig page again, so just close it.
You will also see a checkbox to "Don't show me this warning again".
Don't check that box just yet, so that if you need to get back there you won't have to look for it. When everything is done, then you can check the box.

As for everything below line 69 in the newest log, don't worry about those just yet as many will disappear when the ones on top disappear.


The Hiren's boot CD looks pretty interesting. I'm going to look into that for myself.
I have several of those things now but to have them in one package would be pretty helpful.

One last thing. It still shows that you are running both IExplorer and Firefox.
Is someone else on the network using that at the same time, or do you have that set to come on in some way? Having both at the same time consumes a lot of memory.

Once we get this sorted out you will think you have a new computer.



April 8, 2009 5:38:48 PM

First of all I'd just like to say thanks once again for taking the time to view my thread.


uTorrent

The only reason why I leave uTorrent open for seeding is for the sheer fact that I'm a member of a private torrent tracker (a small community) which I like to seed for (also having my own profile/ratio).

I really don't care much about my ISP viewing what I am downloading (in all honesty I don't care at all).

External HDD

Yes, my External HDD is on a USB setup.


Automatic Startup Programs

Thank you, that gives me a much more advanced interface from which I can set my own personal settings much more simply.


iTech.exe

Yes, I did in fact take care of that; it turns out it was my son running that process.
He claims it was for a game called Runescape.


Warning Box

Will do.


Hiren's BootCD

Yes, it's been proclaimed as "A profession in one program"


Iexplorer & Firefox

I have no idea why both are running; I've just checked my processes 2 seconds ago and IExplorer isn't running.
(If you have any ideas or anymore advice on this please tell me)


Once again thanks so much for all your advice & help,


RevolutionTT.
April 8, 2009 7:03:37 PM

Possibly you aren't running IExplorer.
I just asked because it states that on top of the HijackThis log, so I thought that is what you were on.

As for Runescape, here is a good description I found in case you wonder what he's doing, and the itech makes sense.
Maybe I'll turn my kid onto that game. He's pretty into World of Warcraft.
http://en.wikipedia.org/wiki/RuneScape

Also I have a few questions about private trackers that maybe we can discuss through the PM feature and not in an open forum, because it wasn't my ISP that had a problem with it, they just told me about it.
If you aren't worried about things there must be a reason. wink wink.

Also no problem with the help I'm laid off and real bored.
I like the thought of being helpful.
April 8, 2009 7:05:56 PM

Lol, as do I; 90% of the time I'm just helping out in IRC.

Regarding the private trackers, we can discuss it via MSN if you like.

aaron-nagy@hotmail.com


Though if you prefer PMing from this forum I'm fine with that also.
April 8, 2009 7:43:04 PM

Yeah, on the forum is easier for me as I don't generally run MSN.
Not to say I won't, I just never had a reason so I don't really know how.
Same with Skype. I just use it for phone calls.

Give me a little while, as I booted into XP to try and get some settings for someone else I'm trying to help, and I'll give it a try.
April 8, 2009 7:44:41 PM

All good contact me via whichever you like (preferably in the next hour or so since it's 6 am and I have to go out soon)
April 8, 2009 8:03:51 PM

PM'd you from here
October 13, 2011 11:29:49 PM

Hi there,

I think you guys should check out OPSWAT.com there are 2 or 3 products that may be a match. I think that OESIS Framework provides a single interface to many antivirus and AVG is in that list. Another option is, I think, Metascan which is more for ISV.
I also found that AVG is certified by OPSWAT.

I hope this helps.
Regards,

Brian