Problem
stefanus
08-30-2005, 02:26 PM
Hi all. I am in Zambia and visiting my daughter Amanda and family. Two friends of Amanda have got problems. The PCs often reboot and a pop-up window, reputedly from MS, informs them that their PCs have recently had a problem and asks whether they would like to report it to MS. I have a suspicion that this is related to pirate software. They have asked me to assist, and with your invaluable assistance I would like to try. The software has been purchased in local stores! but???? is it genuine, i.e. Windows Office 2000? I will appreciate any assistance and advice.
Fruss Tray Ted
08-30-2005, 03:01 PM
Those pop-ups that want to send error info to Microsoft are normal XP behaviour when the PC freezes or other problems occur. You'll need to concentrate on what is happening before the 'send error report' screen appears.
pop pop
08-30-2005, 03:43 PM
Also, if they are the XP pop-ups that are spawned due to application crashes and the like, you should be able to find some Dr Watson log files on the PC. Additionally, the Event Viewer will provide insight as to what is going on.
stefanus
08-31-2005, 05:34 AM
Have not been present when it occurs but will check it out shortly. OS is Windows XP, I think ;)
stefanus
09-10-2005, 04:44 AM
Have not yet had a chance to physically check the above problem, but will do so next week once all the monthly accounts are completed. Will it be possible to download HJT without using a zip file to open it??? Did I read Paleo Pete correctly, that if one shuts down a PC for +/- 4 mins and disconnects it from the power source (mains) it sometimes helps to clear such problems, or did I misinterpret him?? :o
Budfred
09-10-2005, 08:33 AM
The second mirror (and possibly others) on this page contains the executable version of HJT:
http://kotaguy.malwareremoval.com/
Whyzman
09-10-2005, 09:57 AM
Did I read Paleo Pete correctly, that if one shuts down a PC for +/- 4 mins and disconnects it from the power source (mains) it sometimes helps to clear such problems, or did I misinterpret him?? :o
I think I misinterpreted Pete completely... I disconnected and then kicked mine for +/- 4 mins...
It didn't stop the pop-ups, but I felt tremendously better for a while...actually, it was rather refreshing! :D
stefanus
09-10-2005, 01:25 PM
Thanx all, especially whyzman. Have had a mubi few days (gastric enteritis) and that cheered me up, LM*AO even :D :D
Paleo Pete
09-11-2005, 12:58 AM
The idea behind shutting down for a few minutes is to clear any malicious files/programs resident in memory. Normally it should only take 30 seconds or so, but I like to wait about 5 minutes to be positive. To be doubly sure you can unplug the machine and then hold the power on button down for 10-20 seconds.
This allows the stored electrical charge to drain from the capacitors, which can let malicious programs (like viruses) stay resident in memory during a "warm" reboot. That doesn't happen often but it does happen, so completely draining the power is a good way to be sure it's gone.
For the type of error message you describe this might be something you can do to be certain nothing remains in memory after rebooting, but probably is not necessary. Usually the only time I'm that particular about it is when I know I'm dealing with a virus or trojan or some of the nastier spyware like CoolWebSearch that is really difficult to remove. For a lot of those I just go ahead and use something like the Ultimate Boot CD that boots from CD into a Linux OS. The only problem I've had with that is Linux can't write to NTFS drives, therefore can't rename or delete files...
stefanus
09-15-2005, 02:11 AM
Thanx Pete! Whyzman! Now you know reboot does not mean using your feet! lol ;) ;) :D
Whyzman
09-15-2005, 09:05 PM
Now you know reboot does not mean using your feet! lol ;) ;) :D
Thanks for the clarification stefanus! Dual boot, however, does mean with both feet... correct?
stefanus
09-23-2005, 05:05 AM
Here is an HJT log of one of the PCs I have mentioned. Took some time but!!! Thanx for the help.
Logfile of HijackThis v1.99.1
Scan saved at 11:00:49, on 23/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX04.187\Hijack This.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mecer.co.za
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.22.65:9877
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mecer.co.za
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094772130203
O17 - HKLM\System\CCS\Services\Tcpip\..\{47BD613C-2F4F-405B-A7A2-6D44CFAE95FB}: NameServer = 217.30.16.2,217.30.16.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{47BD613C-2F4F-405B-A7A2-6D44CFAE95FB}: NameServer = 217.30.16.2,217.30.16.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Budfred
09-23-2005, 07:30 AM
This is the only thing in your log that is unusual, but I think it is legit:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.22.65:9877
The rest looks fine... You can run some deeper scans if you would like...
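The kind of triage Budfred does by eye above, as an added example that is not part of the thread: a small Python helper that parses HJT-style entry lines and lists the ones worth confirming by hand (a ProxyServer setting, classified as a private LAN address or a public one; an O4 autorun launched from a Temp folder; the O17 NameServer values; entries marked "(file missing)"). The sample lines are constructed to mirror the entry types in the log above; the Temp-folder autorun and the GUID placeholder are invented for the demonstration.

```python
import ipaddress
import re

# Constructed sample, modelled on the entry types in the HJT log posted above.
# The "[Updater]" line and the {GUID} placeholder are invented for this example.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.22.65:9877
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 217.30.16.2,217.30.16.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# HJT entry lines start with a section code (R0, R1, O2, O4, O17, ...) and " - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")

def parse_hjt(text):
    """Split an HJT log into (section, body) pairs; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def proxy_scope(proxy):
    """Classify a ProxyServer value: 'private' (LAN address), 'public', or 'hostname'."""
    host = proxy.rsplit(":", 1)[0]
    try:
        return "private" if ipaddress.ip_address(host).is_private else "public"
    except ValueError:
        return "hostname"

def triage(entries):
    """Return (section, note) for the entries a reviewer should confirm by hand."""
    findings = []
    for sec, body in entries:
        if sec == "R1" and "ProxyServer =" in body:
            proxy = body.split("=", 1)[1].strip()
            findings.append((sec, f"proxy {proxy} ({proxy_scope(proxy)}); confirm it is the LAN's proxy"))
        elif sec == "O4" and re.search(r"\\temp\\", body, re.I):
            findings.append((sec, "autorun launched from a Temp folder"))
        elif sec == "O17":
            findings.append((sec, "DNS " + body.split("=", 1)[1].strip() + "; confirm against the ISP"))
        elif "(file missing)" in body:
            findings.append((sec, "stale entry, target file missing"))
    return findings

if __name__ == "__main__":
    for sec, note in triage(parse_hjt(SAMPLE_LOG)):
        print(sec, "-", note)
```

The 10.10.22.65 proxy from the log classifies as a private address, which is consistent with Budfred's reading that it is a LAN proxy rather than something pointing out to the Internet.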
stefanus
09-23-2005, 11:35 AM
Thanx Budfred! I would prefer to run some deeper scans. How can I achieve this??
Budfred
09-23-2005, 09:54 PM
I'd start with Ewido:
Please download, install, and update the NEW free version of Ewido trojan scanner (http://www.ewido.net/en/download/):
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then you can do an MWavScan:
Try running an MWavScan... It will produce a log in the lower window that has the bad list and you will need to use Ctrl-C to copy it and then paste it here for review.... If the list is extremely long, you can just paste the lines that begin with the word "File" since those are the ones we need to be most concerned about...
http://www.mwti.net/products/mwav/mwav.asp
It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...
And finish with a rootkit scan:
http://www.f-secure.com/blacklight/
If none of them find anything, it is not likely to be malware...
stefanus
09-24-2005, 08:46 AM
Once again thanx! I will only be able to access the PC on Monday 26th Sept. There is also one odd TIF file/s that refuses to be deleted. I will post it here. I do not want to open it in case I really open a can of worms.
stefanus
09-26-2005, 05:12 AM
Ewido scan as at the shown date
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:08:07, 26/09/2005
+ Report-Checksum: 2185FDE
+ Scan result:
:mozilla.6:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\tz2zstld.default\cookies.txt -> Spyware.Cookie.Atdmt : Ignored
:mozilla.7:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\tz2zstld.default\cookies.txt -> Spyware.Cookie.Addynamix : Ignored
:mozilla.16:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\tz2zstld.default\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored
:mozilla.17:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\tz2zstld.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.18:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\tz2zstld.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.20:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\tz2zstld.default\cookies.txt -> Spyware.Cookie.Mediaplex : Ignored
:mozilla.21:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\tz2zstld.default\cookies.txt -> Spyware.Cookie.Bluestreak : Ignored
:mozilla.25:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\tz2zstld.default\cookies.txt -> Spyware.Cookie.Dbbsrv : Ignored
C:\Documents and Settings\user\Cookies\user@atdmt[2].txt -> Spyware.Cookie.Atdmt : Ignored
C:\Documents and Settings\user\Cookies\user@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Ignored
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Ignored
C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Ignored
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@atdmt[1].txt -> Spyware.Cookie.Atdmt : Ignored
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Ignored
Budfred
09-26-2005, 07:30 AM
Go ahead and fix those cookies with Ewido if you haven't already done so... Then do the MWavScan and follow up with the rootkit scan...
stefanus
09-27-2005, 01:41 AM
I was not too sure about the data/mozilla/firefox ones etc. The others, C:\Documents and Settings, doubleclick etc., I recognised and fixed.
Budfred
09-27-2005, 07:21 AM
Those are just where FireFox is keeping some cookies... Nuke 'em...