
MS I.E., MS O.E., Firefox crash. HJT Log help 2


electricpete

Technical User
Oct 1, 2002
289
US
My computer: e-Tower 633 Mhz with 256MB Ram, Windows ME

My Protection: e-Trust A/V, Firewall, Anti-spam suite. A/V is in continuous monitor mode.

I successfully ran e-Trust A/V, CWShredder (found and removed something) then rebooted, Adaware, Spybot.

Minor tangent - I did get an error message at some point from my firewall that the executable cafix.exe associated with my a/v, which was trying to access the internet, had changed. I asked for help and my firewall told me this MIGHT be ok, IF my antivirus had updated its program (not its definitions). It's a little annoying that the firewall doesn't know what the a/v is doing since they are all part of the same suite. I think this is harmless but I don't know.

=======Problem/Symptoms (still there):===========
The following programs terminate unexpectedly:
MS Internet Explorer 6.0
MS Outlook Express
Mozilla FireFox

Sometimes they just stop and close. Sometimes I get the MS dialogue box telling me there's an error and asking if I want to send an error report. Sometimes the computer reboots itself (but that has only happened when I was in those applications).

============================================
===============Here is HJT Log =============
===========================================
Logfile of HijackThis v1.99.1
Scan saved at 10:41:25 PM, on 2/24/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\HAWKING TECHNOLOGIES\HAWKING_HWU54G_UTILITY\HWU54G.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = eFanz
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Hawking HWU54G Utility.lnk = C:\Program Files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe
O4 - Startup: Microsoft Office.lnk = F:\MSOFFICE2000\Office\OSA9.EXE
O8 - Extra context menu item: &Find Definitions... -
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: Dialpad US Java Applet -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} -
======================================
Some comments:
=================================
* Hawking is my USB-connected wireless adapter - not a problem.
* Fine Print is software that I installed

====I'm thinking about deleting the following:=====
C:\WINDOWS\ptsnoop.exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O8 - Extra context menu item: &Find Definitions... -
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html

O16 - DPF: Dialpad US Java Applet -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) -
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} -
Do you think the above are safe to delete? Any others that I should kill?
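One thing a reviewer looks at in O4 entries like those above, including the ptsnoop.exe line the poster is asking about, is whether the value names a bare file (ptsnoop.exe, pctptt.exe, SysTray.Exe, mstask.exe) or a full path. A bare name is located by Windows through its directory search order at logon rather than at a fixed location, so it is the first place to confirm which file actually runs. The script below is an added example written for this page; it is not part of the post and not HijackThis code. It parses O4 and O16 lines in the exact shape shown in the log (the regexes are written against that log, and the sample lines embedded in it are copied from the log above), then lists the bare-name startup entries and the downloaded ActiveX controls for review. A bare name is not a verdict on its own: SysTray.Exe and mstask.exe are Windows components, and the point is only to say which entries need their file checked.

```python
import re

# Constructed sample: O4/O16 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = F:\MSOFFICE2000\Office\OSA9.EXE
O16 - DPF: Dialpad US Java Applet -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) -
"""

# Line shapes as they appear in a HijackThis 1.99 log. These patterns are an
# assumption derived from the posted log, not taken from the HijackThis source.
O4_REG_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP_RE = re.compile(r'^O4 - Startup: (?P<name>.*?) = (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<name>.*?) -\s*(?P<url>.*)$')


def split_command(cmd):
    """Split a Run value into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ''
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(' ')
    return head, tail.strip()


def is_bare_filename(exe):
    """True when the entry has no directory, so Windows finds the file by searching
    its usual directories (launcher dir, System/Windows dirs, PATH) at logon."""
    return '\\' not in exe and '/' not in exe and not re.match(r'^[A-Za-z]:', exe)


def parse_o4(log_text):
    """Return every O4 entry as a dict with location, name, exe and args."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REG_RE.match(line)
        if m:
            exe, args = split_command(m.group('cmd'))
            entries.append({'location': m.group('hive') + '\\..\\' + m.group('key'),
                            'name': m.group('name'), 'exe': exe, 'args': args})
            continue
        m = O4_STARTUP_RE.match(line)
        if m:
            exe, args = split_command(m.group('cmd'))
            entries.append({'location': 'Startup', 'name': m.group('name'),
                            'exe': exe, 'args': args})
    return entries


def parse_o16(log_text):
    """O16 entries are ActiveX controls that IE downloaded and installed from a web page.
    The source URL normally follows the dash; it is blank in the posted log."""
    return [(m.group('name'), m.group('url'))
            for m in (O16_RE.match(line) for line in log_text.splitlines()) if m]


def bare_path_entries(log_text):
    """O4 entries to check first: a bare name can be shadowed by a same-named file
    that sits earlier in the search order than the one the author intended."""
    return [e for e in parse_o4(log_text) if is_bare_filename(e['exe'])]


if __name__ == '__main__':
    for e in bare_path_entries(SAMPLE_LOG):
        print(f"check file for: {e['location']} [{e['name']}] -> {e['exe']} {e['args']}".rstrip())
    for name, url in parse_o16(SAMPLE_LOG):
        print(f"downloaded control: {name} (source URL: {url or 'not shown in log'})")
```

Run it against a full log by reading the file into `parse_o4`/`parse_o16` in place of `SAMPLE_LOG`; for each bare-name hit, confirm which directory actually holds the file before deciding to keep or delete the entry.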
 
yes you can fix those but leave this entry alone.


O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe


If you want to disable it go to Start/Run, type msconfig, click OK, click Selective Startup and then click the Startup tab and uncheck the box for ptsnoop; click Apply, OK, and exit.
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
* Click the Free Trial link under "Downloads/SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

download cleanup

* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* Run cleanup!

Run an online antivirus check from

choose extended database for the scan!

Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!
post another hijack this log, the spysweeper and active scan logs
Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Well, it seems that I can not add anything to Pecheneg's conclusion, as usual very complete and sound information...

and it seems you have already done your homework beforehand, and came to the exact same conclusion as I had... so it is pretty much what I would clean...

To answer your question about why one app (the firewall) does not know what your AV's changes are, or vice versa: it is simple... if the AV were to set a certain bit/Registry value etc. to tell the FW that it is a safe change, this same information could be used to insert malware of any type, and it would tell the FW/AV that it was a safe change etc...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
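What the firewall did with cafix.exe, as the thread describes it, is compare the program now on disk against the copy it had previously allowed and prompt when the two differ; Ben's point is why that comparison has to rest on the file itself and not on a "this change is safe" flag that any process could set. The script below is an added example written for this page, not eTrust or Zone Labs code; it assumes the fingerprint is a content hash (the real product's method is not on the page), and the file names are borrowed from the thread while the file contents are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so a large executable need not fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash of every program the user has granted network access."""
    return {str(Path(p)): sha256_file(p) for p in paths}


def check_against_baseline(baseline):
    """Re-hash each recorded program. The verdict depends only on the bytes on
    disk; nothing the program (or a trojan wearing its name) asserts about itself
    is consulted, which is the property Ben's reply is describing."""
    results = {}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            results[path] = 'missing'
        elif sha256_file(p) == expected:
            results[path] = 'unchanged'
        else:
            results[path] = 'changed'   # the "program has changed" prompt maps to this state
    return results


def demo():
    """Constructed scenario: three allowed programs are baselined, then one updates
    itself in place and another is removed."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        av_updater = base / 'cafix.exe'      # name from the thread; contents invented here
        fw_service = base / 'vsmon.exe'
        stale = base / 'old_tool.exe'        # hypothetical uninstalled program
        av_updater.write_bytes(b'MZ constructed stand-in for the AV updater, build 1')
        fw_service.write_bytes(b'MZ constructed stand-in for the firewall service')
        stale.write_bytes(b'MZ constructed stand-in for an uninstalled program')
        baseline = build_baseline([av_updater, fw_service, stale])

        # A legitimate product update and a trojan overwriting the same file look
        # identical to this check; it only reports that the contents changed.
        av_updater.write_bytes(b'MZ constructed stand-in for the AV updater, build 2')
        stale.unlink()

        return {Path(p).name: status
                for p, status in check_against_baseline(baseline).items()}


if __name__ == '__main__':
    for name, status in demo().items():
        print(f'{name}: {status}')
```

The check only says that the bytes changed, not whether the change is legitimate; answering that question means verifying the new file against something the vendor controls, such as its code signature or a published hash, which is the step the firewall's "this MIGHT be ok" prompt leaves to the user.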
 
Maybe time to get a new firewall as I don't think eTrust is doing its job! There are many good free firewalls out there, here's a few for you to think about!

Filseclab Personal Firewall Professional Edition

Sygate

Kerio 4

Sites for testing firewalls

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
I removed the items identified in HJT discussion above... still have the problem.

Also the problem occurred in Adobe Acrobat files (program terminated abnormally). Also during the same timeframe my Adobe tried to access the internet for an update and the firewall flagged it because the Adobe program exe (acrord something) had changed since the last time it was run (I had never given it permission to update although it asks periodically).

I did the start/run/msconfig and set selective startup. There was no menu to select ptsnoop (only win.ini and a few other things). It told me to reboot my computer and then during reboot it told me it was doing a selective startup for troubleshooting. I said OK, startup continued and computer acts the same (still problems). I'm not sure exactly what selective startup is supposed to do. Can you explain it?

I ran Spysweeper (results at the end of this message). Notable results are jeem trojan, cws about-blank, and maybe Lycos sidesearch. The trial version of Spysweeper found them but doesn't let me delete them (need to subscribe first).

That brings me to thinking about why my other stuff didn't find this. Two things I noticed:
1 - Spybot S&D - I press "search updates" and it lists the update. Then press "download updates" and it always says "checksum error". I think this means it didn't download any updates.
2 - CWShredder - When I run the program there is an option to get the latest version. I press that button and doesn't seem to do anything.

So my bottom line question - how do I get rid of those three threats?

======================================
Spy Sweeper will provide you with detailed information about the operations being performed in this area.
Updating spyware definitions from Webroot.com
Please wait... This may take a few minutes...
Your spyware definitions have been updated.
You are now protected against 126179 known traces.
Next scheduled sweep:Monday, February 27, 2006 2:00 AM

No items will be ignored during sweeps.

No items will be removed without notification during sweeps.

Pressing a product button will provide more information about that product.

To ensure proper removal of spyware, adware and other unwanted items, be sure to close any programs that are open.
Your Sweep Options indicate the following will be swept:
Drives: C: F:
Also sweeping: Memory, Cookies, Registry
Trojan Horse found: jeem
VERY HIGH RISK - jeem is a Trojan horse that may allow a hacker to gain control of your computer while you are on-line
Adware found: cws-aboutblank
CRITICAL - cws-aboutblank is a variant of coolwebsearch that may hijack internet explorer settings
Adware found: sidesearch
VERY HIGH RISK - Lycos sidesearch is a web search tool that has been reported to self-install itself without user permission

There were also 100+ spy cookies low-risk. I won't post them here.
Full Sweep has completed. Elapsed time 01:50:55
Traces Found: 151
 
Spybot S&D - I press "search updates" and it lists the update. Then press "download updates" and it always says "checksum error". I think this means it didn't download any updates.
Change the Server it tries to DL from... Choose the Safer Networking1 (Europe) Server...

Try EWIDO AntiMalware, 14 day trial (automatic updates and background scanner on trial only; the main program will function after that with no problem)...


100+ spy cookies
these can be deleted easily...

Trojan Jeem Removal and Information:
CWS-AboutBlank see info and removal:

I also suggest here Ad Aware Away: (5 day Free trial, last I heard)...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
you need to post the kaspersky, panda and spysweeper logs so we can see what's being found on your computer!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 