
Task manager, regedit, command prompt will not run!

  • 19-07-2007 1:12pm
    #1
    Closed Accounts Posts: 271 ✭✭


    Hi,

    I'm wondering if anyone here could shed some light on a problem that has arisen within the past few days.

    I'm running Windows XP SP2 with all the most recent security updates.

    I am unable to open any of the above applications in addition to Firefox and other security tools (Spybot, AVG) after the PC has been on for about 30 minutes. Everything works fine when I first boot up. I'm using avast antivirus which has not reported any infection (I'm almost paranoid about security so haven't opened any of the numerous spam e-mails clogging up my inbox, have scripting turned off in Firefox etc).

    I have no problem opening any of the above when I boot up in safe mode. Spybot and AVG when run in safe mode haven't found anything, although avast has reported a worm in a System Restore folder. However, after fixing this and "flushing" System Restore the above problem continues.

    Here's a HJT logfile (the only app I'm able to run in normal mode) if anyone cares to take a look!

    I hope someone can shed some light on this. Maybe it's not virus related but something else?

    ________________________

    Logfile of HijackThis v1.99.1
    Scan saved at 13:59:07, on 19/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    C:\WINDOWS\system32\defrag.exe
    C:\WINDOWS\SYSTEM32\taskmgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Alwil Software\Avast4\ashAvast.exe
    C:\WINDOWS\SYSTEM32\cidaemon.exe
    C:\Program Files\Alwil Software\Avast4\ashLogV.exe
    C:\Documents and Settings\User\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/0.8.0794.48/WinSSWebAgent.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098842717234
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133988243750
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: WIKI.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
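
As an added example, not part of the original thread, here is a small triage script for HijackThis-style O20/O23 lines like those in the log above. Anything listed in AppInit_DLLs is mapped into every process that loads user32.dll, which is why a bare WIKI.DLL entry deserves a closer look, and a Winlogon Notify entry that points at a directory rather than a DLL is equally odd. The sample lines are copied from the log above; the regexes and the triage_hjt function are my own, not part of HijackThis.

```python
import re

# Constructed sample: O20/O23 lines in HijackThis v1.99.1 format copied from the
# log above, plus one benign O4 line as a control that must not be flagged.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>\S.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s*(?P<name>.+?)\s*-\s*(?P<path>.*)$")
SERVICE_PREFIX = "O23 - Service: "


def triage_hjt(log_text):
    """Return (line, reason) pairs for persistence entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = APPINIT_RE.match(line)
        if m:
            # Every DLL listed here is mapped into each process that loads user32.dll,
            # so a non-empty value on a home XP machine is worth a VirusTotal check.
            # A bare filename (no directory) is resolved through the DLL search path.
            for dll in re.split(r"[,\s]+", m["dlls"].strip()):
                if dll:
                    where = "bare filename" if "\\" not in dll else "full path"
                    findings.append((line, f"AppInit_DLLs injects {dll} ({where}) into every user32 process"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # A Winlogon Notify package must be a DLL; a directory or other non-DLL
            # value is either a stale entry or something a cleaner has half-removed.
            if not m["path"].lower().endswith(".dll"):
                findings.append((line, f"Winlogon Notify '{m['name']}' points at a non-DLL: {m['path']!r}"))
            continue
        if line.startswith(SERVICE_PREFIX) and line.endswith("(file missing)"):
            # Missing service binaries are often uninstall leftovers, but each should
            # be checked against its registry ImagePath before being dismissed.
            name = line[len(SERVICE_PREFIX):].split(" - ")[0]
            findings.append((line, f"service '{name}' binary not found on disk"))
    return findings


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```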


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hello Rebeller, your problem sounds virus related so let's try a few things.

    You seem to be using two firewalls, ZoneAlarm and Comodo. This can lead to a lot of problems, and might be responsible. So please uninstall one of these programs. I recommend keeping Comodo as it is excellent, so please go to:

    Start > Control Panel > Add or Remove Programs > Remove Zone Labs or Comodo


    Go to this site:
    http://www.virustotal.com/en/indexx.html
    On top you'll find 'Browse'
    Click the browse button and browse to the file:

    C:\WINDOWS\system32\WIKI.DLL

    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

    Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)


    So in your next reply please post the report of that file I asked you to scan, and the two DSS texts in full.


  • Closed Accounts Posts: 271 ✭✭Rebeller


    Hi ActorSeeksJob,

    Thanks for taking the time to help.

    I only have one firewall running at the mo (zonealarm). I was using comodo but uninstalled it. The comodo app you're seeing in the log is comodo BO Clean

    WIKI.DLL is not showing up in the system32 folder even after showing hidden files.

    DSS.exe quits shortly after I allow access to the internet with the message

    "dss.exe has encountered a problem and needs to close....."

    I'm stumped:( Any ideas?

    Thanks again for your time!


  • Closed Accounts Posts: 164 ✭✭ob


    Try running Process Explorer, post a screenshot.


  • Closed Accounts Posts: 271 ✭✭Rebeller


    Hi ob,

    Unfortunately I can't take a screenshot as mspaint will not open (although it shows as a running process). I've attached a text file of Process Explorer's output below if it's any use. I've cleaned it up as best I can to make it easier on the eye. (EDIT: unfortunately it's all jumbled together again once posted!)

    I rebooted my pc and have taskmanager running but I'm accessing the internet from another computer (I have shut off internet access on the problem pc)

    ______________________

    Process                      | PID  | CPU   | Description                             | Company Name
    System Idle Process          | 0    | 95.38 |                                         |
    Interrupts                   | n/a  |       | Hardware Interrupts                     |
    DPCs                         | n/a  |       | Deferred Procedure Calls                |
    System                       | 4    |       |                                         |
    smss.exe                     | 424  |       | Windows NT Session Manager              | Microsoft Corporation
    csrss.exe                    | 472  |       | Client Server Runtime Process           | Microsoft Corporation
    winlogon.exe                 | 496  |       | Windows NT Logon Application            | Microsoft Corporation
    services.exe                 | 540  | 1.54  | Services and Controller app             | Microsoft Corporation
    svchost.exe                  | 716  |       | Generic Host Process for Win32 Services | Microsoft Corporation
    svchost.exe                  | 788  |       | Generic Host Process for Win32 Services | Microsoft Corporation
    svchost.exe                  | 832  |       | Generic Host Process for Win32 Services | Microsoft Corporation
    svchost.exe                  | 892  |       | Generic Host Process for Win32 Services | Microsoft Corporation
    svchost.exe                  | 960  |       | Generic Host Process for Win32 Services | Microsoft Corporation
    vsmon.exe                    | 988  |       | TrueVector Service                      | Zone Labs, LLC
    aswUpdSv.exe                 | 1348 |       | avast! Antivirus updating service       | ALWIL Software
    ashServ.exe                  | 1412 |       | avast! antivirus service                | ALWIL Software
    LEXBCES.EXE                  | 1588 |       | LexBce Service                          | Lexmark International, Inc.
    LEXPPS.EXE                   | 1632 |       | LEXPPS.EXE                              | Lexmark International, Inc.
    spoolsv.exe                  | 1624 |       | Spooler SubSystem App                   | Microsoft Corporation
    guard.exe                    | 1752 |       | AVG Anti-Spyware guard                  | GRISOFT s.r.o.
    BOCore.exe                   | 1816 |       | COMODO BOClean - Anti-Malware           | COMODO
    cisvc.exe                    | 1840 |       | Content Index service                   | Microsoft Corporation
    cidaemon.exe                 | 3412 |       | Indexing Service filter daemon          | Microsoft Corporation
    svchost.exe                  | 1952 |       | Generic Host Process for Win32 Services | Microsoft Corporation
    wdfmgr.exe                   | 1984 |       | Windows User Mode Driver Manager        | Microsoft Corporation
    svchost.exe                  | 2032 |       | Generic Host Process for Win32 Services | Microsoft Corporation
    alg.exe                      | 2100 |       | Application Layer Gateway Service       | Microsoft Corporation
    ashMaiSv.exe                 | 2992 |       | avast! e-Mail Scanner Service           | ALWIL Software
    ashWebSv.exe                 | 192  |       | avast! Web Scanner                      | ALWIL Software
    lsass.exe                    | 552  |       | LSA Shell (Export Version)              | Microsoft Corporation
    taskmgr.exe                  | 612  |       | Windows TaskManager                     | Microsoft Corporation
    explorer.exe                 | 1136 |       | Windows Explorer                        | Microsoft Corporation
    PDVDServ.exe                 | 2332 |       | PowerDVD RC Service                     | Cyberlink Corp.
    ashDisp.exe                  | 2340 |       | avast! service GUI component            | ALWIL Software
    Belkinwcui.exe               | 2364 |       | Belkin Wireless Client Utility          | Belkin
    SOUNDMAN.EXE                 | 2424 |       | Realtek Sound Manager                   | Realtek Semiconductor Corp.
    zlclient.exe                 | 2432 |       | ZoneAlarm Client                        | Zone Labs, LLC
    ctfmon.exe                   | 2448 |       | CTF Loader                              | Microsoft Corporation
    Cordless DUALphone Suite.exe | 2484 |       | Cordless DUALphone Suite                | RTX Products A/S
    firefox.exe                  | 2640 | 3.08  | Firefox                                 | Mozilla Corporation
    procexp.exe                  | 2928 |       | Sysinternals Process Explorer           | Sysinternals
    ashSimpl.exe                 | 2276 |       | Virus scanner                           | ALWIL Software


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Try this it will show us if anything nasty is causing your problems.


    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under "select a target to scan", select My Computer.
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


  • Closed Accounts Posts: 271 ✭✭Rebeller


    Ok,

    I can't use Kaspersky's online scanner as I am unable to get IE7 to accept the ActiveX control. In general, ever since these problems started I have been unable to navigate to any website with IE. I can enter an address but as soon as I hit enter IE freezes and won't close.

    Kaspersky's scanner doesn't seem to work with Firefox so I'm going to try Panda's online one. I'll post again as soon as it's finished.

    Whatever I have it's some piece of work:mad:


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Yeah, the Panda scan thing is good; make sure you save the report and post it here. Also please do this:

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Closed Accounts Posts: 271 ✭✭Rebeller


    Thanks for your help ActorSeeksJob (and ob).

    I seem to have solved the problem but am not entirely sure how:confused:

    After your last post I checked all recently installed programmes and remembered that I had installed Sony Ericsson's (notoriously buggy) PC Suite and software update software for my mobile. I think that was the source of the issues I was experiencing.

    After a reboot I uninstalled the above and managed to access Panda's online virus scanner via IE7, which took 3 hours to inform me that there were no problems. McAfee's online scanner gave the same result.

    However, I downloaded and installed the trial version of Trend Micro's antispyware which identified a problem in the Windows registry (presence of a.better.internet spyware). What confuses me is that this nasty piece of malware needs to be intentionally installed and provokes a general system slowdown (which I experienced), popup ads and browser redirects (neither of which I experienced). I have my suspicions that Sony Ericsson are responsible given Sony's previous DRM rootkit fiasco, as I have not installed any other software within the past few weeks.

    Lavasoft's Ad-Aware identified another registry problem. After fixing both problems I scheduled avast to run a boot time scan which showed up 3 false positives (pskavs.dll related to Panda Software's online ActiveScan): 2 in the System Restore folder and another in the WINDOWS/activescan folder. I deleted the activescan folder and registry entries, turned off System Restore and ran another boot scan. System now shows clean (according to ComboFix, AVG, avast, McAfee, Panda, Spybot, Trend Micro and F-Secure BlackLight rootkit eliminator).

    Task manager, regedit, command prompt and all other apps now running without problems. Hopefully it'll stay that way.

    Thanks again for your time and help.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Thanks for letting us know. It's always good to hear what was causing the problem so we will know for next time!

