# Screen freeze



## Gamajobert (Mar 7, 2009)

I thought I had solved this problem but it continues in 2 forms. A complete freeze at any time anywhere, or the cursor is live but cannot activate anything (this happens in games only). Below is my HJT - I have a LookInMyPC report but do not know how to copy it to this post.

Very frustrated - any help welcome. I have plenty of spare capacity on HD and run live McAfee (full) and Superanti (full), +Tune Up.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:58 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {631ac2d4-57b3-42b0-a148-da33b462c1a3} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {631ac2d4-57b3-42b0-a148-da33b462c1a3} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games - Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab98974.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
--
End of file - 8454 bytes


----------



## Gamajobert (Mar 7, 2009)

I am now sure that a hacker has got in through my Hearts (MSN Zone) game - for last 2 days have not been able to load the game - the first screen comes up but then a message saying internet not connected. All other internet access is OK - emails, Bubbles, Forum, PhysOrg etc.

I assume the freezes were just the original effects and now the final blow.

Have uninstalled and reinstalled both Hearts and Google toolbar to no effect. McAfee and SuperAnti nothing. CCleaner nothing. Did System Restore to before 2 days ago - nothing. Tried Mbam on desktop icon - nothing - obviously cannot use Mbam on Game itself as there is no file reference (that I can find).

I am largely retired (and partially disabled) and Hearts is a nice diversion for me. Any suggestions welcome.


----------



## Gamajobert (Mar 7, 2009)

Update - spent the day trying different things - installed, ran then uninstalled Norton, added McAfee Stinger and ran it, added SpyWareBlaster and updated system, ran McAfee and SuperAnti and TuneUp again, used CCleaner - all without result. Can't even Google MSN Zone Hearts (which I uninstalled and tried to reinstall) - always says that Internet disconnected although all other Internet functions working perfectly. I know you guys are very busy, so happy to take my turn - but if this is a new form of focussed Trojan/worm it could be very dangerous for everyone - not just the gamers.


----------



## Gamajobert (Mar 7, 2009)

Just got Hearts to DL using MSN search. Saved the first page to favourites then desktop. Wouldn't go past first page but when I looked at properties on the desktop shortcut found:

fault.htm?intgid=gb_AllCardBoard+List_22_hrtz

Don't know if this is important.


----------



## Gamajobert (Mar 7, 2009)

Update - ran Mbam 3 more times - nothing. DL Avast - SUCCESS - Hearts back (although scan did not report anything). So far today no screen freeze - will keep you advised.


----------



## Gamajobert (Mar 7, 2009)

Another screen freeze - see new HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:44 PM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VMSnap3.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {631ac2d4-57b3-42b0-a148-da33b462c1a3} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {631ac2d4-57b3-42b0-a148-da33b462c1a3} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games - Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab98974.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
--
End of file - 8857 bytes


----------



## Gamajobert (Mar 7, 2009)

I know you guys are extremely busy but 10 days without any reply! I'm still getting freezes - so help would be much appreciated.


----------



## Gamajobert (Mar 7, 2009)

Still no help?


----------



## Cookiegal (Aug 27, 2003)

Please visit *ComboFix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## Gamajobert (Mar 7, 2009)

Great - see ComboFix log - will post HJT next. Incidentally had to log in twice using Firefox.

ComboFix 09-04-03.01 - John Henderson 2009-04-04 21:33:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.143 [GMT 4:00]
Running from: c:\program files\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.
/wow section - STAGE 27
The system cannot find the path specified.
The system cannot find the path specified.

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.
2009-04-04 21:27 . 2006-03-02 23:42 73,728 --a------ C:\pv.exe
2009-04-04 21:26 . 2009-04-04 21:26 3,067,656 -ra------ c:\program files\Combo-Fix.exe
2009-04-04 14:07 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2009-04-03 23:36 . 2009-04-03 23:36 43,083,040 --a------ c:\program files\AdbeRdr910_en_US_Std.exe
2009-04-03 22:35 . 2009-04-03 22:35 d-------- c:\program files\Common Files\Adobe AIR
2009-04-02 19:14 . 2009-04-02 19:14 d-------- c:\program files\JRE
2009-04-01 11:30 . 2009-04-01 11:30 773,640 --a------ c:\program files\dfsetup108.exe
2009-04-01 08:40 . 2009-04-01 08:40 7,518,920 --a------ c:\program files\Firefox Setup 3.0.8.exe
2009-03-27 09:29 . 2009-03-27 09:29 3,190,688 --a------ c:\program files\ccsetup218.exe
2009-03-24 22:34 . 2009-03-24 22:34 d-------- c:\program files\Trend Micro
2009-03-24 22:33 . 2009-03-24 22:33 812,344 --a------ c:\program files\HJTInstall.exe
2009-03-22 20:41 . 2009-03-22 20:41 2,639,879 --a------ c:\program files\stinger10000482.exe
2009-03-22 20:38 . 2009-03-22 20:38 49,152 --a------ c:\program files\RRT.exe
2009-03-22 20:35 . 2009-03-22 20:35 104,170,056 --a------ c:\program files\sdat5560.exe
2009-03-22 20:12 . 2009-03-23 00:05 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-22 20:11 . 2009-03-23 00:05 d-------- c:\program files\SpywareBlaster
2009-03-22 20:11 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX
2009-03-22 20:11 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2009-03-22 20:10 . 2009-03-22 20:10 2,869,536 --a------ c:\program files\spywareblastersetup41.exe
2009-03-22 17:01 . 2009-03-22 18:55 d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-22 17:01 . 2009-03-22 18:55 d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-22 16:59 . 2009-03-22 16:59 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-22 10:27 . 2009-03-22 10:27 306,864 --a------ c:\program files\mvtapp.exe
2009-03-21 23:39 . 2009-04-02 20:55 d-------- c:\program files\OpenOffice.org 3.0 (en-US) Installation Files
2009-03-21 22:30 . 2009-04-02 19:14 d-------- c:\program files\OpenOffice.org 3
2009-03-21 22:29 . 2009-03-21 22:29 d-------- c:\program files\readmes
2009-03-21 22:29 . 2009-03-21 22:29 d-------- c:\program files\licenses
2009-03-21 20:22 . 2009-03-21 20:22 d-------- c:\program files\Common Files\Java
2009-03-21 20:21 . 2009-04-02 18:31 149,353,184 --a------ c:\program files\OOo_3.0.1_Win32Intel_install_wJRE_en-US.exe
2009-03-21 18:14 . 2009-03-22 10:41 d-------- c:\program files\FreshDevices
2009-03-21 18:13 . 2009-03-21 18:13 d-------- c:\program files\Google
2009-03-21 17:02 . 2009-03-21 18:13 d-------- c:\program files\Google(2)
2009-03-21 17:02 . 2009-03-21 18:13 d-------- c:\documents and settings\All Users\Application Data\Google(2)
2009-03-20 09:01 . 2009-03-20 09:01 d-------- c:\documents and settings\John Henderson\Application Data\KC Softwares
2009-03-19 21:58 . 2009-03-19 21:58 d-------- C:\ATI
2009-03-15 19:42 . 2009-03-15 19:42 23,596,328 --------- c:\program files\SkypeSetupFull.exe
2009-03-15 01:24 . 2009-03-15 01:24 d-------- c:\documents and settings\John Henderson\Application Data\TuneUp Software
2009-03-15 01:24 . 2009-03-15 01:24 603,904 --------- c:\windows\system32\TUProgSt.exe
2009-03-15 01:24 . 2009-03-15 01:24 360,192 --------- c:\windows\system32\TuneUpDefragService.exe
2009-03-15 01:24 . 2008-12-11 13:31 27,904 --------- c:\windows\system32\uxtuneup.dll
2009-03-15 01:23 . 2009-03-16 14:05 d-------- c:\program files\TuneUp Utilities 2009
2009-03-15 01:23 . 2009-03-15 01:23 d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-15 01:22 . 2009-03-15 01:22 d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-15 01:21 . 2009-03-15 01:22 17,242,368 --------- c:\program files\TU2009TrialEN-US.exe
2009-03-13 01:24 . 2009-03-13 01:25 d-------- c:\program files\LookInMyPC
2009-03-13 01:21 . 2009-03-13 01:23 1,250,952 --------- c:\program files\setupLMPC.exe
2009-03-12 23:37 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-12 23:31 . 2009-03-12 23:31 d-------- c:\program files\Windows Installer Clean Up
2009-03-12 23:29 . 2009-03-12 23:29 359,656 --------- c:\program files\msicuu2.exe
2009-03-12 23:27 . 2009-03-12 23:27 16,434,584 --------- c:\program files\jre-6u12-windows-i586-p-s.exe
2009-03-11 16:32 . 2009-03-11 16:33 d-------- c:\documents and settings\John Henderson\Application Data\FreshDiagnose
2009-03-11 16:17 . 2009-03-11 16:19 d-------- c:\program files\Double Driver
2009-03-11 16:17 . 2009-03-11 16:17 1,879,377 --------- c:\program files\dd210.zip
2009-03-11 16:17 . 2000-05-22 16:58 608,448 --------- c:\windows\system32\COMCTL32.OCX
2009-03-11 16:17 . 2008-12-01 07:00 517,120 --------- c:\windows\system32\7-ZIP32.DLL
2009-03-11 15:29 . 2009-03-11 15:29 1,998,828 --------- c:\program files\diagnose.exe
2009-03-11 15:00 . 2009-03-11 15:00 d-------- c:\program files\Adobe Media Player
2009-03-11 14:22 . 2009-03-11 14:22 d-------- c:\program files\Secunia
2009-03-11 14:21 . 2009-03-11 14:21 543,704 --------- c:\program files\PSISetup.exe
2009-03-11 14:12 . 2009-03-11 14:12 1,878,888 --------- c:\program files\install_flash_player.exe
2009-03-09 13:10 . 2009-03-09 18:09 d-------- c:\program files\K-Lite Codec Pack
2009-03-07 13:20 . 2009-03-07 13:20 d-------- c:\windows\Logs
2009-03-07 13:20 . 2009-04-04 13:58 301,384 --a------ c:\program files\dxwebsetup.exe
2009-03-07 12:46 . 2009-03-07 12:46 d-------- c:\documents and settings\John Henderson\Application Data\uniblue
2009-03-07 11:28 . 2009-03-27 09:34 d-------- c:\program files\SUPERAntiSpyware
2009-03-07 11:27 . 2009-03-07 11:27 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-07 11:26 . 2009-03-07 11:26 6,018,080 --------- c:\program files\SUPERAntiSpywarePro.exe
2009-03-06 13:48 . 2009-03-18 13:35 754 --a------ c:\windows\WORDPAD.INI
2009-03-04 13:15 . 2008-04-14 04:12 116,224 -----c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-04 13:15 . 2001-08-17 22:37 99,865 -----c--- c:\windows\system32\dllcache\xlog.exe
2009-03-04 13:15 . 2001-08-17 22:37 27,648 -----c--- c:\windows\system32\dllcache\xrxftplt.exe
2009-03-04 13:15 . 2001-08-17 22:36 23,040 -----c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-04 13:15 . 2004-08-03 22:29 19,455 -----c--- c:\windows\system32\dllcache\wvchntxx.sys
2009-03-04 13:15 . 2008-04-14 04:12 18,944 -----c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-03-04 13:15 . 2001-08-17 12:11 16,970 -----c--- c:\windows\system32\dllcache\xem336n5.sys
2009-03-04 13:15 . 2004-08-03 22:29 12,063 -----c--- c:\windows\system32\dllcache\wsiintxx.sys
2009-03-04 13:15 . 2001-08-17 22:37 4,608 -----c--- c:\windows\system32\dllcache\xrxflnch.exe
2009-03-04 13:13 . 2001-08-17 13:28 765,884 -----c--- c:\windows\system32\dllcache\usrti.sys
2009-03-04 13:12 . 2001-08-17 13:28 794,654 -----c--- c:\windows\system32\dllcache\usr1801.sys
2009-03-04 13:11 . 2001-08-17 22:36 525,568 -----c--- c:\windows\system32\dllcache\tridxp.dll
2009-03-04 13:10 . 2001-08-17 14:56 172,768 -----c--- c:\windows\system32\dllcache\t2r4disp.dll
2009-03-04 13:09 . 2001-08-17 12:18 285,760 -----c--- c:\windows\system32\dllcache\stlnata.sys
2009-03-04 13:08 . 2001-08-17 14:56 147,200 -----c--- c:\windows\system32\dllcache\smidispb.dll
2009-03-04 13:07 . 2001-08-17 14:56 252,032 -----c--- c:\windows\system32\dllcache\sis300iv.dll
2009-03-04 13:06 . 2001-08-17 22:36 386,560 -----c--- c:\windows\system32\dllcache\sgiul50.dll
2009-03-04 13:05 . 2001-08-17 22:36 495,616 -----c--- c:\windows\system32\dllcache\sblfx.dll
2009-03-04 13:04 . 2001-08-17 13:28 899,146 -----c--- c:\windows\system32\dllcache\r2mdkxga.sys
2009-03-04 13:03 . 2008-04-14 04:12 363,520 -----c--- c:\windows\system32\dllcache\psisdecd.dll
2009-03-04 13:02 . 2008-04-14 04:10 259,328 -----c--- c:\windows\system32\dllcache\perm3dd.dll
2009-03-04 13:01 . 2001-08-17 14:05 351,616 -----c--- c:\windows\system32\dllcache\ovcodek2.sys
2009-03-04 13:00 . 2004-08-03 22:31 132,695 -----c--- c:\windows\system32\dllcache\netwlan5.sys
2009-03-04 12:59 . 2001-08-17 12:50 103,296 -----c--- c:\windows\system32\dllcache\mtxvideo.sys
2009-03-04 12:58 . 2001-08-17 13:28 802,683 -----c--- c:\windows\system32\dllcache\ltsm.sys
2009-03-04 12:57 . 2008-04-14 04:11 253,952 -----c--- c:\windows\system32\dllcache\kdsusd.dll
2009-03-04 12:56 . 2008-04-14 04:12 151,552 -----c--- c:\windows\system32\dllcache\irftp.exe
2009-03-04 12:55 . 2008-04-14 04:11 702,845 -----c--- c:\windows\system32\dllcache\i81xdnt5.dll
2009-03-04 12:54 . 2001-08-17 13:28 542,879 -----c--- c:\windows\system32\dllcache\hsf_msft.sys
2009-03-04 12:53 . 2001-08-17 14:56 1,733,120 -----c--- c:\windows\system32\dllcache\g400d.dll
2009-03-04 12:52 . 2001-08-17 12:15 455,680 -----c--- c:\windows\system32\dllcache\fus2base.sys
2009-03-04 12:51 . 2001-08-17 13:28 634,134 -----c--- c:\windows\system32\dllcache\el656ct5.sys
2009-03-04 12:50 . 2001-08-17 12:14 952,007 -----c--- c:\windows\system32\dllcache\diwan.sys
2009-03-04 12:49 . 2001-08-17 22:36 256,512 -----c--- c:\windows\system32\dllcache\devcon32.dll
2009-03-04 12:48 . 2001-08-17 12:13 980,034 -----c--- c:\windows\system32\dllcache\cicap.sys
2009-03-04 12:47 . 2001-08-17 13:28 871,388 -----c--- c:\windows\system32\dllcache\bcmdm.sys
2009-03-04 12:46 . 2001-08-17 12:19 747,392 -----c--- c:\windows\system32\dllcache\adm8830.sys
2009-03-04 12:45 . 2001-08-17 13:28 762,780 -----c--- c:\windows\system32\dllcache\3cwmcru.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 04:30 --------- d-----w c:\program files\NOS
2009-04-04 04:30 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-31 17:50 --------- d-----w c:\program files\Java
2009-03-30 06:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-29 19:47 --------- d-----w c:\documents and settings\John Henderson\Application Data\Skype
2009-03-29 19:11 --------- d-----w c:\documents and settings\John Henderson\Application Data\skypePM
2009-03-27 16:30 --------- d-----w c:\program files\Yahoo!
2009-03-27 06:24 --------- d-----w c:\program files\Alwil Software
2009-03-26 12:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 12:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-22 16:57 17 ----a-w c:\program files\stinger10000482.opt
2009-03-22 16:36 1,117 ----a-w c:\program files\SuperDAT.log
2009-03-22 13:42 --------- d-----w c:\program files\SpeedFan
2009-03-21 19:14 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-21 14:14 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 17:59 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-19 17:39 --------- d-----w c:\program files\Common Files\Adobe
2009-03-17 13:05 --------- d-----w c:\program files\Windows Desktop Search
2009-03-16 10:18 69,448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 10:18 517,448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 10:18 235,352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 10:18 22,360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-12 19:29 --------- d-----w c:\program files\MSECache
2009-03-09 11:27 453,456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 11:27 4,178,264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-09 11:27 1,846,632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 09:07 --------- d-----w c:\program files\Bonjour
2009-03-09 01:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 09:38 1,259 ------w c:\program files\1236418694048-integrated.jnlp
2009-03-07 07:28 --------- d-----w c:\documents and settings\John Henderson\Application Data\SUPERAntiSpyware.com
2009-03-04 17:57 --------- d-----w c:\program files\Common Files\Apple
2009-03-03 07:02 --------- d-----w c:\documents and settings\John Henderson\Application Data\Apple Computer
2009-03-03 05:24 --------- d-----w c:\program files\Safari
2009-03-01 20:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-01 20:07 --------- d-----w c:\program files\Apple Software Update
2009-03-01 20:06 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-03-01 17:15 --------- d-----w c:\documents and settings\John Henderson\Application Data\Yahoo!
2009-02-28 18:38 301,976 ------w c:\program files\rootsupd.exe
2009-02-26 06:09 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-25 19:04 1,259 ------w c:\program files\1235588622657-integrated.jnlp
2009-02-25 07:51 3,277,532 ------w c:\program files\SASDEFINITIONS.EXE
2009-02-22 17:50 --------- d-----w c:\program files\Common Files\Skype
2009-02-22 17:50 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-22 17:50 --------- d-----r c:\program files\Skype
2009-02-14 18:24 4,865,408 ------w c:\program files\Silverlight.2.0.exe
2009-02-11 10:35 1,193,472 ------w c:\program files\cp_ga.exe
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 06:00 --------- d-----w c:\program files\MSXML 4.0
2009-02-08 17:23 --------- d-----w c:\documents and settings\All Users\Application Data\Seagate
2009-02-07 22:08 --------- d-----w c:\program files\Defraggler
2009-02-07 20:01 --------- d-----w c:\documents and settings\John Henderson\Application Data\TeamViewer
2009-02-07 13:18 389,632 ------w c:\program files\MOSDAL.msi
2009-02-06 19:33 --------- d-----w c:\program files\Common Files\Windows Live
2009-02-06 19:29 1,144,136 ------w c:\program files\wlsetup-custom.exe
2009-02-06 10:19 --------- d-----w c:\program files\MSBuild
2009-02-06 10:18 --------- d-----w c:\program files\Reference Assemblies
2009-02-06 09:11 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-01 19:30 201,384 ------w c:\program files\GoogleToolbarInstaller_download_signed.exe
2009-01-28 19:31 16,939,888 ------w c:\program files\IE8-WindowsXP-x86-ENU.exe
2009-01-28 19:11 3,347,616 ------w c:\program files\radio-amp-mp3-player.exe
2009-01-28 13:59 1,839,856 ------w c:\program files\installspeedfan437.exe
2009-01-21 16:14 336 ----a-w c:\program files\setup.ini
2009-01-14 22:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-14 22:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-14 22:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-14 22:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-14 22:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-14 22:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-14 22:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-14 22:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-14 22:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-14 21:50 156,160 ----a-w c:\windows\system32\msls31.dll
2009-01-13 19:46 61,224 ------w c:\documents and settings\John Henderson\GoToAssistDownloadHelper.exe
2009-01-08 18:35 1,226,248 ------w c:\program files\DMSetup.exe
2009-01-04 15:25 8,071,280 ------w c:\program files\visioviewer.exe
2009-01-04 13:56 615,355 ------w c:\program files\NetMeter_v113.exe
2002-03-11 09:06 1,822,520 ----a-w c:\program files\instmsiw.exe
2002-03-11 08:45 1,708,856 ----a-w c:\program files\instmsia.exe
2000-10-13 20:44 5,301 ----a-w c:\program files\readme.htm
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"VMSnap3"="c:\windows\VMSnap3.EXE" [2007-01-20 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^John Henderson^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\John Henderson\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-03-27 09:34 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--------- 2009-02-01 23:31 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Google Update"="c:\documents and settings\John Henderson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"Domino"=c:\windows\Domino.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee.com\\Shared\\mcappins.exe"=
"c:\\Documents and Settings\\John Henderson\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\NetMeter_v113.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-01-04 11264]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-08 206096]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-03-15 603904]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2009-02-22 428160]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\Seagate\Sync\SeaSyncServices.exe" --> c:\program files\Seagate\Sync\SeaSyncServices.exe [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]
2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-602162358-1801674531-1003.job
- c:\documents and settings\John Henderson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-24 10:46]
2009-03-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2009-03-31 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{631ac2d4-57b3-42b0-a148-da33b462c1a3} - (no file)
Toolbar-{631ac2d4-57b3-42b0-a148-da33b462c1a3} - (no file)
WebBrowser-{631AC2D4-57B3-42B0-A148-DA33B462C1A3} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\John Henderson\Application Data\Mozilla\Firefox\Profiles\hgudxix0.default\
FF - component: c:\documents and settings\John Henderson\Application Data\Mozilla\Firefox\Profiles\hgudxix0.default\extensions\[email protected]\components\coolirisstub.dll
FF - plugin: c:\documents and settings\John Henderson\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 21:34:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-117609710-602162358-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\John Henderson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-04 21:36:02
ComboFix-quarantined-files.txt 2009-04-04 17:36:00
Pre-Run: 64,668,524,544 bytes free
Post-Run: 64,656,343,040 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
327 --- E O F --- 2009-02-26 05:07:17


----------



## Gamajobert (Mar 7, 2009)

See HJT below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:59 PM, on 4/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\VMSnap3.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games - Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
--
End of file - 8040 bytes


----------



## Cookiegal (Aug 27, 2003)

The only problem I see is that you're running both McAfee and Avast. You shouldn't have two anti-virus programs installed as they will conflict and cause problems.

Please uninstall one of them via the Control Panel - Add or Remove Programs.

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## Gamajobert (Mar 7, 2009)

I don't have Avast - maybe there is a remnant from my earlier postings but screen freezes started before that. Will try to get rid of remnant but it is not the problem.


----------



## Gamajobert (Mar 7, 2009)

Opened HJT but there is no "Config".


----------



## Gamajobert (Mar 7, 2009)

Although nothing in Programs - Search found a folder Avast4, which I have now deleted and emptied Rubbish. Interesting, I used Search before to delete Avast remnants. Let's see what happens. Thanks for your help.


----------



## Gamajobert (Mar 7, 2009)

Just to be sure I rebooted and did another Search for Avast and Avtil - nothing found.


----------



## Cookiegal (Aug 27, 2003)

In HijackThis, you must be opening it from the main menu. In that case, click on Open miscellaneous tools.

Please post a new regular HijackThis log as well as there were some Avast services running.
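
An added example, not part of any post in this thread and not HijackThis's own code: the Python below parses O23 service lines in the format shown in the logs above and reports registrations whose binary is flagged "(file missing)", which is how the leftover Avast services appear beside the live McAfee install. The vendor keyword list and all function names are assumptions made for this example.

```python
import re

# Excerpt of O23 (service) lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
"""

# Line shape as seen in the logs: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$",
    re.MULTILINE,
)

# Assumption: substrings used to recognise anti-virus vendors; extend for other products.
AV_KEYWORDS = ("avast", "mcafee")


def parse_o23(log_text):
    """Return one dict per O23 line; all other HijackThis sections are ignored."""
    services = []
    for m in O23_RE.finditer(log_text):
        display = m.group("name")
        short = None
        # Some entries carry the short service name in trailing parentheses.
        tail = re.search(r" \(([^()]+)\)$", display)
        if tail:
            short = tail.group(1)
            display = display[: tail.start()]
        services.append({
            "display_name": display,
            "service_name": short,
            "owner": m.group("owner"),
            "path": m.group("path"),
            "file_missing": m.group("missing") is not None,
        })
    return services


def orphaned(services):
    """Services still registered although HijackThis could not find the binary."""
    return [s for s in services if s["file_missing"]]


def av_vendor_status(services):
    """Map each recognised AV vendor to 'live' (a binary exists) or 'remnant'."""
    status = {}
    for s in services:
        haystack = (s["display_name"] + " " + s["path"]).lower()
        for vendor in AV_KEYWORDS:
            if vendor in haystack:
                if not s["file_missing"]:
                    status[vendor] = "live"
                else:
                    status.setdefault(vendor, "remnant")
    return status


if __name__ == "__main__":
    parsed = parse_o23(SAMPLE_LOG)
    for svc in orphaned(parsed):
        print("orphaned service:", svc["display_name"], "->", svc["path"])
    for vendor, state in sorted(av_vendor_status(parsed).items()):
        print(vendor, "is", state)
```

A vendor reported as a remnant has no binary on disk but is still registered as a service, so removing the program folder alone does not clear it from the log.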


----------



## Gamajobert (Mar 7, 2009)

I see there are three double entries for Adobe Air, Media player 11 and Media Player Format 11 - could this have anything to do with it?

Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 9.1
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Bonjour
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
Defraggler (remove only)
Double Driver
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Java(TM) 6 Update 13
Java(TM) 6 Update 7
LookInMyPC
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Visio Viewer 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
MOSDAL
Mozilla Firefox (3.0.8)
MSN
MSXML 4.0 SP2 (KB954430)
NetMeter 1.1.3
OpenOffice.org 3.0
Realtek AC'97 Audio
Safari
Secunia PSI
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Skype™ 4.0
SpeedFan (remove only)
SpywareBlaster 4.1
SUPERAntiSpyware Professional
TuneUp Utilities 2009
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VIA Platform Device Manager
VIA Rhine-Family Fast Ethernet Adapter
Windows Installer Clean Up
Windows Internet Explorer 8 Release Candidate 1
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3


----------



## Gamajobert (Mar 7, 2009)

REGULAR SCAN - DAMN STILL SHOWING AVAST

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:50 AM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VMSnap3.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games - Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
--
End of file - 8118 bytes


----------



## Gamajobert (Mar 7, 2009)

Did Search again - no Avast, Looked at cookies in CCleaner ditto. In Program Files I found an empty folder Alwil, which I have deleted.


----------



## Gamajobert (Mar 7, 2009)

Just had a thought after reading the posts on "Can I have IE8 as well as IE6/7". During scanning I often see reference to IE5 - could this be the source of the problem?


----------



## Cookiegal (Aug 27, 2003)

No, the IE5 reference would likely be Content.IE5 which is part of your temporary files.

Are those entries also listed twice in your Control Panel under Add or Remove Programs?

Use this Avast removal tool please and then reboot and post a new HijackThis log.

http://www.avast.com/eng/avast-uninstall-utility.html


----------



## Gamajobert (Mar 7, 2009)

No duplications in Add/Remove although I see that there is Java Update 6 and Java Update 11 - can I delete 6?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:00 AM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VMSnap3.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games - Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
--
End of file - 7603 bytes


----------
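Comparing the O23 entries of the two HijackThis logs above shows what the Avast removal tool changed: a service marked "(file missing)" is a registration whose executable is no longer on disk. The following Python is an added example, not part of any post or of HijackThis; the function names are hypothetical and the sample lines are copied from the two logs in this thread.

```python
import re
from collections import namedtuple

Service = namedtuple("Service", "name owner path missing")

PREFIX = "O23 - Service: "
MISSING = " (file missing)"
# The image path is the last field and starts with a drive letter.
PATH_RE = re.compile(r" - ([A-Za-z]:\\.*)$")


def parse_o23(line):
    """Parse one HijackThis O23 line; return None for any other line."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    body = line[len(PREFIX):]
    missing = body.endswith(MISSING)
    if missing:
        body = body[:-len(MISSING)]
    m = PATH_RE.search(body)
    if not m:
        return None
    # What precedes the path is "<display name> - <owner>".
    name, sep, owner = body[:m.start()].rpartition(" - ")
    if not sep:
        return None
    return Service(name, owner, m.group(1), missing)


def services(log_text):
    """Map display name -> Service for every O23 line in a log."""
    found = {}
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc:
            found[svc.name] = svc
    return found


def compare_orphans(before_log, after_log):
    """Report what happened to the orphaned services between two logs."""
    before, after = services(before_log), services(after_log)
    orphaned = {n for n, s in before.items() if s.missing}
    return {
        # registration removed entirely (what an uninstall utility should do)
        "cleared": sorted(n for n in orphaned if n not in after),
        # registration kept and the file is back
        "repaired": sorted(n for n in orphaned
                           if n in after and not after[n].missing),
        # still registered (or newly registered) with no file on disk
        "remaining": sorted(n for n, s in after.items() if s.missing),
    }


# Sample lines copied from the log dated 3/20/2009 in this thread.
BEFORE = r"""
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
"""

# Sample lines copied from the log dated 4/6/2009 in this thread.
AFTER = r"""
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
"""

if __name__ == "__main__":
    for state, names in compare_orphans(BEFORE, AFTER).items():
        print(state, names)
```
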



## Gamajobert (Mar 7, 2009)

Forgot to mention - now logging in first time with IE


----------



## Gamajobert (Mar 7, 2009)

No freezes today so far (fingers crossed)


----------



## Cookiegal (Aug 27, 2003)

It's possible your freezes were due to Avast still being on the machine.

Yes, you should uninstall this older version of Java:

*Java(TM) 6 Update 7*

Are you able to update and run Malwarebytes' Anti-Malware? If so, please do that and post the results of the scan.


----------



## Gamajobert (Mar 7, 2009)

Would you believe it - screen freeze during Mbam scan, and again at Welcome screen on reboot. Have removed the old Java update (actually I did this before the first Mbam - any connection?)

Partition E below is my external HD.

Malwarebytes' Anti-Malware 1.36
Database version: 1946
Windows 5.1.2600 Service Pack 3
4/7/2009 10:08:17 AM
mbam-log-2009-04-07 (10-08-17).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 125909
Time elapsed: 37 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## Gamajobert (Mar 7, 2009)

Just ran TuneUp and found a lot of problems, which weren't there last week. I have copied the details to Clipboard but don't know how to open it to copy to you. I haven't fixed the problems.


----------



## Gamajobert (Mar 7, 2009)

More freezes - as there were none yesterday there seems to be a link with removing the Java Update. If I do System Restore - will it bring it back and then we will see if freezes continue? Also again having log-in problems.


----------



## Gamajobert (Mar 7, 2009)

Found how to open clipboard - nothing on it - assumed reboot after screen freeze automatically deleted any data stored. Ran TuneUp again - surprise - this morning there were a total of 28 problems. Now there are 76. Tried to send to clipboard but again nothing on it when I checked after sending the first one - can't copy and paste so have just fixed the problems.


----------



## Cookiegal (Aug 27, 2003)

Removing an older Java would not be the source of the problem and doing a system restore will not restore programs.

I wouldn't be surprised if TuneUp is though. It may be fixing things that are needed. It's hard to say. I don't see the need for such programs if your machine is maintained properly.

Where do we stand now? Are you still getting freezes? If so, what are you doing when it happens?

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------
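The text that Event Viewer's copy button produces, as requested in the post above, has a fixed layout, so a long paste can be grouped by source and event ID to see which component keeps failing. The following Python is an added example, not part of any post; the function names are hypothetical, and the sample events are constructed in that layout using service and driver names that appear in this thread, with a placeholder computer name.

```python
import re
from collections import Counter

HEADER_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$"
)


def parse_events(text):
    """Split pasted Event Viewer text into one dict per event."""
    events, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):
            cur = {"Description": []}
            events.append(cur)
            section = "header"
        if cur is None or not line:
            continue
        if section == "header":
            m = HEADER_RE.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
            elif line == "Description:":
                section = "description"
        elif section == "description":
            # The help link or a "Data:" hex dump ends the description.
            if line.startswith("For more information") or line == "Data:":
                section = "done"
            else:
                cur["Description"].append(line)
    return events


def summarise(events, types=("Error",)):
    """Count events of the given types per (source, event ID)."""
    return Counter(
        (e.get("Event Source"), e.get("Event ID"))
        for e in events if e.get("Event Type") in types
    )


def failed_components(events):
    """Name the services and drivers behind SCM events 7000, 7001 and 7026."""
    hits = Counter()
    for e in events:
        if e.get("Event Source") != "Service Control Manager":
            continue
        desc, eid = e["Description"], e.get("Event ID")
        if not desc:
            continue
        if eid == "7000":
            m = re.match(r"The (.+?) service failed to start", desc[0])
            if m:
                hits[m.group(1)] += 1
        elif eid == "7001":
            # Count the dependent service that could not start.
            m = re.match(r"The (.+?) service depends on the (.+?) service", desc[0])
            if m:
                hits[m.group(1)] += 1
        elif eid == "7026":
            # Driver names follow the "failed to load:" line, one per line.
            hits.update(desc[1:])
    return hits


def _event(etype, source, eid, date, time, description):
    # Helper that builds constructed sample events in the copy-button layout.
    return (
        f"Event Type: {etype}\nEvent Source: {source}\nEvent Category: None\n"
        f"Event ID: {eid}\nDate: {date}\nTime: {time}\nUser: N/A\n"
        f"Computer: EXAMPLE-PC\nDescription:\n{description}\n"
        "For more information, see Help and Support Center at "
        "http://go.microsoft.com/fwlink/events.asp.\n"
    )


SCM = "Service Control Manager"
NOT_FOUND = "\nThe system cannot find the file specified. "
SAMPLE = "\n".join([
    _event("Error", SCM, 7026, "4/6/2009", "10:11:33 AM",
           "The following boot-start or system-start driver(s) failed to load: "
           "\nAavmker4\naswSP\naswTdi"),
    _event("Warning", "Dhcp", 1007, "4/6/2009", "10:11:23 AM",
           "Your computer has automatically configured the IP address.")
    + "Data:\n0000: 00 00 00 00 ....\n",
    _event("Error", SCM, 7001, "4/6/2009", "10:11:22 AM",
           "The avast! Antivirus service depends on the avast! Standard Shield "
           "Support service which failed to start because of the following error: "
           + NOT_FOUND),
    _event("Error", SCM, 7000, "4/6/2009", "10:11:22 AM",
           "The avast! Standard Shield Support service failed to start due to "
           "the following error: " + NOT_FOUND),
    _event("Error", SCM, 7000, "4/6/2009", "10:11:22 AM",
           "The aswFsBlk service failed to start due to the following error: "
           + NOT_FOUND),
    _event("Error", SCM, 7000, "4/5/2009", "4:45:10 PM",
           "The aswFsBlk service failed to start due to the following error: "
           + NOT_FOUND),
])

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(summarise(evs).most_common())
    print(failed_components(evs).most_common())
```
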



## Gamajobert (Mar 7, 2009)

Firstly let me say how much I appreciate the time and effort you are putting into assisting me - I am most grateful.

No freezes since my last post. When they happen, all I can do is reboot as Ctrl/Alt/Del doesn't seem to do anything. Have uninstalled TuneUp - as you suggest, it probably does more harm than good. On maintenance, I scan with McAfee, SuperAnti and Mbam on successive days - use CCleaner about twice a week and similarly do defrag and Disc Cleanup.

Re below, I included Warnings even though you did not ask for this data. I don't know the significance of Warnings.

SYSTEM

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 4/6/2009
Time: 10:12:26 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 4/6/2009
Time: 10:11:33 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The following boot-start or system-start driver(s) failed to load: 
Aavmker4
aswSP
aswTdi
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 4/6/2009
Time: 10:11:23 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer has automatically configured the IP address for the Network Card with network address 0017317D07A1. The IP address being used is 169.254.179.251.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/6/2009
Time: 10:11:22 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! Antivirus service depends on the avast! Standard Shield Support service which failed to start because of the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/6/2009
Time: 10:11:22 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! Standard Shield Support service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/6/2009
Time: 10:11:22 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! iAVS4 Control Service service failed to start due to the following error: 
The system cannot find the path specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/6/2009
Time: 10:11:22 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The aswFsBlk service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/6/2009
Time: 10:11:17 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y...

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/6/2009
Time: 10:10:49 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/6/2009
Time: 10:10:41 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 4/5/2009
Time: 11:27:36 PM
User: JMHENDER-EAC4C7\John Henderson
Computer: JMHENDER-EAC4C7
Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 51
Date: 4/5/2009
Time: 9:12:57 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

THEN 6 more warnings with exactly the same error number

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 4/5/2009
Time: 4:45:30 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 4/5/2009
Time: 4:45:10 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The following boot-start or system-start driver(s) failed to load: 
Aavmker4
aswSP
aswTdi
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/5/2009
Time: 4:45:10 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! Antivirus service depends on the avast! Standard Shield Support service which failed to start because of the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 4:45:10 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! Standard Shield Support service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 4:45:10 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! iAVS4 Control Service service failed to start due to the following error: 
The system cannot find the path specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 4:45:10 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The aswFsBlk service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 4/5/2009
Time: 4:44:58 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer has automatically configured the IP address for the Network Card with network address 0017317D07A1. The IP address being used is 169.254.179.251.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/5/2009
Time: 4:44:52 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y...

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/5/2009
Time: 4:44:23 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/5/2009
Time: 4:44:15 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 4/5/2009
Time: 9:47:59 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The following boot-start or system-start driver(s) failed to load: 
Aavmker4
aswSP
aswTdi
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/5/2009
Time: 9:47:49 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! Antivirus service depends on the avast! Standard Shield Support service which failed to start because of the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 9:47:49 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! Standard Shield Support service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 9:47:49 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! iAVS4 Control Service service failed to start due to the following error: 
The system cannot find the path specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 9:47:49 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The aswFsBlk service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 4/5/2009
Time: 9:04:19 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 4/5/2009
Time: 9:03:56 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The following boot-start or system-start driver(s) failed to load: 
Aavmker4
aswSP
aswTdi
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 4/5/2009
Time: 9:03:46 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer has automatically configured the IP address for the Network Card with network address 0017317D07A1. The IP address being used is 169.254.179.251.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/5/2009
Time: 9:03:46 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! Antivirus service depends on the avast! Standard Shield Support service which failed to start because of the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 9:03:46 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! Standard Shield Support service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 9:03:46 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! iAVS4 Control Service service failed to start due to the following error: 
The system cannot find the path specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 9:03:46 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The aswFsBlk service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/5/2009
Time: 9:03:40 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y...

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/5/2009
Time: 9:03:11 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 4/5/2009
Time: 2:52:01 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The following boot-start or system-start driver(s) failed to load: 
Aavmker4
aswSP
aswTdi
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/5/2009
Time: 2:51:48 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! Antivirus service depends on the avast! Standard Shield Support service which failed to start because of the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 2:51:48 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! Standard Shield Support service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 2:51:48 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The avast! iAVS4 Control Service service failed to start due to the following error: 
The system cannot find the path specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/5/2009
Time: 2:51:48 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The aswFsBlk service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

APPLICATION

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 4/7/2009
Time: 12:00:47 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 4/7/2009
Time: 12:00:47 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Gamajobert (Mar 7, 2009)

Update - after uninstalling TuneUp, I ran Search to get rid of the bits - I couldn't delete one (in use) file so rebooted and ran Search again. This file again found: TuneUp.evt in System32/config - found it but it won't delete (being used by another...). I've no idea which app could be using it.

Looks like TuneUP is another Avast - surely they should post warnings about the difficulties in uninstalling these programs - or maybe Forum should warn against using them.


----------



## Gamajobert (Mar 7, 2009)

Update - no freezes for 2 days. BUT - there is a weirdo in my Hearts game who delights in downloading something that prevents access to Hearts. When you try to load it says "no Internet connection" - this is the second time it's happened and guess what removed it - Avast! At least I know who the weirdo is now - "Waldo one", and so can "do not match" him in future. 

Will go through the Avast rigmarole again and let you know what happens.


----------



## Gamajobert (Mar 7, 2009)

Aagh - 3 freezes in a row. The first during Avast "run", the second while I was looking for the Avast program in My Computer to run it again (couldn't find it before the freeze). The third at the Welcome stage following reboot. Finally got it to open but couldn't find the Avast or Adwil file so downloaded again and this time scanned - nothing found and I can't get into Hearts. Will scan again and report back.


----------



## Cookiegal (Aug 27, 2003)

Are you using an external drive and if so, is it your D drive?


----------



## Gamajobert (Mar 7, 2009)

Firstly update - ran Avast scan again - found Trojan in 2 files:

C:\System volume information\-restore{947C5229-1CEE-451B-A7D7-43BEF2CABD35}RP156\AO169870.EXE infected by Trojan-gen{other}

C:\WINDOWS\Domino.EXE is infected by Trojan-gen{other}

Deleted both but not sure if I did the right thing as the second is a WINDOWS file.

This guy should be reported to MSN urgently - his name is Wally one not Waldo as I said earlier. I still can't get into Hearts but perhaps after I uninstall AVAST and reboot - will advise.

My external drive is E not D


----------



## Cookiegal (Aug 27, 2003)

One is in system restore, which is not a threat unless you do a system restore and I always flush them out when we're finished.

The other is likely a false positive as it's related to your VIMICRO camera. It looks like a generic detection. You can restore that file and then let's check it out this way:

Go to the following link and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\WINDOWS\Domino.EXE*

What guy are you referring to?

What is your D drive then please? Is that your CD/DVD optical drive?


----------



## Gamajobert (Mar 7, 2009)

Let's take this slowly - the guy who infected my Hearts game needs to be reported to MSN - he is dangerous.

I have uninstalled and reinstalled Hearts after several screen freezes but now it is working again - confirming the Trojan is not a false positive.

My D drive is for CD.

I have downloaded virusscan but cannot copy/paste or type the file name in the box - tried twice.

Now very late here - will try again tomorrow (today) - good night.


----------



## Cookiegal (Aug 27, 2003)

You don't type the name in, you have to browse to the file on your computer and then upload it for analysis.


----------



## Cookiegal (Aug 27, 2003)

I'm getting confused here. You've been talking about scanning with Avast again but you removed Avast didn't you? 

ComboFix didn't seem to run correctly the first time. Are you sure you disabled all security programs when running it? Let's give it another try but first, please drag it to the recycle bin and grab a newer version.

Please visit *Combofix Guide & Instructions* for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.


----------



## Gamajobert (Mar 7, 2009)

This reply after 3 freezes.

Can't open DOMINO.exe as it was deleted when Avast found the Trojan in it. I reloaded Avast because it cured the Hearts problem last time. Now uninstalled it again using the UninstalAvast program - still left remnants that Search found.

Now installing Combo and will revert after the scan.


----------



## Gamajobert (Mar 7, 2009)

Log too big for one post - first half:

ComboFix 09-04-04.01 - John Henderson 2009-04-10 9:58:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.219 [GMT 4:00]
Running from: c:\documents and settings\John Henderson\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.
2009-04-09 23:38 . 2009-04-09 23:41 230,776 --a------ c:\program files\aswclear.exe
2009-04-09 21:00 . 2009-04-09 23:48 d-------- c:\program files\Alwil Software
2009-04-09 13:56 . 2009-04-09 13:56 d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-04-09 09:29 . 2009-04-09 09:30 d--h-c--- c:\windows\ie8
2009-04-07 17:58 . 2009-04-07 17:58 d-------- c:\documents and settings\John Henderson\Application Data\JAM Software
2009-04-07 17:57 . 2009-04-07 17:57 d-------- c:\program files\TreeSizeFree_9x
2009-04-07 17:57 . 2009-04-07 17:57 739,972 --a------ c:\program files\TreeSizeFree_9x.zip
2009-04-07 09:00 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-04-04 14:07 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2009-04-03 23:36 . 2009-04-03 23:36 43,083,040 --a------ c:\program files\AdbeRdr910_en_US_Std.exe
2009-04-03 22:35 . 2009-04-03 22:35 d-------- c:\program files\Common Files\Adobe AIR
2009-04-02 19:14 . 2009-04-02 19:14 d-------- c:\program files\JRE
2009-04-01 11:30 . 2009-04-01 11:30 773,640 --a------ c:\program files\dfsetup108.exe
2009-04-01 08:40 . 2009-04-01 08:40 7,518,920 --a------ c:\program files\Firefox Setup 3.0.8.exe
2009-03-27 09:29 . 2009-03-27 09:29 3,190,688 --a------ c:\program files\ccsetup218.exe
2009-03-24 22:34 . 2009-03-24 22:34 d-------- c:\program files\Trend Micro
2009-03-24 22:33 . 2009-03-24 22:33 812,344 --a------ c:\program files\HJTInstall.exe
2009-03-22 20:41 . 2009-03-22 20:41 2,639,879 --a------ c:\program files\stinger10000482.exe
2009-03-22 20:38 . 2009-03-22 20:38 49,152 --a------ c:\program files\RRT.exe
2009-03-22 20:35 . 2009-03-22 20:35 104,170,056 --a------ c:\program files\sdat5560.exe
2009-03-22 20:12 . 2009-03-23 00:05 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-22 20:11 . 2009-03-23 00:05 d-------- c:\program files\SpywareBlaster
2009-03-22 20:11 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX
2009-03-22 20:11 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2009-03-22 20:10 . 2009-03-22 20:10 2,869,536 --a------ c:\program files\spywareblastersetup41.exe
2009-03-22 17:01 . 2009-03-22 18:55 d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-22 17:01 . 2009-03-22 18:55 d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-22 16:59 . 2009-03-22 16:59 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-22 10:27 . 2009-03-22 10:27 306,864 --a------ c:\program files\mvtapp.exe
2009-03-21 23:39 . 2009-04-02 20:55 d-------- c:\program files\OpenOffice.org 3.0 (en-US) Installation Files
2009-03-21 22:30 . 2009-04-02 19:14 d-------- c:\program files\OpenOffice.org 3
2009-03-21 22:29 . 2009-03-21 22:29 d-------- c:\program files\readmes
2009-03-21 22:29 . 2009-03-21 22:29 d-------- c:\program files\licenses
2009-03-21 20:21 . 2009-04-02 18:31 149,353,184 --a------ c:\program files\OOo_3.0.1_Win32Intel_install_wJRE_en-US.exe
2009-03-21 18:14 . 2009-03-22 10:41 d-------- c:\program files\FreshDevices
2009-03-21 18:13 . 2009-03-21 18:13 d-------- c:\program files\Google
2009-03-21 17:02 . 2009-03-21 18:13 d-------- c:\program files\Google(2)
2009-03-21 17:02 . 2009-03-21 18:13 d-------- c:\documents and settings\All Users\Application Data\Google(2)
2009-03-20 09:01 . 2009-03-20 09:01 d-------- c:\documents and settings\John Henderson\Application Data\KC Softwares
2009-03-19 21:58 . 2009-03-19 21:58 d-------- C:\ATI
2009-03-15 19:42 . 2009-03-15 19:42 23,596,328 --------- c:\program files\SkypeSetupFull.exe
2009-03-15 01:24 . 2009-03-15 01:24 d-------- c:\documents and settings\John Henderson\Application Data\TuneUp Software
2009-03-15 01:23 . 2009-03-15 01:23 d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-15 01:22 . 2009-03-15 01:22 d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-13 01:24 . 2009-03-13 01:25 d-------- c:\program files\LookInMyPC
2009-03-13 01:21 . 2009-03-13 01:23 1,250,952 --------- c:\program files\setupLMPC.exe
2009-03-12 23:31 . 2009-03-12 23:31 d-------- c:\program files\Windows Installer Clean Up
2009-03-12 23:29 . 2009-03-12 23:29 359,656 --------- c:\program files\msicuu2.exe
2009-03-12 23:27 . 2009-03-12 23:27 16,434,584 --------- c:\program files\jre-6u12-windows-i586-p-s.exe
2009-03-11 16:32 . 2009-03-11 16:33 d-------- c:\documents and settings\John Henderson\Application Data\FreshDiagnose
2009-03-11 16:17 . 2009-03-11 16:19 d-------- c:\program files\Double Driver
2009-03-11 16:17 . 2009-03-11 16:17 1,879,377 --------- c:\program files\dd210.zip
2009-03-11 16:17 . 2000-05-22 16:58 608,448 --------- c:\windows\system32\COMCTL32.OCX
2009-03-11 16:17 . 2008-12-01 07:00 517,120 --------- c:\windows\system32\7-ZIP32.DLL
2009-03-11 15:29 . 2009-03-11 15:29 1,998,828 --------- c:\program files\diagnose.exe
2009-03-11 15:00 . 2009-03-11 15:00 d-------- c:\program files\Adobe Media Player
2009-03-11 14:22 . 2009-03-11 14:22 d-------- c:\program files\Secunia
2009-03-11 14:21 . 2009-03-11 14:21 543,704 --------- c:\program files\PSISetup.exe
2009-03-11 14:12 . 2009-03-11 14:12 1,878,888 --------- c:\program files\install_flash_player.exe


----------



## Gamajobert (Mar 7, 2009)

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^John Henderson^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\John Henderson\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-03-27 09:34 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--------- 2009-02-01 23:31 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Google Update"="c:\documents and settings\John Henderson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"Domino"=c:\windows\Domino.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee.com\\Shared\\mcappins.exe"=
"c:\\Documents and Settings\\John Henderson\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\NetMeter_v113.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-01-04 11264]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-08 206096]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2009-02-22 428160]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\Seagate\Sync\SeaSyncServices.exe" --> c:\program files\Seagate\Sync\SeaSyncServices.exe [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{142ad628-da6d-11dd-a924-0017317d07a1}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-602162358-1801674531-1003.job
- c:\documents and settings\John Henderson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-24 10:46]
2009-03-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
2009-03-31 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\John Henderson\Application Data\Mozilla\Firefox\Profiles\hgudxix0.default\
FF - component: c:\documents and settings\John Henderson\Application Data\Mozilla\Firefox\Profiles\hgudxix0.default\extensions\[email protected]\components\coolirisstub.dll
FF - plugin: c:\documents and settings\John Henderson\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 10:00:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-117609710-602162358-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\John Henderson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-10 10:01:43
ComboFix-quarantined-files.txt 2009-04-10 06:01:40
ComboFix2.txt 2009-04-10 05:45:07
ComboFix3.txt 2009-04-04 17:36:03
Pre-Run: 64,286,158,848 bytes free
Post-Run: 64,270,061,568 bytes free
271 --- E O F --- 2009-04-09 05:23:09


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
c:\windows\Domino.EXE

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Domino"=-
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## Gamajobert (Mar 7, 2009)

Firstly no freezes since last post and Hearts is running normally.

Tried 3 times with your instructions (all security is off) - get asked if I should allow Active X and say yes, but after I drag to the box it seems to be looping - no Combofix reference.


----------



## Gamajobert (Mar 7, 2009)

Don't know if it is helpful without Combo first but HJT below - off to bed - goodnight. At least no references to Avast/Adwil.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:33 AM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games - Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
--
End of file - 7550 bytes
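
The check made by eye in the post above (looking through the HijackThis log for leftover Avast/Alwil references) can be done mechanically, along with listing entries whose target file HijackThis reports as absent. This is an added example, not part of the original thread; the function names and keyword lists are assumptions, and the sample is a short excerpt of the log posted above.

```python
import re
from dataclasses import dataclass

# Excerpt of the HijackThis log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
--
End of file - 7550 bytes
"""

# A HijackThis entry line starts with a section code such as R0, O2, O4 or O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# HijackThis marks entries whose target is absent with one of these suffixes.
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$", re.IGNORECASE)


@dataclass
class Entry:
    code: str       # section code, e.g. "O23"
    body: str       # remainder of the line
    orphaned: bool  # True when HijackThis reported the target file as absent


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and entry lines."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the process list ends at the first entry
            body = match.group(2)
            entries.append(Entry(match.group(1), body, bool(ORPHAN_RE.search(body))))
        elif in_processes:
            processes.append(line)
    return processes, entries


def orphaned_entries(entries):
    """Entries still registered although their file is gone (uninstall leftovers)."""
    return [e for e in entries if e.orphaned]


def find_remnants(processes, entries, keywords):
    """Return every process path or entry line mentioning a keyword (case-insensitive)."""
    wanted = [k.lower() for k in keywords]
    hits = [p for p in processes if any(k in p.lower() for k in wanted)]
    hits += [f"{e.code} - {e.body}" for e in entries
             if any(k in e.body.lower() for k in wanted)]
    return hits


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print("Orphaned entries:")
    for e in orphaned_entries(ents):
        print(f"  {e.code} - {e.body}")
    print("Avast/Alwil references:", find_remnants(procs, ents, ["avast", "alwil"]) or "none")
```
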


----------



## Gamajobert (Mar 7, 2009)

Tried again this morning - same result. Had an idea - last night I had not removed any previous Combo references. So now removed all previous stuff and then ran per your last instructions. At first there was some red light activity and the Tech screen disappeared (as before), but after a couple of minutes the red light steadied to a single regular blip (at around heartbeat speed). No eggtimer showing. Left for 20 minutes but nothing else happened. Maybe I am doing something wrong.


----------



## Cookiegal (Aug 27, 2003)

Try running the CFScript in safe mode please.


----------



## Gamajobert (Mar 7, 2009)

Sorry Cookie - this is where my inexperience comes in. Started in Safe Mode but:

. couldn't disable McAfee or Windows Firewall
. couldn't get back into Forum to activate your instructions

Rebooted as you can see - but please talk me through this - remember there is no longer any ComboFix installed.


----------



## Cookiegal (Aug 27, 2003)

You need to reinstall ComboFix to run the CFScript.

Before booting to safe mode, create the CFScript as instructed and print the instructions.

Once in safe mode you then just drag the CFScript onto the ComboFix.exe and drop it there.


----------



## Gamajobert (Mar 7, 2009)

You're fantastic - as a series of operations is needed, I will do it in the morning. Goodnight.


----------



## Cookiegal (Aug 27, 2003)

That's fine. Good night.


----------



## Gamajobert (Mar 7, 2009)

Firstly let me tell you the order in which I did things in case I missed something:
1. DL ComboFix to Desktop
2. Created Notepad CFScript
3. Disable all security
Restarted in Safe Mode then dragged CFScript into Combo exe

Combo log below - will separately send HJT

ComboFix 09-04-13.A0 - John Henderson 2009-04-13 10:22.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.351 [GMT 4:00]
Running from: c:\documents and settings\John Henderson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John Henderson\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
FILE ::
c:\windows\Domino.EXE
.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.
2009-04-13 06:18 . 2009-04-13 06:18 8212 ----a-w c:\windows\mfebcdata
2009-04-09 09:56 . 2009-04-09 09:56 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-09 05:29 . 2009-04-09 05:30 -------- dc-h--w c:\windows\ie8
2009-04-07 13:58 . 2009-04-07 13:58 -------- d-----w c:\documents and settings\John Henderson\Application Data\JAM Software
2009-04-07 05:00 . 2009-03-08 22:53 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-04 10:07 . 2008-03-05 12:00 25608 ----a-w c:\windows\system32\X3DAudio1_3.dll
2009-04-01 04:44 . 2009-04-01 04:44 -------- d-----w c:\documents and settings\John Henderson\Local Settings\Application Data\Cooliris
2009-04-01 04:41 . 2009-04-01 04:41 -------- d-----w c:\documents and settings\John Henderson\Local Settings\Application Data\Mozilla
2009-03-22 16:12 . 2009-03-22 20:05 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-22 16:11 . 2005-08-25 15:18 118784 ----a-w c:\windows\system32\MSSTDFMT.DLL
2009-03-22 16:11 . 2005-04-15 16:58 1071088 ----a-w c:\windows\system32\MSCOMCTL.OCX
2009-03-22 13:01 . 2009-03-22 14:55 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-22 13:01 . 2009-03-22 14:55 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-03-22 12:59 . 2009-03-22 12:59 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-21 13:02 . 2009-03-21 14:13 -------- d-----w c:\documents and settings\All Users\Application Data\Google(2)
2009-03-20 05:01 . 2009-03-20 05:01 -------- d-----w c:\documents and settings\John Henderson\Application Data\KC Softwares
2009-03-19 17:58 . 2009-03-19 17:58 -------- d-----w C:\ATI
2009-03-14 21:24 . 2009-03-14 21:24 -------- d-----w c:\documents and settings\John Henderson\Application Data\TuneUp Software
2009-03-14 21:23 . 2009-03-14 21:23 -------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-14 21:22 . 2009-03-14 21:22 -------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 19:48 . 2009-04-09 17:00 -------- d-----w c:\program files\Alwil Software
2009-04-09 19:41 . 2009-04-09 19:38 230776 ----a-w c:\program files\aswclear.exe
2009-04-09 09:56 . 2009-04-09 09:56 245760 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
2009-04-08 19:44 . 2009-02-22 17:50 -------- d-----w c:\documents and settings\John Henderson\Application Data\Skype
2009-04-08 17:47 . 2009-02-22 17:54 -------- d-----w c:\documents and settings\John Henderson\Application Data\skypePM
2009-04-07 13:57 . 2009-04-07 13:57 -------- d-----w c:\program files\TreeSizeFree_9x
2009-04-07 13:57 . 2009-04-07 13:57 739972 ----a-w c:\program files\TreeSizeFree_9x.zip
2009-04-07 13:52 . 2009-01-08 18:58 -------- d-----w c:\program files\McAfee
2009-04-07 10:07 . 2009-01-08 18:35 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-07 05:03 . 2009-01-28 07:36 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-07 05:01 . 2009-01-04 15:20 -------- d-----w c:\program files\Java
2009-04-06 11:32 . 2009-01-28 07:36 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 11:32 . 2009-01-28 07:36 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 17:51 . 2009-01-04 12:08 18424 ----a-w c:\documents and settings\John Henderson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 09:58 . 2009-03-07 09:20 301384 ----a-w c:\program files\dxwebsetup.exe
2009-04-04 04:30 . 2009-01-22 19:09 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-04 04:30 . 2009-01-22 19:09 -------- d-----w c:\program files\NOS
2009-04-03 19:36 . 2009-04-03 19:36 43083040 ----a-w c:\program files\AdbeRdr910_en_US_Std.exe
2009-04-03 18:35 . 2009-04-03 18:35 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-02 16:55 . 2009-03-21 19:39 -------- d-----w c:\program files\OpenOffice.org 3.0 (en-US) Installation Files
2009-04-02 15:14 . 2009-04-02 15:14 -------- d-----w c:\program files\JRE
2009-04-02 15:14 . 2009-03-21 18:30 -------- d-----w c:\program files\OpenOffice.org 3
2009-04-02 14:31 . 2009-03-21 16:21 149353184 ----a-w c:\program files\OOo_3.0.1_Win32Intel_install_wJRE_en-US.exe
2009-04-01 07:30 . 2009-04-01 07:30 773640 ----a-w c:\program files\dfsetup108.exe
2009-04-01 04:40 . 2009-04-01 04:40 7518920 ----a-w c:\program files\Firefox Setup 3.0.8.exe
2009-03-27 16:30 . 2009-03-01 17:15 -------- d-----w c:\program files\Yahoo!
2009-03-27 05:34 . 2009-03-07 07:28 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-27 05:29 . 2009-03-27 05:29 3190688 ----a-w c:\program files\ccsetup218.exe
2009-03-24 18:34 . 2009-03-24 18:34 -------- d-----w c:\program files\Trend Micro
2009-03-24 18:33 . 2009-03-24 18:33 812344 ----a-w c:\program files\HJTInstall.exe
2009-03-22 20:05 . 2009-03-22 16:11 -------- d-----w c:\program files\SpywareBlaster
2009-03-22 16:57 . 2009-03-22 16:57 17 ----a-w c:\program files\stinger10000482.opt
2009-03-22 16:41 . 2009-03-22 16:41 2639879 ----a-w c:\program files\stinger10000482.exe
2009-03-22 16:38 . 2009-03-22 16:38 49152 ----a-w c:\program files\RRT.exe
2009-03-22 16:36 . 2009-03-22 16:36 1117 ----a-w c:\program files\SuperDAT.log
2009-03-22 16:35 . 2009-03-22 16:35 104170056 ----a-w c:\program files\sdat5560.exe
2009-03-22 16:10 . 2009-03-22 16:10 2869536 ----a-w c:\program files\spywareblastersetup41.exe
2009-03-22 13:42 . 2009-01-28 14:00 -------- d-----w c:\program files\SpeedFan
2009-03-22 06:41 . 2009-03-21 14:14 -------- d-----w c:\program files\FreshDevices
2009-03-22 06:27 . 2009-03-22 06:27 306864 ----a-w c:\program files\mvtapp.exe
2009-03-21 18:29 . 2009-03-21 18:29 -------- d-----w c:\program files\readmes
2009-03-21 18:29 . 2009-03-21 18:29 -------- d-----w c:\program files\licenses
2009-03-21 14:14 . 2009-01-04 13:04 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:13 . 2009-03-21 14:13 -------- d-----w c:\program files\Google
2009-03-21 14:13 . 2009-03-21 13:02 -------- d-----w c:\program files\Google(2)
2009-03-19 17:59 . 2009-01-04 12:47 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-19 17:39 . 2009-01-22 19:20 -------- d-----w c:\program files\Common Files\Adobe
2009-03-17 13:05 . 2009-01-04 19:13 -------- d-----w c:\program files\Windows Desktop Search
2009-03-16 10:18 . 2009-04-04 10:08 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 10:18 . 2009-04-04 10:08 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 10:18 . 2009-04-04 10:08 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 10:18 . 2009-04-04 10:08 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-15 15:42 . 2009-03-15 15:42 23596328 ------w c:\program files\SkypeSetupFull.exe
2009-03-12 21:25 . 2009-03-12 21:24 -------- d-----w c:\program files\LookInMyPC
2009-03-12 21:23 . 2009-03-12 21:21 1250952 ------w c:\program files\setupLMPC.exe
2009-03-12 19:31 . 2009-03-12 19:31 -------- d-----w c:\program files\Windows Installer Clean Up
2009-03-12 19:29 . 2009-01-04 15:26 -------- d-----w c:\program files\MSECache
2009-03-12 19:29 . 2009-03-12 19:29 359656 ------w c:\program files\msicuu2.exe
2009-03-12 19:27 . 2009-03-12 19:27 16434584 ------w c:\program files\jre-6u12-windows-i586-p-s.exe
2009-03-11 12:33 . 2009-03-11 12:32 -------- d-----w c:\documents and settings\John Henderson\Application Data\FreshDiagnose
2009-03-11 12:19 . 2009-03-11 12:17 -------- d-----w c:\program files\Double Driver
2009-03-11 12:17 . 2009-03-11 12:17 1879377 ------w c:\program files\dd210.zip
2009-03-11 11:29 . 2009-03-11 11:29 1998828 ------w c:\program files\diagnose.exe
2009-03-11 11:00 . 2009-03-11 11:00 -------- d-----w c:\program files\Adobe Media Player
2009-03-11 10:22 . 2009-03-11 10:22 -------- d-----w c:\program files\Secunia
2009-03-11 10:21 . 2009-03-11 10:21 543704 ------w c:\program files\PSISetup.exe
2009-03-11 10:12 . 2009-03-11 10:12 1878888 ------w c:\program files\install_flash_player.exe
2009-03-09 14:09 . 2009-03-09 09:10 -------- d-----w c:\program files\K-Lite Codec Pack
2009-03-09 11:27 . 2009-04-04 10:08 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 11:27 . 2009-04-04 10:08 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 11:27 . 2009-04-04 10:08 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-09 09:07 . 2009-03-03 05:20 -------- d-----w c:\program files\Bonjour
2009-03-09 01:19 . 2009-01-04 17:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 00:34 . 2006-02-28 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 00:34 . 2006-02-28 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 00:33 . 2006-02-28 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 00:33 . 2006-02-28 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 00:32 . 2006-02-28 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 00:32 . 2006-02-28 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 00:31 . 2006-02-28 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 00:31 . 2006-02-28 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 00:31 . 2006-02-28 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 00:22 . 2006-02-28 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-07 09:38 . 2009-03-07 09:38 1259 ------w c:\program files\1236418694048-integrated.jnlp
2009-03-07 08:46 . 2009-03-07 08:46 -------- d-----w c:\documents and settings\John Henderson\Application Data\uniblue
2009-03-07 07:28 . 2009-01-04 11:48 -------- d-----w c:\documents and settings\John Henderson\Application Data\SUPERAntiSpyware.com
2009-03-07 07:27 . 2009-03-07 07:27 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-07 07:26 . 2009-03-07 07:26 6018080 ------w c:\program files\SUPERAntiSpywarePro.exe
2009-03-04 17:57 . 2009-03-01 20:06 -------- d-----w c:\program files\Common Files\Apple
2009-03-03 07:04 . 2009-03-03 07:04 18824 ---h--w c:\windows\system32\mlfcache.dat
2009-03-03 07:02 . 2009-03-01 20:09 -------- d-----w c:\documents and settings\John Henderson\Application Data\Apple Computer
2009-03-03 05:24 . 2009-03-03 05:24 -------- d-----w c:\program files\Safari
2009-03-01 20:08 . 2009-03-01 20:07 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-01 20:07 . 2009-03-01 20:07 -------- d-----w c:\program files\Apple Software Update
2009-03-01 20:06 . 2009-03-01 20:06 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-03-01 17:15 . 2009-03-01 17:15 -------- d-----w c:\documents and settings\John Henderson\Application Data\Yahoo!
2009-02-28 18:38 . 2009-02-28 18:38 301976 ------w c:\program files\rootsupd.exe
2009-02-26 06:09 . 2009-02-14 18:24 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-25 19:04 . 2009-02-25 19:04 1259 ------w c:\program files\1235588622657-integrated.jnlp
2009-02-25 07:51 . 2009-02-25 07:51 3277532 ------w c:\program files\SASDEFINITIONS.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^John Henderson^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\John Henderson\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-03-27 09:34 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--------- 2009-02-01 23:31 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Google Update"="c:\documents and settings\John Henderson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee.com\\Shared\\mcappins.exe"=
"c:\\Documents and Settings\\John Henderson\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\NetMeter_v113.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-27 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-05 206096]
R2 Seagate Sync Service;Seagate Sync Service; [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-12-10 7808]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2007-01-20 428160]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-602162358-1801674531-1003.job
- c:\documents and settings\John Henderson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-24 10:46]
2009-03-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
2009-03-31 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\John Henderson\Application Data\Mozilla\Firefox\Profiles\hgudxix0.default\
FF - component: c:\documents and settings\John Henderson\Application Data\Mozilla\Firefox\Profiles\hgudxix0.default\extensions\[email protected]\components\coolirisstub.dll
FF - plugin: c:\documents and settings\John Henderson\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 10:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-117609710-602162358-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(232)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\John Henderson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(400)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-04-13 10:27
ComboFix-quarantined-files.txt 2009-04-13 06:27
ComboFix2.txt 2009-04-10 05:45
ComboFix3.txt 2009-04-04 17:36
Pre-Run: 64,846,516,224 bytes free
Post-Run: 64,832,249,856 bytes free
255 --- E O F --- 2009-04-09 05:23


----------



## Gamajobert (Mar 7, 2009)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:55 AM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games - Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
--
End of file - 7494 bytes


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Search* - *All Files and Folders* and, under *More advanced search options*, make sure there is a check by *Search System Folders* and *Search hidden files and folders* and *Search system subfolders*.

Next click on *My Computer*. Go to *Tools* - *Folder Options*. Click on the View tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders*. Click *Apply* then *OK*.

Go to the following link and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*c:\windows\mfebcdata*

Open Notepad and copy and paste the text in the code box below into it:


```
RegLock::
[HKEY_USERS\S-1-5-21-117609710-602162358-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.
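
An added example, not part of the original thread: once the copied errors are collected in Notepad as described above, a short Python script can keep only the last 48 hours and collapse repeated events into counts. The records it runs on are constructed for illustration (the host name `EXAMPLE-PC` and the shortened descriptions are placeholders), and it assumes the US date format and 12-hour clock that the Event Viewer text in this thread uses.

```python
import re
from datetime import datetime, timedelta

# Header fields in the text that Event Viewer's copy button produces (XP layout).
HEADER = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
FOOTER = "For more information, see Help and Support Center"


def _finish(rec):
    """Normalise one raw record; 'when' is None if the timestamp cannot be parsed."""
    try:
        # Assumption: US-style date and 12-hour clock, e.g. "4/14/2009 12:36:26 PM".
        when = datetime.strptime(f"{rec.get('Date')} {rec.get('Time')}",
                                 "%m/%d/%Y %I:%M:%S %p")
    except ValueError:
        when = None
    event_id = rec.get("Event ID", "")
    return {"type": rec.get("Event Type", ""),
            "source": rec.get("Event Source", ""),
            "id": int(event_id) if event_id.isdigit() else None,
            "when": when,
            "description": " ".join(rec["Description"])}


def parse_events(text):
    """Split pasted Event Viewer text into records, even when they run together."""
    events, cur, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):      # every record starts with this field
            if cur is not None:
                events.append(_finish(cur))
            cur, in_desc = {"Description": []}, False
        if cur is None:
            continue                            # text before the first record
        if line.startswith("Description:"):
            in_desc = True
            rest = line[len("Description:"):].strip()
            if rest:
                cur["Description"].append(rest)
        elif line.startswith("Data:"):
            in_desc = False                     # hex dump follows; not needed for triage
        elif in_desc:
            if line and not line.startswith(FOOTER):
                cur["Description"].append(line)
        else:
            m = HEADER.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
    if cur is not None:
        events.append(_finish(cur))
    return events


def summarize(events, now, hours=48, types=("Error",)):
    """Group events of the given types inside the time window; most frequent first."""
    cutoff = now - timedelta(hours=hours)
    groups = {}
    for e in events:
        if e["type"] not in types or e["when"] is None:
            continue
        if not cutoff <= e["when"] <= now:
            continue
        key = (e["source"], e["id"], e["description"])
        g = groups.setdefault(key, {"count": 0, "first": e["when"], "last": e["when"]})
        g["count"] += 1
        g["first"] = min(g["first"], e["when"])
        g["last"] = max(g["last"], e["when"])
    rows = [{"source": k[0], "id": k[1], "description": k[2], **v}
            for k, v in groups.items()]
    return sorted(rows, key=lambda r: (-r["count"], r["source"].lower(), r["id"] or 0))


def _sample_record(etype, source, eid, date, time, desc, data=False):
    """Render one CONSTRUCTED record in the clipboard layout."""
    lines = [f"Event Type: {etype}", f"Event Source: {source}", "Event Category: None",
             f"Event ID: {eid}", f"Date: {date}", f"Time: {time}", "User: N/A",
             "Computer: EXAMPLE-PC", "Description:", desc,
             FOOTER + " at http://go.microsoft.com/fwlink/events.asp."]
    if data:
        lines += ["Data:", "0000: 79 00 00 00 y..."]
    return "\n".join(lines) + "\n"


ROOT_FAIL = "Failed retrieval of root list sequence number with error: "
# Constructed sample: six records pasted back to back, as they end up in Notepad.
SAMPLE = "".join([
    _sample_record("Error", "crypt32", 8, "4/14/2009", "12:36:26 PM",
                   ROOT_FAIL + "The specified server cannot perform the requested operation."),
    _sample_record("Error", "crypt32", 8, "4/14/2009", "12:36:26 PM",
                   ROOT_FAIL + "The specified server cannot perform the requested operation."),
    _sample_record("Error", "crypt32", 8, "4/14/2009", "12:36:27 PM",
                   ROOT_FAIL + "This operation returned because the timeout period expired."),
    _sample_record("Error", "Dhcp", 1002, "4/15/2009", "9:07:49 AM",
                   "The IP address lease was denied by the DHCP server."),
    _sample_record("Warning", "Dhcp", 1003, "4/15/2009", "12:00:39 AM",
                   "Address renewal failed. The following error occurred:\n"
                   "The semaphore timeout period has expired.", data=True),
    _sample_record("Error", "crypt32", 8, "4/10/2009", "10:15:26 AM",
                   ROOT_FAIL + "The specified server cannot perform the requested operation."),
])

if __name__ == "__main__":
    now = datetime(2009, 4, 15, 10, 0, 0)       # constructed "current time" for the sample
    for row in summarize(parse_events(SAMPLE), now):
        print(f'{row["count"]:>3}x {row["source"]} {row["id"]} '
              f'{row["first"]:%m/%d %H:%M} to {row["last"]:%m/%d %H:%M}  {row["description"]}')
```

Passing `types=("Error", "Warning")` to `summarize` also includes warnings, which Event Viewer shows in yellow rather than red.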


----------



## Gamajobert (Mar 7, 2009)

After 2.00 here - good night - you're wonderful


----------



## Cookiegal (Aug 27, 2003)

OK, thanks.


----------



## Gamajobert (Mar 7, 2009)

Just testing to see if last night's gremlins have gone. It was unbelievable - not only the freezes, but couldn't log in without 2 or 3 tries every time. Again the freezes were not consistent - sometimes the cursor locked but other times the cursor could move but the screen would not react.


----------



## Gamajobert (Mar 7, 2009)

APPLICATIONS

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 4/14/2009
Time: 12:36:26 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 4/14/2009
Time: 12:36:26 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 4/14/2009
Time: 12:36:26 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 4/14/2009
Time: 12:36:26 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 4/13/2009
Time: 10:15:26 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

There are then 23 identical events to above - same code, same time. At that time there was a McAfee scan running (I was in the shower).

SYSTEM

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 4/15/2009
Time: 9:07:49 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/15/2009
Time: 12:00:39 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 11:48:43 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 11:45:28 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 11:33:38 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 11:32:21 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 4/14/2009
Time: 10:35:54 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 54 00 ......T.
0008: 00 00 00 00 82 10 00 80 ....‚..€
0010: 01 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 10:18:03 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 9:02:50 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 5:47:40 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 5:46:06 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 5:38:40 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 3:19:25 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 2:43:21 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 4/14/2009
Time: 8:19:37 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 4/14/2009
Time: 8:19:02 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer has automatically configured the IP address for the Network Card with network address 0017317D07A1. The IP address being used is 169.254.179.251.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 .... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 8:18:57 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 8:18:28 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç... 
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/14/2009
Time: 8:18:28 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç... 
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 4/13/2009
Time: 10:29:32 AM
User: NT AUTHORITY\SYSTEM
Computer: JMHENDER-EAC4C7
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 4/13/2009
Time: 10:29:15 AM
User: NT AUTHORITY\SYSTEM
Computer: JMHENDER-EAC4C7
Description:
The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 4/13/2009
Time: 10:26:22 AM
User: JMHENDER-EAC4C7\John Henderson
Computer: JMHENDER-EAC4C7
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 4/13/2009
Time: 10:22:29 AM
User: JMHENDER-EAC4C7\John Henderson
Computer: JMHENDER-EAC4C7
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 4/13/2009
Time: 10:21:55 AM
User: NT AUTHORITY\SYSTEM
Computer: JMHENDER-EAC4C7
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service McNASvc with arguments "" in order to run the server:
{24F616A1-B755-4053-8018-C3425DC8B68A}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 4/13/2009
Time: 10:21:52 AM
User: NT AUTHORITY\SYSTEM
Computer: JMHENDER-EAC4C7
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service McNASvc with arguments "" in order to run the server:
{24F616A1-B755-4053-8018-C3425DC8B68A}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 4/13/2009
Time: 10:21:06 AM
User: JMHENDER-EAC4C7\John Henderson
Computer: JMHENDER-EAC4C7
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 4/13/2009
Time: 10:21:06 AM
User: JMHENDER-EAC4C7\John Henderson
Computer: JMHENDER-EAC4C7
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 4/13/2009
Time: 10:21:02 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The following boot-start or system-start driver(s) failed to load: 
AFD
Fips
intelppm
IPSec
mfehidk
MPFP
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/13/2009
Time: 10:21:02 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/13/2009
Time: 10:21:02 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/13/2009
Time: 10:21:02 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/13/2009
Time: 10:21:02 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/13/2009
Time: 10:21:02 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 4/13/2009
Time: 10:21:02 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 4/13/2009
Time: 10:20:37 AM
User: NT AUTHORITY\SYSTEM
Computer: JMHENDER-EAC4C7
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 4/13/2009
Time: 10:20:35 AM
User: JMHENDER-EAC4C7\John Henderson
Computer: JMHENDER-EAC4C7
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 4/13/2009
Time: 9:23:06 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------
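
The Event Viewer text pasted in the post above repeats a handful of events many times, which makes the few distinct ones hard to see. As an added example (not part of the thread), this Python script parses text in the layout that Event Viewer's copy button produces and groups it by source and event ID; the sample records are constructed after the kinds of entries in the post, with a made-up computer name and network address, and US-style dates are assumed.

```python
import re
from datetime import datetime

FIELDS = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
FOOTER = "For more information, see Help and Support Center"


def parse_events(text):
    """Split text copied out of Event Viewer into one dict per complete record."""
    events, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELDS.match(line)
        if m and m.group(1) == "Event Type":       # every record starts with this field
            cur = {"Description": []}
            events.append(cur)
            section = "header"
        if cur is None:
            continue                               # paste began in the middle of a record
        if section == "header" and m:
            cur[m.group(1)] = m.group(2)
        elif line == "Description:":
            section = "description"
        elif line == "Data:":
            section = "data"                       # the hex dump that follows is ignored
        elif section == "description" and line and not line.startswith(FOOTER):
            cur["Description"].append(line)
    complete = []
    for ev in events:
        if not {"Event Source", "Event ID", "Date", "Time"} <= ev.keys():
            continue                               # record cut off before its header ended
        ev["Description"] = " ".join(ev["Description"])
        # Assumption: month/day/year dates and a 12-hour clock, as in the thread.
        ev["When"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        complete.append(ev)
    return complete


def summarize(events):
    """Group events by (source, event ID); most frequent group first."""
    groups = {}
    for ev in events:
        key = (ev["Event Source"], ev["Event ID"])
        g = groups.setdefault(key, {
            "source": key[0], "id": key[1], "type": ev["Event Type"], "count": 0,
            "first": ev["When"], "last": ev["When"], "messages": set(), "safe_mode": False})
        g["count"] += 1
        g["first"] = min(g["first"], ev["When"])
        g["last"] = max(g["last"], ev["When"])
        g["messages"].add(ev["Description"])       # distinct error texts under one ID
        g["safe_mode"] |= "Safe Mode" in ev["Description"]
    return sorted(groups.values(), key=lambda g: (-g["count"], g["source"], g["id"]))


def _record(etype, source, eid, date, time, description, data=None):
    """Render one constructed record in the copied Event Viewer layout."""
    lines = [f"Event Type: {etype}", f"Event Source: {source}", "Event Category: None",
             f"Event ID: {eid}", f"Date: {date}", f"Time: {time}", "User: N/A",
             "Computer: EXAMPLE-PC", "Description:", description,
             FOOTER + " at http://go.microsoft.com/fwlink/events.asp."]
    if data:
        lines += ["Data:", data]
    return "\n".join(lines)


# Constructed sample input; 001122334455 and EXAMPLE-PC are placeholders.
RENEW = ("Your computer was not able to renew its address from the network (from the DHCP "
         "Server) for the Network Card with network address 001122334455. The following "
         "error occurred: \n{} . Your computer will continue to try and obtain an address "
         "on its own from the network address (DHCP) server.")
TIMEOUT = RENEW.format("The semaphore timeout period has expired.")
CANCELED = RENEW.format("The operation was canceled by the user.")
NACK = ("The IP address lease 10.0.0.5 for the Network Card with network address "
        "001122334455 has been denied by the DHCP server 0.0.0.0 "
        "(The DHCP Server sent a DHCPNACK message).")
NETMAN = ('DCOM got error "This service cannot be started in Safe Mode " attempting to start '
          'the service netman with arguments "" in order to run the server:\n'
          "{BA126AE5-2166-11D1-B1D0-00805FC1270E}")
SAMPLE = "\n".join([
    "last lines of a record whose beginning was lost when the text was pasted",
    _record("Warning", "Dhcp", 1003, "4/14/2009", "11:48:43 PM", TIMEOUT, "0000: 79 00 00 00 y..."),
    _record("Warning", "Dhcp", 1003, "4/14/2009", "11:45:28 PM", TIMEOUT, "0000: 79 00 00 00 y..."),
    _record("Error", "Dhcp", 1002, "4/14/2009", "8:19:37 AM", NACK),
    _record("Warning", "Dhcp", 1003, "4/14/2009", "8:18:28 AM", CANCELED, "0000: c7 04 00 00 ...."),
    _record("Error", "DCOM", 10005, "4/13/2009", "10:21:55 AM", NETMAN),
    _record("Error", "DCOM", 10005, "4/13/2009", "10:20:35 AM", NETMAN),
])

if __name__ == "__main__":
    for g in summarize(parse_events(SAMPLE)):
        note = "  [message says Safe Mode]" if g["safe_mode"] else ""
        print(f'{g["count"]:3d}x {g["type"]:8} {g["source"]} {g["id"]}  '
              f'{g["first"]:%m/%d %H:%M} .. {g["last"]:%m/%d %H:%M}  '
              f'{len(g["messages"])} distinct message(s){note}')
```
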



## Gamajobert (Mar 7, 2009)

As above worked, I again tried as per post 56 - again no file.


----------



## Cookiegal (Aug 27, 2003)

Let's run chkdsk.

Click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take awhile, so run it when you don't need to use the computer for something else.

When it's finished, go to *Start* - *Run* and type in *eventvwr.msc*, and hit enter.
When Event Viewer opens, click on "Application", then scroll down to "Winlogon" and double-click on it to open it up. This is the log created after running chkdsk. Click on the icon that looks like two pieces of paper to copy it and then paste it here please.


----------



## Gamajobert (Mar 7, 2009)

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 4/16/2009
Time: 9:06:57 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Checking file system on C:
The type of the file system is NTFS.
A disk check has been scheduled.
Windows will now check the disk. 
Cleaning up minor inconsistencies on the drive.
Cleaning up 1020 unused index entries from index $SII of file 0x9.
Cleaning up 1020 unused index entries from index $SDH of file 0x9.
Cleaning up 1020 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Windows has made corrections to the file system.
78140128 KB total disk space.
15423988 KB in 49836 files.
16536 KB in 4557 indexes.
4 KB in bad sectors.
160652 KB in use by the system.
65536 KB occupied by the log file.
62538948 KB available on disk.
4096 bytes in each allocation unit.
19535032 total allocation units on disk.
15634737 allocation units available on disk.
Internal Info:
a0 dc 00 00 84 d4 00 00 74 18 01 00 00 00 00 00 ........t.......
b0 10 00 00 02 00 00 00 cd 08 00 00 00 00 00 00 ................
da 7f 2e 04 00 00 00 00 ce 13 57 1c 00 00 00 00 ..........W.....
de 47 41 07 00 00 00 00 0c 84 11 a8 01 00 00 00 .GA.............
c4 6f ab 22 03 00 00 00 1c 64 98 fb 04 00 00 00 .o.".....d......
e0 21 68 ae 00 00 00 00 00 39 07 00 ac c2 00 00 .!h......9......
00 00 00 00 00 d0 67 ad 03 00 00 00 cd 11 00 00 ......g.........
Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Before posting this, I ran Defrag, Disk Cleanup and created a new System Restore point. There were 8 restarts before I finally got here. The last came after I disconnected my external HD. Could the external be part of the problem? I doubt it because most of the time when I have freezes the external is not connected - but you're the expert.


----------



## Cookiegal (Aug 27, 2003)

The USB external drive wouldn't cause the problems if it's not connected.

It looks like there could be a problem with your hard drive as there is a bad sector. Can you tell me the make of your hard drive?


----------



## Gamajobert (Mar 7, 2009)

It's interesting - the checkdisc scan ended without any reference/alert regarding the bad sector. Only the detailed report shows it. If you hadn't asked for the report I would have missed it completely.

Ran "Look in my PC" - report:

SAMSUNG SPO842N 74GB Partition 1 Status OK. I typed this as I thought below had not copied. But look at GB in copied data. My Computer/C/ Properties says 74.5 GB of which GB 14.9 used.










*Hard Drive Information*

| Drive Name | Capacity | Partitions | Status |
| --- | --- | --- | --- |
| SAMSUNG SP0842N | 74 GB | 1 | OK |

*View Page 2* *Report Generated at: 4/17/2009 8:43:11 AM* *Generation Time: 0 seconds* *Copyright Solid Oak Software, Inc. 2005*

*Page 2 is blank.*


----------



## Cookiegal (Aug 27, 2003)

I've asked someone else to assist as I think you may need to run a hard drive diagnostic utility and he knows more about that than I do.


----------



## Rollin' Rog (Dec 9, 2000)

I don't think the hard drive is bad, but this appears to be the vendor's diagnostic utility appropriate for the model number >>

http://www.samsung.com/global/business/hdd/support/utilities/Support_HUTIL.html

You can also try using HDTune, a generic drive tester

http://www.hdtune.com/

Obviously you had some corrupt files and if specific applications are continuing to fault, you may need to reinstall those.

Has there been an improvement since running chkdsk?

Most of the recent event viewer errors seem to relate to a failed autoupdate attempt.

http://www.eventid.net/display.asp?eventid=8&eventno=1958&source=crypt32&phase=1

You may need to install this >> http://www.microsoft.com/downloads/...0e-ee7e-435e-99f8-20b44d4531b0&displaylang=en


----------



## Gamajobert (Mar 7, 2009)

Hello Rog - would you believe it froze half way through this message and had to start again.

Since chkdsk no change except now sometimes doesn't print (intermittent). Printer is OK and have printed stuff today.

HUTIL - DL, opened exe. but can't run it - "doesn't know which program created it".

HD tune free doesn't report on disc and I don't want to buy Pro if we don't know what the problem is.

eventid seems to just chat and I don't know what to do with it.

I am up to date with all certificates including rootkit.

Beginning to understand Freddie Mercury's "I'm going slightly mad..."


----------



## Gamajobert (Mar 7, 2009)

Just had a thought - if you want to "capture" my computer and have a look around I have no objections.


----------



## Rollin' Rog (Dec 9, 2000)

I don't know what's up with hutil, is this the file you downloaded, and did you unzip the file so that the exe is in a folder of its own?

http://www.samsung.com/global/business/hdd/support/downloads/Hutil210_FDD.zip

HDTune free can generate the standard S.M.A.R.T health report as well as do a general scan.

Speedfan may also be helpful, since freezes may be due to overheating. It can do drive health reports as well.

If your motherboard supports temp monitoring, we should see what the CPU temps are. Look for rises of more than 35 c from a cold boot, especially when doing scanning or heavy CPU usage.

http://www.almico.com/speedfan.php

I don't do the remotes, sorry 

Can you summarize for me what is currently the problem?

Is it primarily freezes or slow performance?

Have you tried "Clean Boot" troubleshooting?

CLEAN BOOT TROUBLESHOOTING technique

First, restart in Safe Mode if necessary -- (tap the f8 key promptly on startup and choose the Safe Mode option from the boot menu) or Normal mode

Then:

Run *msconfig* and select the "Services" tab. *Check "Hide Microsoft Services"* and then disable the rest. Also uncheck "load startup group" on the general page.

http://support.microsoft.com/kb/929135 << written for Vista, but applies equally well to XP

Now restart and test the issue at hand

If no problems, run *msconfig* and recheck half the disabled items on the Services tab. Test again. If the problem recurs, UNcheck half the items you just checked to narrow down the culprit.

If the problem didn't occur, check the other half, so all the Services are enabled -- proceed to do this on the startup tab as well.

Get the idea? You want to isolate the problem to a specific startup if possible.

Note: if you already have items unchecked under msconfig > startups and are in "selective" startup mode - you should note what these are before beginning. They will need to be de-selected again.

I don't do the "remotes", sorry


----------



## Gamajobert (Mar 7, 2009)

Wow - that is some post - thank you for all the time you are spending on this.

Whilst typing this I had a screen freeze (but not mouse freeze) when I tried to copy and paste. Could open Start menu but that immediately froze also. Using Ctrl/Alt/Del, ended task and was able to reload Forum without restart.

So, primary problem is screenfreeze (with or without mouse freeze). Often the freeze is during games but can be at Start Up/Restart - either at Welcome screen or there is just a black screen ie before Welcome.

Will continue in case freeze


----------



## Gamajobert (Mar 7, 2009)

Continued:

Samsung FDD - same problem (I uninstalled previous attempt) - latest unzips to an EXE (which when doubleclicked brings up a small black screen for about 3 seconds before it disappears) and a small file with an Adobe logo, which Adobe doesn't recognise, nor Wordpad, nor IE.

Found trial version of HD Tune Pro - found one error (damaged area) at 4161 MB (LBR852260). Temp 44 on both Tune Pro and Speedfan. Also ran Health - all sections flagged OK.

Cleanboot - I think maybe something is missing in your instructions just before "http support" - can you check please.


----------



## Rollin' Rog (Dec 9, 2000)

Did you read the full instructions on using Hutil here >> http://www.samsung.com/global/business/hdd/support/utilities/Support_HUTIL.html

Scroll about a third of the way down, there are versions both for a floppy boot or a CD boot. It might be best to use the CD (ISO) one. You will need Burning Software that recognizes the ISO extension automatically (you don't just copy these normally).

Using the ISO version is then very easy, you just put a writable CD in the drive, open the ISO file which should open your burner, and once the burn is completed, reboot to the CD

Be careful there, if you use it there is one potential selection that can erase the drive; you just want the diagnostic.

Were you able to see any CPU temps on Speedfan?

Monitoring these, especially during heavy CPU use, such as gaming (you can create a chart) would be useful.

The fact that HDTune is reporting a bad block is not good. Whatever chkdsk fixed it does not mean that the files were replaced or fixed themselves, only that the corrupt cells were cleared of data.

>> The Clean Boot link opens for me, nothing wrong with it <<

The MS instructions are quite similar to the ones I give. If there is something specific you don't understand, just ask.

Going back to your Event Log errors, you had a problem with Windows Automatic Update, are you still having it?

You say your root certificates are up to date, does that mean that you reinstalled them from the link I posted? Because if you didn't, you can't count on that after having had corrupt sectors on your drive.

You should also run *services.msc* and make sure BITS (Background Intelligent Transfer Service) is present, set to Automatic startup and running.

This is required for Automatic Updates to work properly


----------



## Gamajobert (Mar 7, 2009)

OK - I have BITS - but I don't recall any problem with Windows updates, indeed I installed from the icon just a few days ago.

Yes I reinstalled Root certificates.

Speedfan showed CPU as 44 and main fan as 54-55 during the test. I can tell if there is any real overheating as my leg is next to the tower, and also I can put my hand on it - I do this frequently because there is a dust problem and I have to clean it out every 3/4 months.

ISO - how do I check if I have Burning Software?

I don't understand your ref to Clean Boot - what do you want me to do?

Could the "bad" disc section be repaired by using the XP Pro disc to repair? Or is there a Samsung site for this purpose (I've looked but can't find one)?


----------



## Gamajobert (Mar 7, 2009)

Just ran Speedfan during a Hearts game (the only interactive game played on this computer). CPU was up to 72% with max temp around 65 C.


----------



## Rollin' Rog (Dec 9, 2000)

The temp under high CPU usage may be getting to a borderline zone, if over 70 I would be much more concerned.

If you've done any burning you should know if you have something. This is usually Roxio, Nero, or something similar.

If you click the downloaded and unzipped .iso file and it opens a burning program, you are fine. Just follow the burning program's instructions from there.

If not, you can use a freebie like DeepBurner >>

http://www.deepburner.com/index.php?r=download

I like the portable version, but it does not install anything or associate file types, so you will have to open Deepburner manually and select the ISO interface rather than just run the ISO file directly.

For the Clean Boot test, just follow the instructions exactly as I gave them or follow the instructions on the MS link.

You might check to see whether the hard drive is under warranty. If it is, then you would probably need to confirm the drive is bad by running the Samsung test.

Windows can lock out bad sectors on a drive, but it can't "fix" them because it is a hardware problem.


----------



## Gamajobert (Mar 7, 2009)

Burned Hutil to CD Rom - then opened My Computer and double clicked CD - there was zip. Double clicked on zip and file immediately appeared. Double clicked on file - NOTHING - obviously looping at 5 sec intervals. Eventually "Program not responding message" - but couldn't close without rebooting. Tried 3 times with same result. Tried again in Safe mode - same result but this time :

Error signature.
AppName:explorer.exe
AppVer:6.0.2900.5512
ModName:zipfldr.dll
ModVer:6.0.2900.5512
Offset:00021a8f

Opened technical data - huge amount of numbers (too long to handcopy and cannot copy/paste) but saw Checksum 0x00102b2c

Before I try Clean Boot - any suggestions?


----------



## Gamajobert (Mar 7, 2009)

Forgot to add - Samsung site is hopeless re: warranty. Blogs say it is 39 months but I will check with my supplier once they open. Again, the Samsung site offers a diagnostic possibility in its Customer Support section - of course, it doesn't work!


----------



## Gamajobert (Mar 7, 2009)

Supplier says warranty is 12 months and has now expired. They are looking for programs to repair the disk and I will let you know if they come up with something.


----------



## Gamajobert (Mar 7, 2009)

This is an extract from something called HD-Workbench. Should I try it?

The read/write surface scan is non-destructive, but there is one exception: in case 'bad' areas are detected HD-Workbench will try to persuade the hard disk's internal error management to replace these bad areas with sectors from the spare sector pool. In such event the data within the bad areas is lost.


----------



## Rollin' Rog (Dec 9, 2000)

I'm not familiar with the latter program; not sure I would try it unless I had all critical material backed up and could do a clean install if necessary. I would do that before running Hutil as well.

But this method you used on Hutil is wrong >>



> Burned Hutil to CD Rom - then opened My Computer and double clicked CD - there was zip. Double clicked on zip and file immediately appeared. Double clicked on file - NOTHING - obviously looping at 5 sec intervals. Eventually "Program not responding message" - but couldn't close without rebooting. Tried 3 times with same result. Tried again in Safe mode - same result but this time :


Here it appears you copied/burned the zipped Hutil program to the CD.

You don't want to do that. You must UNZIP the downloaded zipped program first and there find

*Hutil210.iso(For CD ROM Drive)*

I do not know why they named it that way. You must RENAME it *Hutil210.iso*

Now, if you have a burning program which supports the ISO extension, you only need to open the ISO file and your burning program should open. You cannot just copy or burn the ISO file as you normally would.

If one doesn't, then you can use Deepburner.

Once the ISO file is properly burned on the CD, you must REBOOT with the CD in the drive. If it boots back to Windows, either the CD was not burned correctly or the CD drive is not first in the BIOS boot order -- which would have to be changed.


----------



## Gamajobert (Mar 7, 2009)

Sorry Rog - I give up. Tried numerous ways to install Hutil210.iso - just can't do it. Always the unzipped folder produces file Hutil210.iso (For CD ROM Drive) - which cannot be opened. Tried with disk in/out, tried before and after installing Deepburner (which has me totally mystified). Going for a VERY large vodka - either that or cut my wrists!


----------



## Rollin' Rog (Dec 9, 2000)

I am trying to tell you that the file so named: *Hutil210.iso(For CD ROM Drive)* cannot be opened until you right click on it and rename it:

*Hutil210.iso*

Since the primary topic issue here seems to be "freezing" in any event, I need some more input on what is meant there.

Do these freezes always require a forced shutdown and restart of the computer, or do they still allow use of the mouse or keyboard?

Have you tried the "clean boot" troubleshooting approach yet?


----------



## Gamajobert (Mar 7, 2009)

Sorry Rog it's just not happening - let's abandon Hutil. I haven't tried Clean Boot yet - was hoping Hutil would solve the problem. As Clean Boot looks like a long exercise I will do it over the weekend.

On freezes - there are various:

* on boot - either black screen or at Welcome screen - cursor does not move

* during game - cursor moves but cannot action anything - ctrl/alt/delete doesn't have any effect, it just shows the 2 default (Hearts score page and game in progress) screens are running

* yesterday I was in Forum and wanted to Search, there was a freeze as soon as I opened the Search default - Search was active (I could move the cursor but not get any action) but Forum not (Cursor wouldn't move). This was the first time this dual effect was present. 

* when I want to copy/paste often there is a freeze on copy click

* when I end a Hearts game sometimes there is a freeze on the exit click


----------



## Gamajobert (Mar 7, 2009)

Decided to start the Clean Boot with the intention of then letting the computer run for a few hours before moving to second stage. Two problems. The first is after I made the changes and restarted, a message appeared saying that some of the changes could only take effect if in Administrator account (I am the Administrator but never mind). So, repeated the process under Administrator, restarted and got the SAME message. Restarted and undid changes - restarted and got the SAME message. Restarted in my name.

Second problem related to your instruction in post *71>

"Also uncheck "load startup group" on the general Page.

http://support.microsoft........"

There is nothing to tell me what to do next (after Page) or how to load the http - please clarify.


----------



## Rollin' Rog (Dec 9, 2000)

These are the Clean Boot instructions, just do this from your normal Administrative account, not the built-in formal Administrative account.

The http link to Microsoft is only for reference purposes, you can also view their instructions at that link.

I don't know exactly why you are getting the message, but ignore it, the change will probably take place anyway. There are some security programs that may cause it.

CLEAN BOOT TROUBLESHOOTING technique

First, restart in Safe Mode if necessary -- (tap the f8 key promptly on startup and choose the Safe Mode option from the boot menu) or Normal mode

Then:

Run *msconfig* and select the "Services" tab. *Check "Hide Microsoft Services"* and then disable the rest. Also uncheck "load startup group" on the general page.

Now restart and test the issue at hand

If no problems, run *msconfig* and recheck half the disabled items on the Services tab. Test again. If the problem recurs, UNcheck half the items you just checked to narrow down the culprit.

If the problem didn't occur, check the other half, so all the Services are enabled -- proceed to do this on the startup tab as well.

Get the idea? You want to isolate the problem to a specific startup if possible.

Note: if you already have items unchecked under msconfig > startups and are in "selective" startup mode - you should note what these are before beginning. They will need to be de-selected again.

http://support.microsoft.com/kb/929135 << written for Vista but applies equally to XP

-----------------------------------------------

Also, since this is a freezing issue, it would be helpful if we can monitor temps.

Install SpeedFan and see if it will detect and monitor CPU core temps. Let me know if anything is above 70 c or rises more than 35 c from a cold boot >>

http://www.almico.com/speedfan.php

*additional suggestion* >>

You might want to test using a newly created User Account. To do this open the User Accounts interface in the Control Panel and create a new one for yourself there and give it Administrative rights.

Log into that new User Account on reboot.


----------



## Gamajobert (Mar 7, 2009)

Something very strange happened at 00.15 on Friday morning. I was playing Hearts when suddenly the task bar and the bar above it went crazy for a few seconds. This was immediately followed by a noticeable increase in screen brightness (I never thought it was dim) and the speed of my game doubled (I never thought it was slow). From then until half an hour ago - no freezes! The only changes made in the 12 hours prior to the "crazy" was I started to change the settings for Clean Boot per instructions. Before I try this again I thought you would like to look at the log below.

Applications

Event Type: Error
Event Source: SecurityCenter
Event Category: None
Event ID: 1802
Date: 4/24/2009
Time: 2:39:22 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00 08 80 ...

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 4/22/2009
Time: 2:59:54 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Faulting application googletoolbarmanager_0531c63a913cc9d1.exe, version 5.0.2124.6042, faulting module googletoolbarmanager_0531c63a913cc9d1.exe, version 5.0.2124.6042, fault address 0x000a5e43.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

System

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 4/26/2009
Time: 8:43:11 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 4/26/2009
Time: 8:42:38 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer has automatically configured the IP address for the Network Card with network address 0017317D07A1. The IP address being used is 169.254.179.251.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/26/2009
Time: 8:42:33 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y...

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/26/2009
Time: 8:42:05 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...

Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 51
Date: 4/25/2009
Time: 10:40:59 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 4/25/2009
Time: 8:49:15 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Server
Event Category: None
Event ID: 2504
Date: 4/25/2009
Time: 8:48:46 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{16AEC2AE-2C0D-4C5A-A66B-44D576DECFD6}.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: aa 05 00 00 ª...

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 4/25/2009
Time: 8:48:43 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer has automatically configured the IP address for the Network Card with network address 0017317D07A1. The IP address being used is 169.254.179.251.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/25/2009
Time: 8:48:37 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y...

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/25/2009
Time: 8:48:09 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 4/24/2009
Time: 8:01:40 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 4/24/2009
Time: 6:54:44 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 4/24/2009
Time: 5:59:45 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The device, \Device\Harddisk0\D, has a bad block.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 51
Date: 4/24/2009
Time: 2:50:34 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 51
Date: 4/24/2009
Time: 2:50:34 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 51
Date: 4/24/2009
Time: 2:43:51 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 4/24/2009
Time: 2:39:22 PM
User: NT AUTHORITY\SYSTEM
Computer: JMHENDER-EAC4C7
Description:
The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/24/2009
Time: 2:37:00 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y...

Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 51
Date: 4/24/2009
Time: 12:57:54 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 51
Date: 4/24/2009
Time: 12:46:01 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 4/24/2009
Time: 12:33:18 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Print
Event Category: None
Event ID: 8
Date: 4/24/2009
Time: 11:31:01 AM
User: JMHENDER-EAC4C7\John Henderson
Computer: JMHENDER-EAC4C7
Description:
Printer HP LaserJet 1100 (MS) was purged.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 4/24/2009
Time: 8:01:38 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 4/24/2009
Time: 8:01:06 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer has automatically configured the IP address for the Network Card with network address 0017317D07A1. The IP address being used is 169.254.179.251.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/24/2009
Time: 8:01:00 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y...

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/24/2009
Time: 8:00:33 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 4/24/2009
Time: 8:00:25 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017317D07A1. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...


----------



## Gamajobert (Mar 7, 2009)

Sorry - forgot to mention. When I woke on Friday (after the "crazy") I ran HD Tune again - it still shows the bad sector.


----------



## Rollin' Rog (Dec 9, 2000)

Most of the warnings are DHCP errors (failure to connect). I see these often when I have a computer in standby, and unless you have continuing connectivity problems they can be ignored.

However you show continuing "Disk" errors such as:



> Event Type: Warning
> Event Source: Disk
> Event Category: None
> Event ID: 51


http://www.microsoft.com/technet/su...em&ProdVer=5.0&EvtID=51&EvtSrc=disk&LCID=1033
Chkdsk should be run again, and if these "Disk" errors continue after that, you are just going to have to start backing up what you can and consider a drive replacement.

You will need reinstallation media if you do that. This might be obtained from the computer vendor if they did not include it originally.

By the way, after running chkdsk again I think it would be a good idea to ensure your Virtual Memory is "Systems Managed"; check to see if it is, and if not, make it so. This should, on reboot, flush the existing page file, and if chkdsk has locked out any bad sectors they will not be used again for virtual memory storage.

Instructions here:

http://www.pcdoctor-guide.com/wordpress/?p=3156
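
The triage described in the post above (DHCP noise versus recurring "Disk" events), as an added example that is not part of the original posts: a parser for the Event Viewer text layout pasted in this thread that tallies entries per source and ID and pulls out the devices named by Disk events. The sample log is constructed, and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the same text layout as the Event Viewer entries
# pasted in the thread (section name, "Key: value" header, Description, Data).
SAMPLE = r"""
System

Event Type: Warning
Event Source: Dhcp
Event ID: 1003
Date: 1/2/2009
Time: 8:00:33 AM
Description:
Your computer was not able to renew its address from the network.
The semaphore timeout period has expired.
For more information, see Help and Support Center.
Data:
0000: 79 00 00 00 y...

Event Type: Warning
Event Source: Disk
Event ID: 51
Date: 1/2/2009
Time: 10:40:59 AM
Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.
Data:
0000: 04 00 68 00 01 00 b6 00 ..h.....

Event Type: Warning
Event Source: Disk
Event ID: 51
Date: 1/3/2009
Time: 2:50:34 PM
Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.

Event Type: Error
Event Source: Disk
Event ID: 7
Date: 1/3/2009
Time: 5:59:45 PM
Description:
The device, \Device\Harddisk0\D, has a bad block.
"""

# Device object names as they appear in Disk event descriptions.
DEVICE = re.compile(r"\\Device\\Harddisk\d+\\\w+")


def parse_events(text):
    """Split pasted Event Viewer text into one dict per event."""
    events, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the current record
            section = None
            continue
        if line.startswith("Event Type:"):
            cur = {"Description": ""}
            events.append(cur)
            section = "header"
        if cur is None:                   # text before the first record
            continue
        if line == "Description:":
            section = "desc"
        elif line == "Data:":
            section = "data"              # hex dump lines are skipped
        elif section == "header":
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
        elif section == "desc" and not line.startswith("For more information"):
            cur["Description"] = (cur["Description"] + " " + line).strip()
    return events


def triage(events):
    """Tally events per (source, ID) and list devices named by Disk events."""
    counts = Counter((e.get("Event Source"), e.get("Event ID")) for e in events)
    disk = [e for e in events if e.get("Event Source") == "Disk"]
    devices = sorted({d for e in disk for d in DEVICE.findall(e["Description"])})
    return counts, disk, devices


if __name__ == "__main__":
    counts, disk, devices = triage(parse_events(SAMPLE))
    for (source, event_id), n in counts.most_common():
        print(f"{n:3d}  {source} / {event_id}")
    print("Disk events:", len(disk), "on", ", ".join(devices))
    for e in disk:
        print(" ", e["Date"], e["Time"], "ID", e["Event ID"], "-", e["Description"])
```
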


----------



## Gamajobert (Mar 7, 2009)

Ok did that inc. Systems Managed. Chkdsk was very fast but I did catch "restoring missing files". No more freezes since my last post. I can live with a freeze every 48 hours. Thanks again for all your time and interest.


----------



## Gamajobert (Mar 7, 2009)

Goodness me - just noticed I am now a Senior Member - when do I expect my pension?


----------



## Rollin' Rog (Dec 9, 2000)

Well I hope things work out for you, and you are most welcome for the help.

I will continue to monitor for a few days to see if you want or need any further suggestions.


----------



## Gamajobert (Mar 7, 2009)

Had a freeze during first Hearts game this morning. Ran chkdsk again - it again said "restoring missing files". So, I immediately created new System restore point and back up - then formatted external HD. Now rebuilding Ceedo data.


----------



## Cookiegal (Aug 27, 2003)

And thanks from me too Rog. :up:


----------



## Gamajobert (Mar 7, 2009)

This is part of a reply to a friend. 

Don't you watch the news? We are on the verge of civil war! But yes. I'm watching the snooker - don't know the result for Ding Dong yet. Hip - spent the morning in the Oncology bloody hospital again. Looks OK but new lesion needs external treatment (not op thank goodness). Gave the surgeon Scotch I brought back from Heathrow last year and he didn't charge for the examination - see the Scots have some use after all!! But external treatment will be expensive.

F - Obama - decides to have NATO exercise in Georgia next week - maniac - doesn't he watch the news? Strained relationship USA/Russia, very strained relationship Georgia/Russia. I ask you!

Stress level is very high here - all major streets blocked - see photie (this is the main street in Tbilisi -5 minute walk from our apartment (and my f bank is just to the right and hence closed). The "opposition" leaders are all idiots - I hope the army steps in. Yours - not hopefully.


----------



## Gamajobert (Mar 7, 2009)

During reinstalling Ceedo I picked up Seagate tools for Windows and show the log of the 2 tests I ran. Whilst not very helpful it shows the failure point as almost immediate.

--------------- SeaTools for Windows v1.1.1.0 ---------------
4/28/2009 9:25:28 AM
Model: SAMSUNG SP0842N
Serial Number: S0DWJ1JL913859
Firmware Revision: BH100-45
Long DST - Started 4/28/2009 9:25:28 AM
Long DST - FAIL 4/28/2009 9:25:44 AM
Identify - Started 4/28/2009 9:29:13 AM
Identify - Pass 4/28/2009 9:29:14 AM
Long Generic - Started 4/28/2009 9:30:48 AM
Long Generic - FAIL 4/28/2009 9:32:04 AM
SMART - Pass 4/28/2009 9:51:18 AM
Short DST - Started 4/28/2009 9:51:39 AM
Short DST - FAIL 4/28/2009 9:51:55 AM


----------



## Gamajobert (Mar 7, 2009)

In Sea Tools there is an Advanced. It talks about overwriting the bad sector with zeros and trying to replace it with spare (forgot the word). Should I try it? It has all the usual warnings about losing data.


----------



## Gamajobert (Mar 7, 2009)

Sorry about post 96 - a little emotional - you can imagine the stress of a duff computer on top of this.


----------



## Rollin' Rog (Dec 9, 2000)

It shows fails and I can't really predict what the consequences of overwriting the sectors would be.

How well backed up are you with regard to personal files, and can you do a full reinstall if that were necessary?


----------



## Gamajobert (Mar 7, 2009)

I'm fully backed up. I did a full reinstall from the XP Pro disk in January but the freezes continued.


----------



## Gamajobert (Mar 7, 2009)

Could I try to repair from the disk? If so, how?


----------



## Gamajobert (Mar 7, 2009)

Just had a thought- maybe the XP disc is damaged - can I run chkdsk on it without risk?


----------



## Rollin' Rog (Dec 9, 2000)

Chkdsk only runs on drives, not optical disks.

If you are confident of being able to do a reinstall I would go ahead and run the drive vendor's utility. You may have to do a "clean" install however, not just a "repair" install if Windows fails to boot afterwards.


----------



## Gamajobert (Mar 7, 2009)

Before I try with the CD - I notice at start up there is Windows Recovery Console option. It talks about "repair" but is for advanced users and needs an Administrator entry. Should I give this a try and if so how?


----------



## Rollin' Rog (Dec 9, 2000)

It's good to have that, but for this issue there is nothing there for you. If you could not boot Windows normally or in safe mode, it can be used to run chkdsk and other commands that might repair boot time faults.


----------



## Gamajobert (Mar 7, 2009)

Booted from XP Pro CD - then R for repair. It took me to the Recovery Console. I know you said no point but I thought I would let it run anyway - it didn't run at all - just loaded Windows normally - I had to shut down fast in case a second partition was being created. No idea what to do next. 
By the way have been monitoring temps - fan runs to 70 degrees depending on what program I'm using, but HDD is fairly constant at 44.


----------



## Rollin' Rog (Dec 9, 2000)

Well you still have the option of running the drive vendor's utility that you mentioned. Are you still getting freezes?

But I don't know what happened when you tried to load the Recovery Console.

Pressing 'r' for "repair" should have gotten you to a password prompt which can be ignored if you did not create one.

http://commandwindows.com/recovery.htm

Once you are actually in the Recovery Console, you are in a "command prompt" window, not "normal" windows.

70c is a bit on the warm side so I don't know if there is a problem there, but if you see more than that the answer is probably yes. If normal programs cause a rise to 70c, then intensive scanning or graphics processing will probably cause a greater rise.


----------



## Gamajobert (Mar 7, 2009)

Something strange happening - every time I try to open the last page of this thread, I am asked to log in again. Am adding this to the bottom of page 7 and hope it transmits properly.

Anyway, read the WRC and "Fixmbr Repairs the master boot record of the specified disk" seems to be the only function which might be relevant - if you agree then I will try via the CD again. 

The dealer still has not come up with anything helpful, but I suspect he is about to go bust - like many businesses in Tbilisi.

On temp I am due a clean in the next week or so, and will see if that makes a difference - but had a full clean about 3 months ago and freezes continued. On freezes - yes, many - but today I don't really know as I can't get my Hearts to load fully (gets to Match found - then closes). I think I've answered your points but can't check as I'll have to start again.


----------



## Gamajobert (Mar 7, 2009)

Goodness me - it worked. I await your answer re WRC.


----------



## Rollin' Rog (Dec 9, 2000)

I'd leave the WRC out of it and try to get the temps down with a good cleaning.

There is nothing wrong with your MBR or you wouldn't be able to boot at all.

About the only other thing that might be relevant here is a vendor drive utility that might be able to overwrite or lock out the affected sectors. Not sure if chkdsk already has done this, I believe it is supposed to.

The question now is are you still getting "Disk" errors in the Event Viewer; if not, then the disk is probably not now an issue.


----------



## Gamajobert (Mar 7, 2009)

Ran chkdsk again - same message "restoring missing files". Unfortunately HD Tune has expired, so can't check with that. Let's leave things until after the clean up - I know you have limited time.


----------



## Gamajobert (Mar 7, 2009)

Follow up - installed HD Tune again. Same result - damaged segment.


----------



## Rollin' Rog (Dec 9, 2000)

HD Tune "expired"? You must have installed the "Pro" version. Not sure what that does that the free version doesn't, but there is a free version.

The damaged segment will probably always show up with it, but I am still not sure if Windows can use it.

So the real test is whether you continue to see "Disk" errors in the event viewer. If you do, then Windows has a problem with it that cannot be fixed by chkdsk.

Remember the Event Viewer can be accessed by running *eventvwr.msc*

Disk errors will show in the System log.


----------



## Gamajobert (Mar 7, 2009)

On HD Tune had installed trial of Pro - now using free version.

System

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 5/5/2009
Time: 8:26:22 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 5/5/2009
Time: 9:50:58 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The device, \Device\Harddisk0\D, has a bad block.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 5/5/2009
Time: 8:26:21 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 5/4/2009
Time: 2:51:22 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 5/4/2009
Time: 11:53:42 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The MBAMSwissArmy service failed to start due to the following error: 
The system cannot find the file specified. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 5/4/2009
Time: 9:32:15 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 5/3/2009
Time: 8:00:37 PM
User: JMHENDER-EAC4C7\John Henderson
Computer: JMHENDER-EAC4C7
Description:
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service WSearch with arguments "" in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 5/3/2009
Time: 7:46:15 PM
User: NT AUTHORITY\SYSTEM
Computer: JMHENDER-EAC4C7
Description:
The server {6A972E27-93E2-4F98-8367-4101B2073814} did not register with DCOM within the required timeout.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 5/3/2009
Time: 4:58:48 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The IP address lease 10.0.0.5 for the Network Card with network address 0017317D07A1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Applications

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 5/5/2009
Time: 2:33:41 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 5/5/2009
Time: 2:33:41 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 5/5/2009
Time: 2:33:40 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 5/5/2009
Time: 2:33:40 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 5/4/2009
Time: 11:16:07 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 5/4/2009
Time: 11:16:07 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 5/4/2009
Time: 9:47:50 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18702, fault address 0x000a9c51.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 5/3/2009
Time: 11:00:44 AM
User: NT AUTHORITY\SYSTEM
Computer: JMHENDER-EAC4C7
Description:
Windows saved user JMHENDER-EAC4C7\John Henderson registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. 
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 5/3/2009
Time: 1:57:50 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 5/2/2009
Time: 2:05:55 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Hanging application psi.exe, version 1.0.0.3, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 5/1/2009
Time: 7:19:07 PM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Hanging application speedfan.exe, version 4.37.0.236, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 5/1/2009
Time: 8:32:12 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
Hanging application psi.exe, version 1.0.0.3, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------
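Added example, not part of the original thread: the check discussed above (whether "Disk" errors still appear in the System log) run over Event Viewer text in the copy-paste format of the post above. The sample records, the computer name EXAMPLE-PC and all function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Header fields of one record in Event Viewer's plain-text copy format.
FIELD_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$"
)


def parse_events(text):
    """Split pasted Event Viewer text into one dict per event record."""
    events, current, section = [], None, "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        # Records start at "Event Type:". Blank lines are not separators,
        # because a description can contain one.
        if m and m.group(1) == "Event Type":
            current = {"Event Type": m.group(2), "Description": []}
            events.append(current)
            section = "header"
        elif current is None:
            continue  # log title or forum prose before the first record
        elif section == "header" and m:
            current[m.group(1)] = m.group(2)
        elif line == "Description:":
            section = "description"
        elif line == "Data:":
            section = "data"  # hex dump rows follow and are ignored
        elif section == "description":
            if line.startswith("For more information"):
                section = "trailer"  # ignore everything up to the next record
            elif line:
                current["Description"].append(line)
    for ev in events:
        ev["Description"] = " ".join(ev["Description"])
        try:
            ev["Event ID"] = int(ev["Event ID"])
            ev["When"] = datetime.strptime(
                ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        except (KeyError, ValueError):
            ev["When"] = None  # incomplete record: keep it, but undated
    return events


def disk_errors_since(events, since):
    """Disk-source errors logged at or after `since`, oldest first."""
    hits = [e for e in events
            if e.get("Event Source") == "Disk" and e["Event Type"] == "Error"
            and e["When"] is not None and e["When"] >= since]
    return sorted(hits, key=lambda e: e["When"])


def summarize(events):
    """Count events per (source, event ID) to show what dominates the log."""
    return Counter((e.get("Event Source"), e.get("Event ID")) for e in events)


# Constructed sample in the same layout as the pasted logs (not real data).
SAMPLE = r"""System

Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 5/5/2009
Time: 9:50:58 AM
User: N/A
Computer: EXAMPLE-PC
Description:
The device, \Device\Harddisk0\D, has a bad block.
For more information, see Help and Support Center.
Data:
0000: 03 00 68 00 01 00 b6 00 ..h.....

Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 5/3/2009
Time: 4:10:00 PM
User: N/A
Computer: EXAMPLE-PC
Description:
The device, \Device\Harddisk0\D, has a bad block.
For more information, see Help and Support Center.

Applications

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 5/5/2009
Time: 2:33:41 PM
User: N/A
Computer: EXAMPLE-PC
Description:
Failed auto update retrieval of third-party root list sequence number with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center.
"""

if __name__ == "__main__":
    parsed = parse_events(SAMPLE)
    print(summarize(parsed).most_common())
    for ev in disk_errors_since(parsed, datetime(2009, 5, 4)):
        print(ev["When"], ev["Event ID"], ev["Description"])
```

Pass the date of the last repair attempt as `since`; an empty result means no new bad-block events have been logged after it.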



## Gamajobert (Mar 7, 2009)

"Expert" coming to clean and look at HD tomorrow. Fingers crossed.


----------



## Gamajobert (Mar 7, 2009)

OK - squeaky clean - HD removed, cleaned (underside was dirty) and reseated. Temps during Hearts 67 max with HDD between 42-44. No freezes yet but I'm not holding my breath.


----------



## Rollin' Rog (Dec 9, 2000)

Cleaning the computer or hard drive does not fix the actual disk, which is still bad >>

Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 5/5/2009
Time: 9:50:58 AM
User: N/A
Computer: JMHENDER-EAC4C7
Description:
The device, \Device\Harddisk0\D, has a bad block.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Also, to resolve this error:



> Event Type: Warning
> Event Source: Userenv
> Event Category: None
> Event ID: 1517


You should install this >>

http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

As for the "crypt32" errors, I don't know what to suggest other than what I did in my first posts.


----------



## Gamajobert (Mar 7, 2009)

Thanks Rog - I've installed as suggested. On Errors - I opened the file but frankly have no idea what to do with it. So far, no freezes since clean.


----------



## Rollin' Rog (Dec 9, 2000)

Well I'd say hang in there then, but be thinking about getting a new drive.

I personally wouldn't take any risks unless something was an ongoing and persistent problem.

It seems like the freezes may have been heat related.


----------



## Gamajobert (Mar 7, 2009)

No freezes. Surprised if heat related as still working at mid-upper 60's - whatever - no freezes. I wondered if it could be to do with either the re-seating of the hard drive, or simply the unconnecting and reconnecting of all the feed cables (preparatory to the cleaning) - particularly the large scart. Anyway, thanks again for all the help - I hope I don't have to bother you again.


----------



## Rollin' Rog (Dec 9, 2000)

Yes that could have helped, so just keep fingers crossed and I will continue to monitor for a few days at least.

You can also feel free to PM me later if you like.


----------



## Gamajobert (Mar 7, 2009)

No freezes since Monday. Never thought we would solve this problem. Thanks a million.


----------



## Cookiegal (Aug 27, 2003)

That's great. I'm glad Rog worked it out for you. 

Thanks Rog! :up:


----------



## Rollin' Rog (Dec 9, 2000)

Very cool 

Glad to help 

PS, you can mark this thread "Solved" if you feel all is well ...


----------



## Gamajobert (Mar 7, 2009)

Cookiegal - just realised that I forgot to thank you - so THANK YOU


----------



## Cookiegal (Aug 27, 2003)

That's OK. I actually claimed some of those million thanks you posted to Rog, who deserved them all but I didn't think he'd miss 100,000 or so.


----------



## Cookiegal (Aug 27, 2003)

I'd like to see a new HijackThis log and let me know what you did about the infected Hearts program please.


----------



## Gamajobert (Mar 7, 2009)

This is getting like Alice in Wonderland.

The post to which you have replied is missing! I checked under "Not logging in properly" but it's not there either and I can't remember under which thread I posted it. I logged straight into Forum today via my desktop Forum icon - but I'll now try again via the email links.


----------



## Gamajobert (Mar 7, 2009)

Curiouser and curiouser. My last post is missing (Alice in Wonderland ref). Went back to email and clicked on links to both your posts - straight into Forum on each but the "infected hearts" post still not there.

Maybe it will help you if I explain exactly what was happening in Hearts. I entered via the desktop icon created via Favourites. The first default is the hearts page saying "Welcome" but not with my name on it. Click on Go and (sometimes) it would move to my site (Genglish-gent). Most times it opened a new default saying "Go back to Hearts page and sign in" - this would happen several times before I was signed in - often it didn't sign in at all, so I would uninstall via Search, delete Msn cookies via CCleaner, then reinstall Hearts after reboot. Yesterday, I opened the Hearts page from the desktop but instead of clicking on Go - went to Free Games, then clicked on Hearts and got straight in (did it several times to make sure it wasn't a one-off). After your posts today I did the same again and got straight into the game via Free Games.

Cookiegal - to avoid confusion, would it be a good idea to start a new thread "infected Hearts"?

HJT below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:50 AM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\John Henderson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John Henderson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games - Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
--
End of file - 8765 bytes


----------



## Gamajobert (Mar 7, 2009)

Again odd - I posted a long reply +HJT - not here. Another HJT below:
If this one "takes" I will again send data on Hearts.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:32 AM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\John Henderson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN\Toolbar\3.0.1203.0\msntask.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John Henderson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games - Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
--
End of file - 8917 bytes


----------



## Gamajobert (Mar 7, 2009)

Dear God - now original post is there!


----------



## Gamajobert (Mar 7, 2009)

Some additional data on hearts (I already posted this but way back).

The freezes here were not the kind where the cursor locks - instead the cursor would move but nothing would react to the clicks. Tried ctrl/alt/del but Task Manager only showed 2 processes running - the Welcome Genglish Gent Hearts page and the running game page. I tried switching back and forward and sometimes this freed things up but mostly didn't.


----------



## Cookiegal (Aug 27, 2003)

But what is it that's telling you the Hearts game is infected?


----------



## Gamajobert (Mar 7, 2009)

Didn't realise you had transferred my thread to here - only just seen it. Will check this post goes then answer the question.


----------



## Gamajobert (Mar 7, 2009)

Goodness me - all that stress for nothing.

OK - I have no evidence that the game is/was infected. All I knew was that the "freezes" were only happening when I D/L the game in the normal way. Now however, the "freezes" are also happening when I D/L in the new way - see post 133. Have only had one "normal" freeze in the last 3 weeks.


----------



## Cookiegal (Aug 27, 2003)

Gamajobert said:


> Didn't realise you had transferred my thread to here - only just seen it. Will check this post goes then answer the question.


This thread has never been moved.


----------



## Gamajobert (Mar 7, 2009)

Something is going on - when I looked in "Search my posts", then "screen freeze" - there were no recent posts - hence my PM to you. When I looked in Security and HJT Forum I found them and sent the above reply. Now I'm back in "screen freeze" under Search my posts, and all posts are here (I'm not sure where "here" is).

So, was there anything in HJT?


----------



## Cookiegal (Aug 27, 2003)

I don't have a clue. I never use those functions.

You can click on your username and select the option to find your posts there or click on Quick Links and select the option to view your subscribed threads.


----------

