DrWatson Postmortem Debugger

Revolutiontt

Distinguished
Mar 29, 2009
Hi Tom's Hardware,



First of all I'd like to clarify simply what this thread is regarding (at least as far as I can), considering I hardly know myself.

Clarification

Ok, well it was about a year or so ago when a friend of mine infected my computer with a complete bastard of a virus. So I decided, well, I suppose I'll just format; not too long after, literally 10 - 15 formats later, I did believe it was gone (it was a virus that infected every exe file on my computer, so if I was to take those exe files anywhere else obviously it would start again).

Now I did not ever determine just what this virus was named (nor did I even really investigate it at all much back then); I simply formatted and thought, well, to hell with this thing if it doesn't want to be removed by almost any bloody anti-virus program that I have used.

Things were fine for a year or so, though recently in the past few months the same friend has started giving me files and what not again (mostly media files, via an external HDD).

Lately my virus programs AVG & NOD32 (I switch quite often because I don't believe AVG works very well and NOD32 seems to bloody well completely ruin any port-forwarding via uTorrent; anyway, that's another story).

The virus programs have started picking up Trojan alerts in my System Volume folders, which brings me to think that could definitely be the way this Trojan gets around (since it goes via flash drives & external HDDs and what not).

Now finally we are getting back to where this topic title originated (DrWatson Postmortem Debugger). I've recently read quite a few articles on several websites saying that it's possible that DrWatson Postmortem Debugger can be used as a mask for Trojans....


AceBot

AceBot...... supposedly one of the largest viruses and the most bastard of them all out there (at least for SP2). It's probably quite old now; I am running SP3, though I'm wondering, since I was running SP2 at one point in time, is it possible that the virus is still affecting me?


Conclusion

In the past few weeks I've been experiencing some serious malfunctions in my computer; I'll list as many as I can think of.


[In order of most common]

1. All-around computer speed has decreased, in some cases taking literally 1 - 3 minutes to open ANY application.

2. Windows Live Messenger crashing very often. (This sometimes triggers the DrWatson Error)

3. My browser can only access HTTPS websites not ANY HTTP website at all.

4. A lot of my Java applications also seem to crash & error quite a lot.

5. AVG crashed and was asking for error reports to be sent to AVG.


To conclude, what I'm really asking for is your opinion & help regarding anything that is wrong with my computer.


Logs


HijackThis

Code:
Logfile of HijackThis v1.99.1
Scan saved at 2:25:53 AM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\drivers\itech4\itech.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\CronoSoft\Quick Hide Windows\qhw.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\bootcd\wintools\autorun.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Aaron\Desktop\Extreme Virus Removal\HijackThis\HijackThis.exe

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [itech4] C:\WINDOWS\system32\drivers\itech4\itech.exe
O4 - HKLM\..\Run: [Malwarebytes Piracy] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /piracy
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Quick Hide Windows] C:\Program Files\CronoSoft\Quick Hide Windows\qhw.exe -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: SoundMAX Control Panel.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238633442281
O17 - HKLM\System\CCS\Services\Tcpip\..\{73F6C600-AF72-41B3-BFBE-F97DD489C94B}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3BA4602-0A62-4FCC-A61A-96EF6B5C7664}: NameServer = 203.12.160.35,203.12.160.36
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: MBAMService - Malwarebytes - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Service.exe" -service (file missing)
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe


ESET NOD32 Antivirus

Code:
Date: 4/7/2009
Time: 4:28:20 PM
Directory: C:\System Volume Information\_restore{D3695F7F-6197-4762-9134-CA0B8E551470}\RP43\A0013337.exe
Size: 126976
Reason: probably a variant of Win32/Agent Trojan


Date: 4/7/2009
Time: 4:23:25 PM
Directory: C:\System Volume Information\_restore{D3695F7F-6197-4762-9134-CA0B8E551470}\RP27\A0011389.dll
Size: 590792
Reason: Win32/Adware.WhenU.SaveNow application



Malwarebytes' Anti-Malware

Code:
Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/7/2009 12:02:19 AM
mbam-log-2009-04-07 (00-02-19).txt

Scan type: Quick Scan
Objects scanned: 75378
Time elapsed: 11 minute(s), 0 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\services.exe (Backdoor.Bot) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> Delete on reboot.



Thanks in advance,

RevolutionTT.
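A small triage script for HijackThis v1.99 logs like the ones posted above, added here as an example and not code from HijackThis, Tom's Hardware or either poster. The sample log is constructed to mirror the thread's log format, and the flags it raises (core binary outside System32, entry pointing at a missing file, unknown service owner, duplicate Winsock LSP, autorun executable under a drivers directory) are my own review heuristics, not HijackThis output.

```python
"""Triage a HijackThis v1.99 log (added example; not code from the thread).

Assumptions, all mine and not from the page: SAMPLE_LOG is constructed in the
shape of the thread's logs, and every flag below is a defender heuristic to
prioritise manual review, not a verdict.
"""
import re
from dataclasses import dataclass

# XP core binaries that should only ever run from %SystemRoot%\System32.
# A same-named file elsewhere (e.g. C:\WINDOWS\services.exe) is a classic
# masquerade and matches what the MBAM log in the thread flagged.
CORE_SYSTEM32 = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

# Constructed sample: a cut-down log in the same shape as the thread's logs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\Program Files\uTorrent\uTorrent.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [itech4] C:\WINDOWS\system32\drivers\itech4\itech.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide
O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Every HijackThis item line looks like "O<n> - <body>".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    entry: str
    reason: str


def parse(log):
    """Return (running process paths, [(section, body), ...]) from a log."""
    processes, entries = [], []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(log):
    """Return the Findings a human should look at first, processes first."""
    processes, entries = parse(log)
    findings = []
    for path in processes:
        parent, _, name = path.lower().rpartition("\\")
        if name in CORE_SYSTEM32 and not parent.endswith("\\system32"):
            findings.append(Finding(path, "core system binary outside System32"))
    seen_lsp = set()
    for section, body in entries:
        entry, low = f"{section} - {body}", body.lower()
        if "(no file)" in low or "(file missing)" in low:
            findings.append(Finding(entry, "registration points at a missing file"))
        if section == "O23" and "unknown owner" in low:
            findings.append(Finding(entry, "service with no identified vendor"))
        if section == "O10":
            if low in seen_lsp:
                findings.append(Finding(entry, "duplicate Winsock LSP registration"))
            seen_lsp.add(low)
        if section == "O4" and "\\drivers\\" in low:
            findings.append(Finding(entry, "autorun executable under a drivers directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:45} {f.entry}")
```

Run it against a full log saved from HijackThis to get a short review list instead of reading all 90-odd lines by eye.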
 

pat mcgroin

Distinguished
Nov 21, 2007
This will keep you busy for a while.

First, you have an amazing amount of stuff running at all times.
Start with uTorrent. Unless you are actively using it, TURN IT OFF.
PeerGuardian with uTorrent is a good thing.
A FIREWALL with P2P is also a good idea.
Enough of that.

The following may seem harsh but I don't mean for it to be. So please explain where you can.

I see a WD Drive Manager. What does that do for you?
Same with the CronoSoft Quick Hide Windows (wife? porno?)

Most of the following can be turned off until you need it (including uTorrent):
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\drivers\itech4\itech.exe (not sure what this is)
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
iTunes


Also, what is this E:\bootcd\wintools\autorun.exe?
Is this part of Alcohol or are you running Linux?
And this: as it says at the top you are on IExplorer, so
C:\Program Files\Mozilla Firefox\firefox.exe, why is that running?


Ok, we are at line 48 now if you're keeping track.

BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
I'll see if I can find more on this because it seems bad when there is no identity.

As for Bonjour, I'm not sure what it does. I know it has to do with Apple and iPods but I have turned it off and the kids haven't bitched yet, so maybe try it.

Lines 57 to 70 explain where the programs are launched from (same items as above).
Most you can go to Start | Run | msconfig | Startup and uncheck them.

Basically we are at line 70.

I think Malwarebytes took care of the trojan that you had, but I think the main reason for your slowdown is the amazing amount of stuff you have running all of the time.
Almost all of the things I mentioned (except the noted ones) can be turned off and will restart when required, e.g. RealPlayer only needs to start when a Real file is encountered and will do it by itself.

Please turn these things off and repost a HijackThis log and we can go from there.





 

Revolutiontt

Distinguished
Mar 29, 2009
This will indeed keep me busy for a while, I'm guessing....

uTorrent

uTorrent will have to be the main exception from all of this since I am seeding 24/7 to have at least a 1:1 ratio.


Regarding your comment earlier saying "The following may seem harsh but I don't mean for it to be. So please explain where you can.": please do not think anything you say will affect me in any way; I know you're simply here to help and I'm very grateful for that.


Western Digital Drive Manager

The Western Digital Drive Manager that is running is for my external 500 GB HDD, though I suppose when the external is not plugged in it is a very good idea to shut it off.


Quick Hide Windows

"Wife? Porno?" No, this is merely for people who use the same network as me and complain about the internet going slow, so what I do is use it to hide uTorrent; otherwise they will close it down.


Idle Programs

Most of the following can be turned off until you need it (including Utorrent)
1. C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

2. C:\Program Files\iTunes\iTunesHelper.exe

3. C:\Program Files\Common Files\Real\Update_OB\realsched.exe

4. C:\WINDOWS\system32\drivers\itech4\itech.exe (not sure what this is)

5. C:\Program Files\iPod\bin\iPodService.exe

6. C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

7. ITunes



1. Done; that's purely the application that Alcohol uses to mount images, I believe.

2. Done.

3. Done (don't really like RealPlayer, I've always used VLC & JetAudio, though the new RealPlayer with media downloading is quite good).

4. I have no idea what this thing is either; it has in fact been linked to a program running as "Services.exe" and been detected as a Trojan on AVG.

5. Done.

6. Done.

7. Done.


Hiren's BootCD WinTools 1.1

Also what is this E:\bootcd\wintools\autorun.exe
Is this part of Alchohol or are you running Linux?
And this as it says at the top you are on IExplorer
C:\Program Files\Mozilla Firefox\firefox.exe why is that running.

That's Hiren's BootCD being mounted by PowerISO. It's quite a nifty little program; I used it to obtain data off a completely stuffed-up HDD & I had it running yesterday to see if it could help me out with this malware.


I've summed up the programs that are inside Hiren's BootCD with a few screenshots that I have just taken (screenshots of: Main Window, AntiSpyware, Backup, Cleaners, Optimizers, Process, Recovery, Repair, Startup, Sysinfo, Testing, Tweakers, Other).



I now regret taking the time to do those, but anyway onto the next part.


Linux

No I am not running Linux, here's a quick system summary since it may be useful for future reference also.

(Please point out if the computer is actually pretty *** and that I don't even really have enough RAM to be running all these programs.)

Quick System Summary (screenshot)



Regarding the Internet Explorer question, well, whatever pointed out that I was using that was wrong.... I rarely ever use it except to perform manual Windows updates.


Ok, we are at line 48 now if you're keeping track.

Trying to, at least.


BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
I'll see if I can find more on this because it seems bad when there is no identity.


Please do so, because I have no idea what that is.


Bonjour

Nor am I sure what this program does, so I shall close it. (I highly doubt it's any threat, though it will need to be closed for optimal performance.)


Lines 57 to 70 explain where the programs are launched from (same items as above).
Most you can go to Start | Run | msconfig | Startup and uncheck them.

This is just to inform me about what lines 57 - 70 are regarding?


Ok, before I post the new HijackThis log I'm wondering how to disable all these programs from startup? I know the basic ones that have their own options menu where I can get in and disable them from startup, but I'm referring more so to iTunesHelper, iTunes iPodService, AppleMobileService & StarWindServiceAE, just basically all that crap that only my kids use.


You will see in the log below that iPodService, AppleMobileService and all that crap stated above is in fact still running though? Even after I've ended the process? Seems pretty odd.....

(I'm not 100% sure if they are running though; I'll post a screenshot of my processes taken literally like 2 seconds after the HijackThis scan.)


http://www.freeimagehosting.net/uploads/67fba79d87.png


HijackThis Log

Code:
Logfile of HijackThis v1.99.1
Scan saved at 1:16:27 PM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\CronoSoft\Quick Hide Windows\qhw.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\bootcd\wintools\autorun.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ntvdm.exe
C:\DOCUME~1\Aaron\LOCALS~1\Temp\JkDefrag.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Aaron\Desktop\Extreme Virus Removal\HijackThis\HijackThis.exe

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [itech4] C:\WINDOWS\system32\drivers\itech4\itech.exe
O4 - HKLM\..\Run: [Malwarebytes Piracy] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /piracy
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Quick Hide Windows] C:\Program Files\CronoSoft\Quick Hide Windows\qhw.exe -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: SoundMAX Control Panel.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238633442281
O17 - HKLM\System\CCS\Services\Tcpip\..\{73F6C600-AF72-41B3-BFBE-F97DD489C94B}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3BA4602-0A62-4FCC-A61A-96EF6B5C7664}: NameServer = 203.12.160.35,203.12.160.36
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: MBAMService - Malwarebytes - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Service.exe" -service (file missing)
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe


Thanks once again for the response and the help so far :)

RevolutionTT.
 

pat mcgroin

Distinguished
Nov 21, 2007
Ok, that looks somewhat better, and yes, the fewer things that are running the better off you will be, as most of your 2 megs. memory is always in use and therefore so is your HDD swapfile, constantly moving things in and out of memory.
So programs will take longer to load and to function.


First, when I run uTorrent I don't generally seed much. I know it says that you should
but I haven't really seen my speeds go up due to that. In fact my speeds seem to go down as all of my bandwidth is consumed with the uploading.
I am only on a 2MB connection. Generally if you have many seeds you will get a download rate.
Also having it running 24/7 means you have a much better chance of getting caught as I did. PeerGuardian helps but it isn't foolproof. Going through a proxy is better as it is harder to trace.

As for the unidentified BHO at line 48, it has something to do with MSN Messenger.
Being a BHO it probably only runs when Messenger does, so no big deal.

Is your external HDD on a USB setup?
If so you may be able to disable that (line 25 in the newest HijackThis log).
I have that drive and a Maxtor external drive and don't have that running.
I think it may have to do with the backup feature of the drive, so you should be able to turn that off until you need it.

Regarding the programs that you aren't sure how to turn off, you can click the Start button and then Run.
Type msconfig and OK. Then go to the Startup tab and you will see most of the things that start automatically when you turn on your computer. Just uncheck the boxes of the things that you don't want to start.
If you aren't sure, leave some on and we will deal with them later.
The worst that can happen is something won't work and we can turn them back on.

The itech.exe process seems to be missing in the recent HijackThis log, so possibly whatever you turned off took care of it.
I googled it and didn't really get a satisfying answer, but it could have to do with a Bluetooth device. Do you have one of those?
If not, look for it in Startup and uncheck it.

Once you uncheck these things in Startup and reboot you will see a message
saying that you have started in a diagnostic setup or some damn thing like that.
Just tell it OK. It will then take you to the msconfig page again, so just close it.
You will also see a checkbox to "Don't show me this warning again".
Don't check that box just yet, so that if you need to get back there you won't have to look for it. When everything is done, then you can check the box.

As for everything below line 69 in the newest log, don't worry about those just yet, as many will disappear when the ones on top disappear.


The Hiren's BootCD looks pretty interesting. I'm going to look into that for myself.
I have several of those things now but to have them in one package would be pretty helpful.

One last thing. It still shows that you are running both IExplorer and Firefox.
Is someone else on the network using that at the same time, or do you have that set to come on in some way? Having both at the same time consumes a lot of memory.

Once we get this sorted out you will think you have a new computer.



 

Revolutiontt

Distinguished
Mar 29, 2009
First of all I'd just like to say thanks once again for taking the time to view my thread.


uTorrent

The only reason why I leave uTorrent open for seeding is for the sheer fact that I'm a member of a private torrent tracker (a small community) which I like to seed for (also having my own profile/ratio).

I really don't care much about my ISP viewing what I am downloading (in all honesty I don't care at all).

External HDD

Yes, my external HDD is on a USB setup.


Automatic Startup Programs

Thank you, that gives me a much more advanced interface from which I can set my own personal settings quite simply.


iTech.exe

Yes, I did in fact take care of that; it turns out it was my son running that process.
He claims it was for a game called RuneScape.


Warning Box

Will do.


Hiren's BootCD

Yes, it's been proclaimed as "A profession in one program"


Iexplorer & Firefox

I have no idea why both are running; I've just checked my processes 2 seconds ago and IExplorer isn't running.
(If you have any ideas or anymore advice on this please tell me)


Once again thanks so much for all your advice & help,


RevolutionTT.
 

pat mcgroin

Distinguished
Nov 21, 2007
Possibly you aren't running IExplorer.
I just asked because it states that at the top of the HijackThis log, so I thought that is what you were on.

As for RuneScape, here is a good description I found in case you wonder what he's doing, and the itech makes sense.
Maybe I'll turn my kid onto that game. He's pretty into World of Warcraft.
http://en.wikipedia.org/wiki/RuneScape

Also I have a few questions about private trackers that maybe we can discuss through the PM feature and not in an open forum, because it wasn't my ISP that had a problem with it; they just told me about it.
If you aren't worried about things there must be a reason. Wink wink.

Also no problem with the help I'm laid off and real bored.
I like the thought of being helpful.
 

Revolutiontt

Distinguished
Mar 29, 2009
Lol, as do I; 90% of the time I'm just helping out in IRC.

Regarding the private trackers, we can discuss it via MSN if you like.

aaron-nagy@hotmail.com


Though if you prefer PMing from this forum i'm fine with that also.
 

pat mcgroin

Distinguished
Nov 21, 2007
Yeah, on the forum is easier for me as I don't generally run MSN.
Not to say I won't, I just never had a reason so I don't really know how.
Same with Skype. I just use it for phone calls.

Give me a little while, as I booted into XP to try and get some settings for someone else I'm trying to help, and I'll give it a try.