Options
HSA so I did HJT BUT.....
Hi. I was having problems with the computer shutting down and rebooting mysteriously -- usually in the middle of my Earthlink Protection Control Center virus scan. It would not allow me to do a chkdsk /f on run because it said that the "volume was in use by another process". I thought that was odd. Anyway, It would let me run AdWare SE all the way through but not Spybot without rebooting.
I first tried going to ctl-alt-del and killing suspicious-looking processes. That didn't help much except I saw a file called ADSSER~1.EXE which looked suspicious so I did a Google on it and got your site and thread #18846 written by Dexter from Vancouver. It was very helpful and I followed it the best I could including downloading HJT and about:Buster and get_active_services etc. All these things worked fine and I made lots of log files but it still did the reboot thing eventually right in the middle of programs. One problem I had was as I was running HJT early on when I first found the bad files in the HJT listing (such as R3 - Default URLSearchHook is missing) I just deleted them. Later I realized that I wasn’t supposed to do that until later.
I’ve now followed all the steps except I can’t find any bad files with Buster or anything…. So did I fix it and I just have another problem or what? Help…
Here is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:05:14 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\AuthFw.exe
C:\WINDOWS\system32\msiexec.exe
C:\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sycamoreeducation.com/index.php?schoolid=1108
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149867190531
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
C:\HiJackThis\hijackthis0625zzz.log, 6/25/2006, 11:16 PM
Here is the MS error message I get every time when it reboots by itself:
June 26, 2006, 10am error message when I logged in:
... something about a critical error and then I get this detail:
C:\DOCUME~1\Eric\LOCALS~1\Temp\WER9fff.dir00\Mini062506-07.dmp
C:\DOCUME~1\Eric\LOCALS~1\Temp\WER9fff.dir00\sysdata.xml
BCCode : 100000d1 BCP1 : 610D262D BCP2 : 00000007 BCP3 : 00000000
BCP4 : F71D3C36 OSVer : 5_1_2600 SP : 2_0 Product : 768_1
airclick
I first tried going to ctl-alt-del and killing suspicious-looking processes. That didn't help much except I saw a file called ADSSER~1.EXE which looked suspicious so I did a Google on it and got your site and thread #18846 written by Dexter from Vancouver. It was very helpful and I followed it the best I could including downloading HJT and about:Buster and get_active_services etc. All these things worked fine and I made lots of log files but it still did the reboot thing eventually right in the middle of programs. One problem I had was as I was running HJT early on when I first found the bad files in the HJT listing (such as R3 - Default URLSearchHook is missing) I just deleted them. Later I realized that I wasn’t supposed to do that until later.
I’ve now followed all the steps except I can’t find any bad files with Buster or anything…. So did I fix it and I just have another problem or what? Help…
Here is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:05:14 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\AuthFw.exe
C:\WINDOWS\system32\msiexec.exe
C:\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sycamoreeducation.com/index.php?schoolid=1108
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149867190531
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
C:\HiJackThis\hijackthis0625zzz.log, 6/25/2006, 11:16 PM
Here is the MS error message I get every time when it reboots by itself:
June 26, 2006, 10am error message when I logged in:
... something about a critical error and then I get this detail:
C:\DOCUME~1\Eric\LOCALS~1\Temp\WER9fff.dir00\Mini062506-07.dmp
C:\DOCUME~1\Eric\LOCALS~1\Temp\WER9fff.dir00\sysdata.xml
BCCode : 100000d1 BCP1 : 610D262D BCP2 : 00000007 BCP3 : 00000000
BCP4 : F71D3C36 OSVer : 5_1_2600 SP : 2_0 Product : 768_1
airclick
0
Comments
Lets see if we can help you.
Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
- Double click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.