# HiJack This run - Virus take over?



## amaul (Jun 7, 2000)

Someone at this post
http://forums.techguy.org/web-email...rts-when-internet-connection.html#post4047980
suggested that I do a new post with a HiJack This log inserted. I also have Symantec AntiVirus which seems to have detected some bad stuff. First the HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 3:00:20 AM, on 10/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\cpqalert.exe
C:\WINNT\CPQDIAG\CPQDFWAG.EXE
C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\logn.exe
C:\elk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system\dllhost.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f344.mail.yahoo.com/ym/ShowFolder?YY=39622&box=Inbox&YN=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [winmlp02] C:\logn.exe
O4 - HKLM\..\Run: [winmlp05] C:\elk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158024677093
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0345D1D-67F0-4B37-9FFF-F619C050EEF5}: NameServer = 10.10.1.4
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe

Now when doing a Symantec AntiVirus scan, it found the following as shown in the attached file AV.xls
In "dllhost.exe" it finds "W32.Spybot.Worm". It also finds "Hacktool.Spammer" in other files.

Please help. You can find more on the history behind this problem at the link at the top of this message.
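An added example (not code from the post, and not part of HijackThis) showing the checks a log reader applies by hand to a log like the one above, run over a few lines constructed from it: O4 autostart entries whose target is an executable sitting directly in the drive root, O23 services with no vendor string or a missing file, a well-known system binary name living outside its normal directory, and O16 ActiveX downloads from hosts not on an allowlist. The allowlist and the table of expected system-binary locations are assumptions made for the example.

```python
r"""Triage a HijackThis 1.99 log: flag the entries an analyst would check first.

Added example for this thread; it is not HijackThis code and not from the post.
The sample lines are constructed from the log above. The allowlist of ActiveX
download hosts and the table of system binaries with their expected directory
are assumptions made for the example.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 - Service: display - vendor - path[ (file missing)]   (vendor may be empty)
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<vendor>.*?) ?- (?P<path>.+?)(?P<missing> \(file missing\))?$')
# O16 - DPF: {CLSID} [(name)] - url
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$')

# An executable directly in the drive root (C:\logn.exe) is rare for real
# software and typical for droppers.
ROOT_EXE_RE = re.compile(r'^[a-z]:\\[^\\]+\.exe$', re.IGNORECASE)

# Assumptions for the example.
TRUSTED_DPF_HOSTS = {"update.microsoft.com"}
KNOWN_SYSTEM_BINARIES = {"dllhost.exe": "\\system32\\"}  # the real COM+ surrogate lives in system32

Finding = Tuple[str, str, str]  # (entry name, target, reason)


def exe_path(cmd: str) -> str:
    """Return the program part of an O4 command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]


def triage(lines) -> List[Finding]:
    """Walk log lines and return (name, target, reason) for anything worth a look."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            target = exe_path(m["cmd"])
            if ROOT_EXE_RE.match(target):
                findings.append((m["name"], target, "autostart executable in drive root"))
            continue
        m = O23_RE.match(line)
        if m:
            display, vendor, path = m["display"], m["vendor"], m["path"]
            if not vendor or vendor.lower() == "unknown owner":
                findings.append((display, path, "service with no vendor/owner"))
            if m["missing"]:
                findings.append((display, path, "service points at missing file"))
            base = path.rsplit("\\", 1)[-1].lower()
            expected = KNOWN_SYSTEM_BINARIES.get(base)
            if expected and expected not in path.lower():
                findings.append((display, path, f"{base} outside its normal directory ({expected})"))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlsplit(m["url"]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((m["clsid"], m["url"], f"ActiveX download from untrusted host {host}"))
    return findings


# Constructed sample: a subset of the lines from the log in the post.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winmlp02] C:\logn.exe
O4 - HKLM\..\Run: [winmlp05] C:\elk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158024677093
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
'''

FINDINGS = triage(SAMPLE_LOG.strip().splitlines())

if __name__ == "__main__":
    for name, target, reason in FINDINGS:
        print(f"{reason:45s} {name} -> {target}")
```

The two O4 lines and the DLLHOST service it flags are the same three entries the later replies in this thread single out. An empty vendor string (the SmartLink modem service here) only raises the priority for a manual look; it is not evidence on its own.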


----------



## cybertech (Apr 16, 2002)

Go to this web site: http://virusscan.jotti.org/
In the File to upload & scan box copy and paste each of the following one at a time. Then click the Submit button.

C:\logn.exe
C:\elk.exe

Copy the results and paste them back here in your next reply with a new HJT log.


----------



## amaul (Jun 7, 2000)

Yes, I was wondering what those two files were. They kept on trying to access the internet as my ZoneAlarm kept on warning. As mentioned in the post above here, I suspected these files in my previous post which may provide more background on the problem, here:
http://forums.techguy.org/web-email/503904-computer-restarts-when-internet-connection.html

Also as shown in this previous post is a screen capture from ZoneAlarm, which I'll try to link here:

Since the problem computer keeps on getting a BSOD stop error each time it connects to the internet, I'll have to load those two files to floppies and upload them to that website from a friend's or library computer. Thus, it may take some time, at least 12-24 hours between posts for me unfortunately because of this.

By the way, my Symantec AV definitions were updated in late September. Other scans with AV show that the virus is back, keeps on recreating the infected file, dllhost.exe
Also, I did another scan from safe mode. Pretty much followed the instructions found at
http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99&tabid=3


----------



## cybertech (Apr 16, 2002)

Let's not wait 12-24 hours... 

Please download suspicious file packer from http://www.safer-networking.org/en/tools/index.html and unzip it to desktop, open it, paste in the list of files below, and wait until it has created the archive on your desktop.

Please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so they can be examined.

Just press new topic, fill in the needed details and *post a link to your post here*, then press the browse button and navigate to and select the files on your computer. When the file is listed in the window press send to upload the file.


----------



## cybertech (Apr 16, 2002)

*Click Here* and download Killbox and save it to your desktop.

*Run HJT again and put a check in the following:*

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe

*Close all applications and browser windows before you click "fix checked".*

Close Hijackthis.

Double-click on Killbox.exe to run it. 
Put a tick by *Delete on Reboot*. 
In the "Full Path of File to Delete" box, copy and paste the following line.

*C:\WINNT\system\dllhost.exe*

Click on the button that has the red circle with the X in the middle after you enter the file name. 
It will ask for confirmation to delete the file. 
Click Yes. 
It will ask for confirmation to reboot now.
Click Yes.

*Note:* It is possible that Killbox will tell you that the file does not exist. 
If your computer does not restart automatically then please restart it manually. 
If you get the error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" then just restart manually.

*After reboot please post your hijackthis log. Use Task Manager to kill those two processes after you reboot.*
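An added example (not Killbox code and not from the post) of the mechanism behind "Delete on Reboot" and the PendingFileRenameOperations error message quoted above. The assumed layout is the one MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager: NUL-terminated UTF-16LE strings in source/destination pairs, the source as an NT path (\??\C:\...), the destination empty for a delete and prefixed with "!" when an existing destination should be overwritten, the whole list closed by one extra NUL. smss.exe applies the list early in the next boot, before user-mode malware can reopen and lock the file. The code builds and parses those bytes in memory; nothing touches a real registry.

```python
r"""Encode and decode a PendingFileRenameOperations value (REG_MULTI_SZ).

Added example for this thread; not Killbox code and not from the post.
The layout is assumed as described in the lead-in: pairs of NUL-terminated
UTF-16LE strings (source as \??\ NT path, destination empty for delete or
'!'-prefixed for replace-existing), terminated by one extra NUL.
Nothing here writes to a registry.
"""
from dataclasses import dataclass
from typing import List, Optional

PENDING_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


@dataclass(frozen=True)
class PendingOp:
    src: str                        # Win32 path of the file to move or delete
    dst: Optional[str] = None       # None means "delete at next boot"
    replace_existing: bool = False  # MOVEFILE_REPLACE_EXISTING, encoded as a leading '!'


def to_nt_path(win_path: str) -> str:
    return NT_PREFIX + win_path


def from_nt_path(nt_path: str) -> str:
    if not nt_path.startswith(NT_PREFIX):
        raise ValueError(f"not an NT path: {nt_path!r}")
    return nt_path[len(NT_PREFIX):]


def encode_pending_ops(ops: List[PendingOp]) -> bytes:
    """Serialise ops as the REG_MULTI_SZ payload smss.exe expects."""
    parts: List[str] = []
    for op in ops:
        parts.append(to_nt_path(op.src))
        if op.dst is None:
            parts.append("")  # empty destination = delete
        else:
            parts.append(("!" if op.replace_existing else "") + to_nt_path(op.dst))
    # each string is NUL-terminated; the list ends with one more NUL
    return ("".join(s + "\0" for s in parts) + "\0").encode("utf-16-le")


def decode_pending_ops(blob: bytes) -> List[PendingOp]:
    """Parse a REG_MULTI_SZ payload back into PendingOp records (an IR check:
    the same mechanism can be abused to swap a system file at boot)."""
    text = blob.decode("utf-16-le")
    if text in ("", "\0"):
        return []
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with an empty string")
    items = text.split("\0")[:-2]  # drop the list terminator and the split artefact
    if len(items) % 2:
        raise ValueError("dangling source without destination")
    ops: List[PendingOp] = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(PendingOp(from_nt_path(src)))
        else:
            replace = dst.startswith("!")
            ops.append(PendingOp(from_nt_path(src), from_nt_path(dst[1:] if replace else dst), replace))
    return ops


def describe(ops: List[PendingOp]) -> List[str]:
    """Human-readable summary, one line per queued operation."""
    out = []
    for op in ops:
        if op.dst is None:
            out.append(f"delete  {op.src}")
        else:
            verb = "replace" if op.replace_existing else "move   "
            out.append(f"{verb} {op.src} -> {op.dst}")
    return out


if __name__ == "__main__":
    # Constructed sample: what Killbox's Delete on Reboot queues for the file in this thread.
    queued = encode_pending_ops([PendingOp(r"C:\WINNT\system\dllhost.exe")])
    print(PENDING_VALUE)
    print(queued.hex(" "))
    for line in describe(decode_pending_ops(queued)):
        print(line)
```

The "Registry Data has been Removed by External Process" message in the Killbox step is the tool reporting that this value no longer contains what it wrote, which is why the instructions fall back to a manual restart and a fresh log.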


----------



## flavallee (May 12, 2002)

amaul:

I got your private message. I'm not going to be of any help to you because I've never used Windows 2000. Continue to follow cybertech's instructions.

-------------------------------------------------------------------------------------

I wouldn't have Symantec Norton Antivirus nor ZoneLabs ZoneAlarm in my computer, but that's me.

-------------------------------------------------------------------------------------


----------



## cybertech (Apr 16, 2002)

amaul, 

You PM'd me and asked me to help you. Are you having problems with any thing I have requested you to do?


----------



## flavallee (May 12, 2002)

Cybertech:

He PM'd me with this message:

*Hi. I was wondering if you could possibly help me out as you did recently for another on a similar problem.*

I've never worked with Windows 2000 anyway, so I'm of no real help to him. I'm staying out of this thread and leaving it to you. I don't know why he hasn't replied back to your previous instructions.

Frank

-------------------------------------------------------------------------------------


----------



## cybertech (Apr 16, 2002)

Same here flavallee.


----------



## telecom69 (Oct 12, 2001)

Same here too, told him to follow cybertech's instructions .......

Hi. I was wondering if you could possibly help me out as you did recently for another on a similar problem.

http://forums.techguy.org/windows-nt...take-over.html


----------



## amaul (Jun 7, 2000)

I haven't been back to that computer yet. I'll try it out tomorrow. I sent out the help requests prior to Cybertech's 07-Oct-2006 02:09 PM post, as my previous post really got me nowhere (few responses, nothing solved). I'm happy that there are now many who would like to help.

Please have patience in my responses, as the computer I have for the internet is geographically in a separate location to the sick computer, which cannot connect to the internet.

I only wish that I can save the TechGuy page to transfer and to look at on that faulty computer that can't connect to the internet. Every time I do a File / Save As to this web page, it gives the error "The web page cannot be saved" shown as attached.


----------



## cybertech (Apr 16, 2002)

Can you make a hard copy? Print it.


----------



## amaul (Jun 7, 2000)

No printer. I did a "view source" and saved the text as an HTML document so that I could look at it on my other computer. Doesn't look as nice as if I could have just saved the web page with a "Save As", but it did the trick. I was able to follow your instructions.

Well I saved
C:\logn.exe
C:\elk.exe
and dllhost.exe
to a floppy to check in http://virusscan.jotti.org/ but I think I grabbed the wrong floppy to check using this computer that works. Duh! Do you want me to try again?

The next step, 


> Please download suspicious file packer from http://www.safer-networking.org/en/tools/index.html and unzip it to desktop, open it & paste in the list of files below and when it has created the archive on your desktop.
> Please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so they can by examined.
> Just press new topic, fill in the needed details and post a link to your post here & then press the browse button and then navigate to & select the files on your computer, When the file is listed in the window press send to upload the file.


I'm sorry Cybertech, but other than downloading SFP, unzipping it, and running the program, I'm lost here. I don't know what to paste in this SFP window.

Next step,


> Click Here and download Killbox and save it to your desktop.
> Run HJT again and put a check in the following:
> O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
> O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe
> ...


Ok, I got KILLBOX on the bad PC. I ran HJT again and put a check in those two boxes. Closed all apps and browser windows and chose "fix checked" and closed HJT. Ran Killbox, did everything you mentioned, and chose "yes" to reboot. It couldn't shutdown all the way hanging up somewhere showing just a black screen and a movable mouse pointer, but I manually forced a restart as you mentioned. No error messages. A HJT log follows. I'm not sure what two processes you wanted me to kill using Task Manager, but here is the TM window:


HJT:
Logfile of HijackThis v1.99.1
Scan saved at 7:28:43 PM, on 10/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\cpqalert.exe
C:\WINNT\CPQDIAG\CPQDFWAG.EXE
C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\cpqdmi.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\logn.exe
C:\elk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f344.mail.yahoo.com/ym/ShowFolder?YY=39622&box=Inbox&YN=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [winmlp02] C:\logn.exe
O4 - HKLM\..\Run: [winmlp05] C:\elk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158024677093
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0345D1D-67F0-4B37-9FFF-F619C050EEF5}: NameServer = 10.10.1.4
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe


----------



## cybertech (Apr 16, 2002)

These are the two processes to kill:
logn.exe
elk.exe
both are visible in the Task Manager list you posted.

Since you have a copy of each of these files I would suggest *deleting *them from the infected machine.

You don't need to submit dllhost.exe, that file is known bad.

Upgrade IE to v6 when you get this device back on the internet.

*Run HJT again and put a check in the following:*

O4 - HKLM\..\Run: [winmlp02] C:\logn.exe
O4 - HKLM\..\Run: [winmlp05] C:\elk.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)

*Close all applications and browser windows before you click "fix checked".*

All you need to do with SFP is copy:
c:\logn.exe
c:\elk.exe 
and paste into the box.

No problem on the time it takes to get this done. :up:


----------



## amaul (Jun 7, 2000)

I couldn't delete logn.exe & elk.exe until after I ran HJT again and fixed the three checked lines you indicated. Before this, it wouldn't allow me to delete them. They're now deleted. I didn't upgrade the infected computer's IE to v.6. I'm afraid to connect to the internet while still having a pizza virus eating my computer. I'm afraid that it'll also just crash when the internet connection is made as was happening before. Now on checking all of these files (plus a new one, pizza.exe)…

At http://virusscan.jotti.org/ I inputted the files LOGN.EXE, ELK.EXE, and DLLHOST.EXE. The results are below. I also noticed this afternoon a weird file in the C:\ root directory, the only application there. PIZZA.EXE. The jotti.org website identified this as an infected file.

File: LOGN.EXE 
Status: INFECTED/MALWARE 
MD5 d1eeed403db8b752715284f09ed8eca5 
Packers detected: - 
Scanner results 
AntiVir Found Trojan/Proxy.Small.FD 
ArcaVir Found Trojan.Proxy.Small.Fd 
Avast Found nothing 
AVG Antivirus Found Proxy.FUW 
BitDefender Found BehavesLike:Win32.Backdoor (probable variant) 
ClamAV Found nothing 
Dr.Web Found Trojan.Proxy.1088 
F-Prot Antivirus Found Possibly a new variant of W32/Behavior:SelfStarterInternetTrojan!Maximus 
Fortinet Found W32/Small.FD!tr 
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Small.fd 
NOD32 Found nothing 
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]
* File length: 9216 bytes.
[ Changes to registry ]
* Creates value "winmlp02"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Opens URL: http://58.20.162.136/ok.php?p=1030.
[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 1030.
[ Process/window information ]
* Creates a mutex winmlp02.
* Will automatically restart after boot (I'll be back...). 
UNA Found nothing 
VirusBuster Found Trojan.PR.Small.EHI 
VBA32 Found Trojan-Proxy.Win32.Small.fd

File: ELK.EXE 
Status: INFECTED/MALWARE 
MD5 6010af1e95421806de23ddcdf789f693 
Packers detected: - 
Scanner results 
AntiVir Found Trojan/Proxy.Small.FD.1 
ArcaVir Found Trojan.Proxy.Small.Fd 
Avast Found nothing 
AVG Antivirus Found Proxy.GAF 
BitDefender Found BehavesLike:Trojan.FirewallBypass (probable variant) 
ClamAV Found nothing 
Dr.Web Found Trojan.Proxy.1089 
F-Prot Antivirus Found Possibly a new variant of W32/Behavior:SelfStarterInternetTrojan!Maximus 
Fortinet Found W32/Small.FD!tr 
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Small.fd 
NOD32 Found nothing 
Norman Virus Control Found W32/Smalltroj.KEI 
UNA Found nothing 
VirusBuster Found Trojan.PR.Mailer.B 
VBA32 Found Trojan-Proxy.Win32.Small.fd

File: DLLHOST.EXE 
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5 bfd30ff043a16228e8a950ad1c684618 
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT 
Scanner results 
AntiVir Found Worm/Sdbot.43520.30 
ArcaVir Found Trojan.Sdbot.Xd 
Avast Found nothing 
AVG Antivirus Found IRC/BackDoor.SdBot2.HWV 
BitDefender Found Generic.Sdbot.4A2A001D 
ClamAV Found Trojan.SdBot-2700 
Dr.Web Found BackDoor.IRC.Sdbot 
F-Prot Antivirus Found W32/Sdbot.UNJ 
Fortinet Found W32/SDBot.XD!tr.bdr 
Kaspersky Anti-Virus Found Backdoor.Win32.SdBot.xd 
NOD32 Found a variant of IRC/SdBot 
Norman Virus Control Found W32/SDBot.AJKO 
UNA Found nothing 
VirusBuster Found Worm.SdBot.CRX 
VBA32 Found Backdoor.Win32.SdBot.xd

Ok, I ran SFP for logn.exe & elk.exe to create one zipped file and for pizza.exe for another zipped file. I uploaded them to that website (I think), linked here -
http://www.thespykiller.co.uk/forum/index.php?topic=2787.0
and
http://www.thespykiller.co.uk/forum/index.php?topic=2786.0
I also emailed these two zipped files to [email protected] for further analysis.

I did another AV scan in Safe Mode. Didn't find anything. See AVscanhist.xls attached.

My latest Task Manager appears as shown. I don't see Pizza.exe here, but think it's just a matter of time. How do I address pizza.exe and others that might pop up?


The latest HJT log is as shown:

Logfile of HijackThis v1.99.1
Scan saved at 6:20:57 PM, on 10/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\cpqalert.exe
C:\WINNT\CPQDIAG\CPQDFWAG.EXE
C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\cpqdmi.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f344.mail.yahoo.com/ym/ShowFolder?YY=39622&box=Inbox&YN=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158024677093
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0345D1D-67F0-4B37-9FFF-F619C050EEF5}: NameServer = 10.10.1.4
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe


----------



## amaul (Jun 7, 2000)

I did a search for pizza in my HJT log and didn't find anything. Hmmm.


----------



## cybertech (Apr 16, 2002)

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/removaltools/sdfix.zip

Right click the SDFix.zip folder and choose Extract All to extract it to its own folder on the Desktop. 
Reboot your computer in Safe Mode.
Open the extracted SDFix folder and double click RunThis.bat to start the script. 
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. 
Press any Key and it will restart the PC. 
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt back onto the forum with a new hijackthis log.


----------



## amaul (Jun 7, 2000)

Why does Safe Mode take so long to load?
Ok, Report.txt follows:

SDFix: Version 1.28
-------------------

Scan run on: 
Wed 10/11/2006

Time:
10:42p

Microsoft Windows 2000 [Version 5.00.2195]

Running from: C:\Documents and Settings\Administrator\Desktop\New Folder\SDFix

Stage One...

Checking Services...

Name: 
-----

DLLHOST

Path:
----

"C:\WINNT\system\dllhost.exe"

DLLHOST ... deleted

Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
--------------------------

C:\pizza.exe
C:\WINNT\system32\i

Backing Up and Removing any Files Found...

Final Check:

Remaining Services:
------------------

Remaining Files:
--------------

*Any removed Files are saved in the SDFix\backups Folder*

*FINISHED*

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:13 PM, on 10/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\cpqalert.exe
C:\WINNT\CPQDIAG\CPQDFWAG.EXE
C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\cpqdmi.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f344.mail.yahoo.com/ym/ShowFolder?YY=39622&box=Inbox&YN=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158024677093
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0345D1D-67F0-4B37-9FFF-F619C050EEF5}: NameServer = 10.10.1.4
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe
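
The log above is the kind of text a helper reads line by line, looking for a handful of patterns: a core system binary running from somewhere other than its normal directory (the C:\WINNT\system\dllhost.exe that SDFix removed), an executable sitting in the root of the drive, an O23 service with an unknown owner or a missing file, and an O2 BHO with no backing file. The following script is an added example, not part of the thread or of HijackThis itself; it parses a small constructed log in the same format (the entries marked constructed are made up to exercise each check) and returns the suspicious lines with a reason. The list of core binaries and their expected folders is an assumption about a default Windows 2000 layout.

```python
"""Triage a HijackThis v1.99.1-style log for the entries a helper reads first."""
import re
from typing import Dict, List

# Assumed default Windows 2000 layout: core binaries and the folder, relative
# to the Windows directory (C:\WINNT on this machine), they should run from.
# dllhost.exe is included because a copy in WINNT\system is what SDFix removed.
CORE_BINARIES = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "dllhost.exe": "system32",
    "explorer.exe": "",          # lives directly in the Windows directory
}

CORE_MISPLACED = "core system binary outside its normal directory"
DRIVE_ROOT = "executable running from the drive root"
SERVICE_SUSPECT = "service with unknown owner or missing file"
STARTUP_ODD = "Run-key entry launching from an unusual location"
BHO_NO_FILE = "BHO entry with no backing file (orphan)"

# Constructed sample in the thread's log format. The process lines and the
# [svc] Run entry are made up to exercise each check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:57:13 PM, on 10/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\csrss.exe
C:\WINNT\system\dllhost.exe
C:\logn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [svc] C:\elk.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def split_path(path: str) -> List[str]:
    """Lower-case path components, with quotes and the HJT '(file missing)' note stripped."""
    path = path.strip().strip('"')
    if path.endswith("(file missing)"):
        path = path[: -len("(file missing)")].strip()
    return [p for p in path.lower().split("\\") if p]


def misplaced_core_binary(path: str) -> bool:
    """True when a core binary name sits outside its expected directory."""
    parts = split_path(path)
    if not parts or parts[-1] not in CORE_BINARIES:
        return False
    expected = CORE_BINARIES[parts[-1]]
    parent = parts[:-1]              # e.g. ['c:', 'winnt', 'system32']
    if expected:
        return not (len(parent) == 3 and parent[2] == expected)
    return len(parent) != 2


def runs_from_drive_root(path: str) -> bool:
    """True for an executable sitting directly in the drive root (like logn.exe above)."""
    parts = split_path(path)
    return len(parts) == 2 and parts[0].endswith(":")


def first_token(command: str) -> str:
    """Executable part of a Run-key command line (handles quoted paths)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log: str) -> List[Dict[str, str]]:
    """Return the suspicious lines of a HJT log, each with a short reason."""
    findings: List[Dict[str, str]] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                     # blank line ends the process list
                in_processes = False
                continue
            if misplaced_core_binary(line):
                findings.append({"line": line, "reason": CORE_MISPLACED})
            if runs_from_drive_root(line):
                findings.append({"line": line, "reason": DRIVE_ROOT})
            continue
        code, _, rest = line.partition(" - ")
        if code == "O23":
            # "Service: <name> - <owner> - <path>"; the owner field may be empty
            parts = rest.split(" - ")
            if len(parts) < 3:
                continue
            owner, path = parts[-2].strip().lower(), parts[-1]
            if owner == "unknown owner" or path.endswith("(file missing)"):
                findings.append({"line": line, "reason": SERVICE_SUSPECT})
            elif misplaced_core_binary(path):
                findings.append({"line": line, "reason": CORE_MISPLACED})
        elif code == "O4":
            match = re.search(r"\] (.+)$", rest)      # text after "[label] "
            if match:
                exe = first_token(match.group(1))
                if runs_from_drive_root(exe) or misplaced_core_binary(exe):
                    findings.append({"line": line, "reason": STARTUP_ODD})
        elif code == "O2" and rest.endswith("(no file)"):
            findings.append({"line": line, "reason": BHO_NO_FILE})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['reason']}: {finding['line']}")
```

Run against the constructed sample it reports six lines: the stray csrss.exe and the WINNT\system copy of dllhost.exe among the processes, logn.exe in the drive root, the orphan BHO, the [svc] Run entry and the DLLHOST service. Nothing in the list is proof of infection on its own; it is the short list a human then checks by hand, which is exactly what the SDFix report above confirmed for dllhost.exe.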


----------



## amaul (Jun 7, 2000)

BTW, I now have another computer on the internet next to the infected computer, thus I can respond more quickly.


----------



## cybertech (Apr 16, 2002)

Have you tried putting it on the internet yet?

That log looks clean.


----------



## amaul (Jun 7, 2000)

Well I had to re-install PeoplePC. I did that, from their CD. The first time during installation when it called the toll-free number to get information, I received a BSOD stop error. I rebooted, deinstalled and reinstalled again. This time it worked. I was connected to the internet and on the techguy.org website getting ready to respond here, when another BSOD appeared. The error, writing it down this time, was:

0X00000050 (0XFFFF0000, 0X00000000, 0X80469324, 0X00000000) PAGE_FAULT_IN_NONPAGED_AREA
*** Address 80469324 base at 80400000, DateStamp 44925809 - ntoskrnl.exe

This is like the same error I received at the beginning, in the previous TechGuy post, which led to this one. I'll visit that link and check into it.


----------



## amaul (Jun 7, 2000)

Well checked my previous post
http://forums.techguy.org/web-email...rts-when-internet-connection.html#post4047980
on the error, and everything from

PAGE_FAULT...

onward was the same as before. All of those hexadecimal codes at the beginning are new.

Again, I don't think the problem is with the RAM. Completely different and brand new memory chips produce the same error page.

What about running a "debugging utility on the dump files" as Rollin' Rog said can be done in the previous post? That was never done, using the debugging utility. My dump files are still attached in that prior post.


----------



## cybertech (Apr 16, 2002)

Respond to the other thread with that.


----------



## amaul (Jun 7, 2000)

What else should I do here?


----------



## Genghis505 (Oct 16, 2006)

Hello,
I'm in a similar situation as you, so I figure I'd sign up and post what I've found so far in hopes that it might help you. Or at least get us closer to a solution.

I formatted and reinstalled a friend's computer with Win2000 Pro, AVG Anti-Virus, ZoneAlarm. I updated what I could at my house using my cable modem. Everything seemed fine at my house, but when he tried it at his house using PeoplePC Dial Up, the computer would hard reboot after it established a connection with PeoplePC.

Anyhow, it looks like it could be ZoneAlarm. I did a search on Google for +peoplepc +connection +reboot (this is how I found this thread as well) and found a thread on McAfee's site with people having a similar problem. McAfee issued them an unofficial patch which seemed to fix their problem.

I just tried uninstalling ZoneAlarm and was able to log onto PeoplePC using dial up without the reboot. I would test it further, but I have to get some sleep. So tomorrow I will either try an earlier version of ZoneAlarm or an alternate free firewall program.

I hope this helps. I'm not confident with my solution yet, but it looks like I'm moving in the right direction.


----------



## amaul (Jun 7, 2000)

Thanks. By "hard reboot" at the connection, do you mean you didn't get a Blue Screen Of Death (BSOD) stop error?
In my previous post at
. . . http://forums.techguy.org/web-email...rts-when-internet-connection.html#post4047980
the same thing was happening, but then I followed the guidance at
. . . http://wilderssecurity.com/showthread.php?p=494916
which can show the stop error code instead of just rebooting.
_by default windows is set to reboot during a critical failure so that could be it. that can be changed by right-clicking My Computer>Properties>Advanced tab>then click "Settings" in Startup and Recovery>uncheck "Automatically Restart" box_

Are you sure the problem is with ZoneAlarm? McAfee doesn't own ZoneAlarm, so a fix by McAfee wouldn't really affect users of ZoneAlarm.


----------



## Genghis505 (Oct 16, 2006)

Sorry for the confusion. Yes, when PeoplePC established a connection with the internet using PeoplePC, the computer would just reboot itself (no BSOD).

And you are correct, the patch from McAfee wouldn't help us because they don't own ZoneAlarm. But I figured since other people were having the same problem with PeoplePC and their firewall, that it could be that ZoneAlarm isn't playing nice with PeoplePC.

I did a search at Zonelabs forums and found that earlier this year others were also having a problem with PeoplePC and ZoneAlarm. Zonelab was able to reproduce the error, but it does not look like they've issued a resolution.

http://forum.zonelabs.org/zonelabs/board/message?board.id=inst&message.id=51421&query.id=4519#M51421

So last night, I uninstalled ZoneAlarm and tried to install an earlier version. The computer kept giving me an error when I tried this. I'm guessing the computer still has remnants of the current version and isn't allowing me to load an earlier version.

I ended up using an alternative free firewall program and the computer doesn't reboot anymore when I connect using PeoplePC. I was able to connect multiple times last night using PeoplePC without getting an error, BSOD, or a reboot.

You can try PeoplePC after turning off ZoneAlarm (I didn't try this) or uninstalling to see if you can connect to the internet. This could narrow it down to your firewall having a problem with PeoplePC.

I hope this helps. Good luck.


----------



## amaul (Jun 7, 2000)

I went to that link (I hate clicking the links to see each message though). Our problems seem to be the same. I'll try reconnecting with ZA shutdown. If that doesn't work, I'll uninstall ZA and try again. It's funny how this happened only after getting totally updated with all Win2000 patches/fixes and all ZA and AV and other updates. Do you know if P-PC has looked into a fix? What other free firewall do you recommend? Thanks.


----------



## Rollin' Rog (Dec 9, 2000)

Amaul, I've looked at both your threads and the minidumps. Unfortunately I can't tell you anything other than what you already know: the 050 fault is occurring in ntoskrnl.exe -- a core NT memory management and file driver.

You've apparently ruled out faulty ram, so we won't go there.

Since this problem is only occurring regarding internet connectivity -- if this were my problem I would uninstall all internet related 3rd party programs such as Zone Alarm, Windows Defender -- etc. and test. Leave only a basic antivirus.

I would also reset the Winsock and possibly reinstall tcp/ip.

The first can be done with 3rd party programs, the second -- is more involved in Windows 2000, though very easy in XP.

For the Winsock you can use Bob Cerelli's method here:

http://forums.techguy.org/windows-95-98-me/323749-how-do-i-put-winsock.html#post2305987

You will have no internet connectivity once you delete the key so be sure to have the new file downloaded and ready to merge.

For TCP/IP in Win2K this is Microsoft's recommended procedure:

http://www.petri.co.il/reinstall_tcp_ip_on_windows_2000.htm


----------



## Genghis505 (Oct 16, 2006)

I'm hoping that your problem is similar to mine. I've already returned the computer to my friend, so hopefully my reasoning and solution were sound. I guess I'll find out in a couple of days.

I have no idea if P-PC is looking into the problem. What version of P-PC are you on? I think my friend's was 6.2 and if I remember correctly from P-PC's website, they are now on 6.3. I didn't update the program because I didn't know his password (it was already saved on the computer, and I didn't want it to get deleted.) I know, I should have updated it anyways while I had the computer with me. You may want to give that a shot, if you are on an earlier version of P-PC.

I don't feel comfortable recommending any firewall software, since I have zero experience with firewall programs other than ZoneAlarm. I just went to CNet's website and downloaded one of the free ones that other users gave a better than average rating to. Maybe others with more experience can recommend something. The one I chose was Comodo (I've never heard of it before). I have no idea if it is a good one or not, but I figured it was better than not having a firewall.

Good luck with your problem.


----------



## amaul (Jun 7, 2000)

I don't know what to do. Now I'm not sure if there's a ZA / P-PC conflict.

I first shut down ZA and tried to install P-PC. During the installation when P-PC tried to connect to the toll-free number, the BSOD appeared. Then I uninstalled the partial P-PC installation and uninstalled ZA. Then I tried to install P-PC again. *The BSOD appeared again, with ZA uninstalled.*

I believe the P-PC version I'm installing is 6.2. I got this P-PC installation CD maybe 6 months ago at the most. I have it installed on another computer (WinXP) without any problems thus far. XP apparently comes with its own firewall. When I click on the "Software Version 6.2" link in the Bartshell (PeoplePC Online) window on the XP computer, I just get a link to "Download the Software":
https://www.peoplepc.com/register/login.asp?download=true&membershiptype=1
Nothing on "Update your version" or anything like this. The problem computer has Win 2000 professional as the operating system.

I'm pretty depressed now. Is there an expert in this forum to help me on this Stop Error? I took a picture of the screen. I'll try to attach the image here.


----------



## amaul (Jun 7, 2000)

Well Rollin Rog had something, to uninstall the other programs. Now with both ZA and Windows Defender uninstalled, an install of P-PC gives a BSOD stop error saying that I'm a:
BAD_POOL_CALLER
I'm not sure why I got this, as I'm a good billiards player and always call my shots when not playing slop. I took another photo of the screen to attach here. I'm not sure what else to uninstall now.


----------



## Genghis505 (Oct 16, 2006)

I'm sorry to hear that you are still unable to resolve your problem. I was hoping it was the same as mine. Unfortunately I didn't uncheck the box to read the BSOD error versus letting the computer reboot itself, so I couldn't tell you if it was the same error.

Have you tried Rollin' Rog's suggestion of uninstalling all third party internet related programs except an anti-virus and start from there?

I saw that there was an available version 6.3 for download on P-PC's website. It's located in their FAQ section.

http://home.peoplepc.com/helpinfo/faq/default.asp

It looks like you need a username and password to download, which I don't have.

Good luck and hopefully my friend won't call me telling me the problem is back, or I'll be back here hoping you've found a solution to your problem.

Edit: It looks like you were trying Rollin' Rog's suggestions while I was typing this.
Edit again: I'm sure this won't make a difference, but I also ran a registry cleaner after I uninstalled ZA. "BAD_POOL_CALLER"?? Do you have an accent that is hard to understand? I normally just point to the pocket, unless I'm doing a combo.


----------



## amaul (Jun 7, 2000)

Well it's working now. I'm not sure why. AV and Windows Defender are gone. Then I started tweaking the Symantec AV, disabling lots of things. Then P-PC installed and all is seemingly running well. I updated Symantec AV from the 9/22 date I was last able to use the internet on this computer, and did a full system scan. It found lots of stuff, including some new virus/worm, especially in C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\.

In addition to
. . . W32.Spybot.Worm
and
. . . Hacktool.Spammer
now it found
. . . Backdoor.Exdis

I'll attach the log here. I wonder if I can/should try to reinstall Windows Defender and ZA?


----------



## cybertech (Apr 16, 2002)

It looks like everything was taken care of except "C:\WINNT\system\dllhost.exe" which was deleted in post #18. You may want to run SDFix again.


----------



## amaul (Jun 7, 2000)

This computer is driving me insane. It was working ok this morning, now I get a BSOD at startup, even in safe mode. I kept my computer on while going to work, and when I came back, a Symantec AV window was open saying that it found yet another virus (I forgot the name). I chose delete or whatever option Symantec gave me, and then rebooted the computer. Now nothing but the BSOD.

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0x00000080 (0x00000000 0x00000000).

I also need to mention here that I did another "Windows Update" and it downloaded about five more fixes.

This BSOD image follows. Is it dead?


----------



## amaul (Jun 7, 2000)

I did install a brand new Maxtor 100 GB HDD as a slave before all of this junk started happening. I thought I installed it ok. It seemed that it was recognized and all. I even set up the pagefile (about 800 MB) to be on this new HDD. I'm not sure if this has to do with anything.


----------



## cybertech (Apr 16, 2002)

An easy way to find out is to remove it.


----------



## Rollin' Rog (Dec 9, 2000)

Sorry, I was looking for updates to this thread, but didn't notice "page 2" 

If you can no longer start even in Safe Mode, your options are pretty much limited to doing a reinstall.

Have you tried both the built in Administrator account as well as your normal account with Administrative rights?


----------



## amaul (Jun 7, 2000)

Well I took out the extra HDD and the same error comes up.

I'm not sure what you mean Rollin' by the "Admin account" as well as the normal account with Admin rights. It just goes to this error message and stops.

Not sure what else to do. This site
http://support.microsoft.com/kb/330303
on "STOP: c000021a (Fatal System Error)" Error Occurs, Last Review: October 10, 2005
has the following for Windows 2000 computers:
WORKAROUND
To work around this problem, rename the computer so that it is one character shorter. If you do so, the FQDN is less than 200 characters long and the heap corruption does not occur.

I have no idea how to do this. Can you do this from booting from a floppy?

I believe Windows 2000 is based on NT. This website has something on this error for NT computers:
http://support.microsoft.com/kb/317189
but in the resolution, it talks about booting to a "parallel installation of Windows NT". I don't think I have this.

Anything else? What did I do wrong?


----------



## Rollin' Rog (Dec 9, 2000)

Evidently you are not even getting to the point where you can choose a Safe Mode profile?

The first MS article is a one in a million and I'm really sure it doesn't apply here.

The second is a possibility, but still a longshot, but the suggested fix is really a difficult one, and you would have to have a partition available for a parallel installation -- either that or slave the drive to another computer. What you are doing here is simply creating a second Windows installation and working from that to access the otherwise inaccessible installation.

It's a very technical procedure.

If you could start in Safe Mode, you could delete the PendingFileRenameOperations registry entry manually. But I don't think this particular issue would exist if you could boot in Safe Mode.

If you do have an available drive or partition, you can certainly do a parallel install and at least preserve your personal data.


----------



## amaul (Jun 7, 2000)

Thanks for the response. I know this thread is getting pretty long and help might be becoming more and more hopeless, but I'm relentless and not a quitter.

No, I unfortunately cannot get to fully load Safe Mode. Pressing F8 goes to a screen where I choose "Windows 2000 Professional" (I can take another photo and post this) and then a nice light blue blank screen comes up and then the bad dark BSOD comes up. I'm very certain that there is no partition on the single HDD that boots up Windows 2000 (just a C drive).

I do have another PC that works (has Windows XP on it). I could also get access to another Windows 2000 pc, same model as the afflicted one. Could I take out the C drive of the afflicted PC and install it as a slave to a computer (new XP or older 2000) that works? I must mention here that the afflicted C drive does/did have at least one virus on it. I could possibly take a risk on one of the Windows 2000 PCs, a risk that a virus might jump to this "good" PC, but I don't want to take much of a risk on infecting the newer XP computer.

I definitely do want to get some personal data/files off of the afflicted C drive. Should I assume that the newly installed D drive (100 GB Maxtor I previously mentioned) is ok w/o any viruses? From what I recall, I just saved data to it and had the large PageFile relocated to it from the older (slower) 20 GB C drive. As I mentioned previously, I installed it just a week or two before all of this junk started to happen.

Not only am I relentless, I can be pretty smart, so if you can walk me through the "very technical procedure", I'm sure we could solve the problem. I greatly appreciate the help.


----------



## Rollin' Rog (Dec 9, 2000)

Assuming both computers have the NTFS file system, yes you should be able to slave the Win2K drive to the XP system or another 2K one and access it. Since the drive is not booting there will be no security risk as long as you do not inadvertently launch a viral program by clicking on it.

If the "newly" installed D drive was installed on an infected system -- and that system was booted -- you cannot assume it is viral free -- although it probably is.


----------



## amaul (Jun 7, 2000)

The D drive from the afflicted PC wasn't the boot drive, so I guess it's ok.

Actually I'm not certain that the afflicted 2000 PC is NTFS or the other, FAT32 I believe it's called. I do recall there being a link on the afflicted PC's desktop named "Convert to NTFS" or something like this. I never opened this. I just checked my XP PC, and it is NTFS.

So to be sure that the same file system is used, I'll slave the afflicted PC C drive to another 2000 PC. I'm pretty certain that both 2000 PCs (the afflicted one and the "new" one) will have the same file system, since they both came from the same batch and are the same model. I'll do this tonight, say by 11 pm EST, and will be ready for any instruction at that time.

Thanks.

BTW - at initial startup with the Windows 2000 system, next to the <F10 = BIOS Setup> is a <F12 = Network Service Boot>. I never tried this Network Service Boot. I wonder if it could have worked.

BTW#2 - it appears that the Win2K HDDs are FAT32. I have the afflicted ex-boot drive now as a slave within another Win2K PC. The boot drive of which is FAT32. I didn't even touch the other drive yet. Awaiting your command captain.


----------



## Rollin' Rog (Dec 9, 2000)

You should have full access to any FAT32 drive if you slave it. Now at the very least you can copy any critical data that you want to preserve.

That's about all you can do I think, unless you want to try looking at the registry in the old system by loading it as a hive.

You have to read carefully the MS instructions there. I've only done this once or twice and not from a slaved drive.

http://support.microsoft.com/default.aspx/kb/317189


----------



## ~Candy~ (Jan 27, 2001)

I just received your pm. I was on vacation for a month........I don't have anything to add at this point.


----------



## amaul (Jun 7, 2000)

Hmm. I do have some registry backup file, did it in mid-September when things were going crazy. I attached the "Properties" here. Anything I can do here with it?


----------



## amaul (Jun 7, 2000)

A scan by "MS Windows Malicious Software Removal Tool - Sep. 2006" showed the following:

Malware - Backdoor:Win32/Rbot.gen
Scan Results - Detected, not removed

all the rest of malware weren't detected.

The file it found was csrss.exe in the slave E:\WINNT\ and was clearly not supposed to be there. I was easily able to delete this file. An older version of this file appears in both C: and E: at WINNT\SYSTEM32, $NtServicePackUninstall$, and ServicePackFiles\i386

Some info on this virus appears here.

csrss - csrss.exe - Process Information
http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/
FGA The CSRSS Backspace Bug in Windows NT 4-NT 2000-NT XP
http://homepages.tesco.net/J.deBoynePollard/FGA/csrss-backspace-bug.html
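
The csrss.exe finding above illustrates the usual way a look-alike is spotted on a slaved, non-booting drive: the file name belongs to a core system process, but the copy sits in WINNT\ instead of WINNT\SYSTEM32, while the older copies in $NtServicePackUninstall$ and ServicePackFiles\i386 are the service-pack cache that Windows 2000 keeps on purpose. The script below is an added example and not part of the thread; it walks a Windows directory, hashes every file whose name matches a core binary, and classifies each copy outside system32 by comparing it with the system32 copy. The directory tree it scans is constructed in a temporary folder with made-up contents, so it runs offline; the set of core names and the list of known cache folders (including system32\dllcache, the Windows File Protection cache) are assumptions about a default Windows 2000 layout.

```python
"""Classify copies of core system binary names found on a slaved Windows
drive by comparing them with the copy in system32."""
import hashlib
import os
import tempfile
from typing import Dict, List

# Assumed core process names (Windows 2000 default layout puts them in system32).
CORE_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe"}
# Folders under the Windows directory where Windows 2000 legitimately keeps
# extra copies: service-pack uninstall data, the service-pack file cache and
# the Windows File Protection cache. Assumed, not taken from the thread.
KNOWN_CACHE_DIRS = {"$ntservicepackuninstall$", "servicepackfiles", "dllcache"}

CACHED = "older copy in a known service-pack or WFP cache folder (expected)"
DUPLICATE = "byte-identical duplicate of the system32 copy outside system32"
UNEXPECTED = "copy outside system32 whose content differs from the system32 copy"
NO_REFERENCE = "copy outside system32 with no system32 copy to compare against"


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_windows_dir(windir: str) -> List[Dict[str, str]]:
    """Walk a Windows directory (the slaved WINNT folder) and classify every
    file named like a core binary that sits outside system32 itself."""
    system32 = os.path.join(windir, "system32")
    reference = {}                      # name -> hash of the system32 copy
    for name in CORE_NAMES:
        candidate = os.path.join(system32, name)
        if os.path.isfile(candidate):
            reference[name] = sha256_of(candidate)

    findings: List[Dict[str, str]] = []
    for root, _dirs, files in os.walk(windir):
        rel = os.path.relpath(root, windir).replace(os.sep, "/").lower()
        if rel == "system32":
            continue                    # the reference copies themselves
        in_cache = any(part in KNOWN_CACHE_DIRS for part in rel.split("/"))
        for filename in files:
            name = filename.lower()
            if name not in CORE_NAMES:
                continue
            full = os.path.join(root, filename)
            if in_cache:
                status = CACHED
            elif name not in reference:
                status = NO_REFERENCE
            elif sha256_of(full) == reference[name]:
                status = DUPLICATE
            else:
                status = UNEXPECTED
            findings.append({
                "path": os.path.relpath(full, windir).replace(os.sep, "/"),
                "status": status,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(base: str) -> str:
    """Constructed stand-in for a slaved WINNT folder; all contents are made up."""
    windir = os.path.join(base, "WINNT")
    files = {
        "system32/csrss.exe": b"constructed: genuine csrss",
        "system32/smss.exe": b"constructed: genuine smss",
        "system32/dllcache/csrss.exe": b"constructed: genuine csrss",
        "csrss.exe": b"constructed: stray file carrying a system name",
        "$NtServicePackUninstall$/csrss.exe": b"constructed: pre-SP4 csrss",
        "ServicePackFiles/i386/csrss.exe": b"constructed: pre-SP4 csrss",
        "Temp/smss.exe": b"constructed: genuine smss",
    }
    for rel, content in files.items():
        full = os.path.join(windir, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return windir


def demo() -> List[Dict[str, str]]:
    """Build the constructed tree in a temp folder, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as base:
        return scan_windows_dir(build_sample_tree(base))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['status']}: {finding['path']}")
```

On the constructed tree the only file reported as an unexpected copy is the csrss.exe sitting directly in WINNT, which is the same conclusion amaul reached by eye; the three cache copies are listed as expected and the Temp\smss.exe duplicate is flagged separately, since a byte-identical copy of a system binary in an odd place is worth a look even though it is not a look-alike.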


----------



## amaul (Jun 7, 2000)

Could I also just copy a few files from my working C: to the afflicted E:?


----------

