Q: My computer keeps freezing while online... (Answered, 0 Comments)
Question  
Subject: My computer keeps freezing while online...
Category: Computers > Internet
Asked by: chuck555129-ga
List Price: $100.00
Posted: 09 May 2004 12:48 PDT
Expires: 08 Jun 2004 12:48 PDT
Question ID: 343622
Hello, 
my computer keeps freezing while I'm online. I have Windows XP with
integrated SP1. Now, when I'm surfing, my computer freezes and
sometimes I hear ZZZZZZZZZZZZZZZZZZZZZ coming out of my speakers,
sometimes I don't. Sometimes this happens after being online for like
5 minutes, sometimes for like 40 minutes, sometimes for like 2 hours.
First, I thought that maybe my CPU is overheating, so I've installed a
program to monitor CPU heat, and it gets around 40. I'm not sure this
is a hardware problem. I've noticed that this happens only while
surfing (and not while talking over IM or while not doing anything). I
use IE 6.0 with SP1 and I thought that IE was the problem; I've
installed Opera and the same thing happens.
What is wrong in this picture? 

Regards, 
Chuck

Request for Question Clarification by sublime1-ga on 09 May 2004 13:08 PDT
chuck...

Have you looked at error logs? Go to Start -> Settings ->
Control Panel -> Administrative Tools -> Event Viewer, and
look under System Log and Application Log, and post what
you find there, please.

sublime1-ga

Request for Question Clarification by sublime1-ga on 09 May 2004 13:11 PDT
A user's guide on posting a clarification is on skermit-ga's
site, here: 
http://www.christopherwu.net/google_answers/answer_guide.html#how_clarify 
 
sublime1-ga

Clarification of Question by chuck555129-ga on 09 May 2004 13:54 PDT
I do have errors under System log, and just this one keeps repeating.
Source = Service Control Manager and, as far as I can see, most of the time
it's event # 7000, if that means anything to you. Also, most of the
times just before that error there is "Information" and source =
RemoteAccess and most of the times it's event # 20158. Under
Application log I have application hang / error from time to time, but
it's not that often so I'm guessing that's not it.

Did this help at all?

Regards, 
Chuck

Clarification of Question by chuck555129-ga on 09 May 2004 13:57 PDT
One more thing, when I click on that Service Control Manager error and
choose properties I get this in the description field:
"The OMSCAN service failed to start due to the following error:
The system cannot find the file specified."

And that Remote Access shows up when I connect online via dial-up.

Regards, 
Chuck

Request for Question Clarification by sublime1-ga on 09 May 2004 15:19 PDT
chuck...

It would be helpful in researching the errors if you can
copy and paste the exact text. This is the easiest way
to locate the same problem, and a possible solution, which
has been posted somewhere on the internet.

The only reference I find for OMSCAN  mentions the possibility
that this is related to HP Open Mail server or, possibly,
scanner software, such as Omnipage:
http://www.derkeiler.com/Newsgroups/microsoft.public.windowsxp.security_admin/2002-07/6735.html

You may be able to find where OMSCAN is being called for 
by going to Start -> Run and typing msconfig and hitting
Enter. Then look on the Startup tab on the resulting window
and look for something related.

Aha!

Cancel that. I just did a search for:

"remote access" 20158
http://www.google.com/search?q=%22remote+access%22+20158

The first search result is a spammy looking page titled
'Access My Home Pc at Omnicomtech.com'.
If you click on it, it eventually redirects to the
Omnicomtech.com homepage, which talks about software
for connecting to the internet.

A search for Omnicomtech.com on Google Groups returns
some pages which indicate Omnicom may be dealing in
what's called 'warez', or hacker software:
http://groups.google.com/groups?q=omnicomtech.com

The following page especially suggests this:
http://groups.google.com/groups?q=omnicomtech.com&hl=en&lr=&ie=UTF-8&oe=UTF-8&c2coff=1&safe=off&selm=337782b0befbf8e9659d72418bb34bb5%40xganon.com&rnum=3

My guess is that you have intentionally or unknowingly
downloaded and installed their software, and it is
interfering with the functioning of your system.

You should be able to regain control of your system
by going to Start -> Settings ->
Control Panel -> Administrative Tools -> Services,
and finding Remote Access Connection Manager and
Remote Access Auto Connection Manager, right-clicking
on each and selecting Properties. Then click on
'Stop' to stop the services. Also set the startup
type to 'Disabled'. If Windows is unable to stop
the services, reboot with them disabled, and you
should have control of your computer. Then uninstall
any software from Omnicomtech.com.

Let me know where this takes you...

sublime1-ga

Request for Question Clarification by sublime1-ga on 09 May 2004 17:48 PDT
chuck...

I've been researching this some more, and I have good reason
to believe that someone is accessing your computer using 
remote access software. The suggestions I gave you should
work to restore your control of your computer, but I just
wanted to let you know the likely severity of this threat.

Someone with this degree of access can literally take your
system over and lock you out completely, setting things up
so that, even when you reboot, you don't have the control
to restore the system. They can literally take over
Administrative permissions and lock you out from making
restorative changes. The sooner you act, the better.

sublime1-ga
Answer  
Subject: Re: My computer keeps freezing while online...
Answered By: sublime1-ga on 09 May 2004 22:03 PDT
 
Chuck...

Although I don't usually like to post a formal answer to
a question involving a computer problem which has not
been finally resolved, I will do so in this case, since
I'm all but certain that your computer is being attacked
from a remote location, using remote access software,
which is quite likely a warez version of Omnicomtech
software.

For the sake of completeness, I will repeat here the
steps I have asked you to take so far:

--------------------------------------------------------

Have a look at your error logs. Go to Start -> Settings ->
Control Panel -> Administrative Tools -> Event Viewer, and
look under System Log and Application Log, and post what
you find there, please.

It would be helpful in researching the errors if you can
copy and paste the exact text. This is the easiest way
to locate the same problem, and a possible solution, which
has been posted somewhere on the internet.

---------------------------------------------------------

You posted:

"I do have errors under System log, and just this one keeps repeating.
 Source = Service Control Manager and, as far as I can see, most of the time
 it's event # 7000, if that means anything to you. Also, most of the
 times just before that error there is "Information" and source =
 RemoteAccess and most of the times it's event # 20158. Under
 Application log I have application hang / error from time to time,
 but it's not that often so I'm guessing that's not it."

and

"One more thing, when I click on that Service Control Manager error
 and choose properties I get this in the description field:
 'The OMSCAN service failed to start due to the following error:
 The system cannot find the file specified.'

 And that Remote Access shows up when I connect online via dial-up."

---------------------------------------------------------

The only reference I find for OMSCAN  mentions the possibility
that this is related to HP Open Mail server or, possibly,
scanner software, such as Omnipage:
http://www.derkeiler.com/Newsgroups/microsoft.public.windowsxp.security_admin/2002-07/6735.html

You may be able to find where OMSCAN is being called for 
by going to Start -> Run and typing msconfig and hitting
Enter. Then look on the Startup tab on the resulting window
and look for something related.

Aha! Cancel that. ***Actually, don't cancel looking at the
Startup tab in msconfig. You may still be able to determine
the location being sought by Windows for the OMSCAN file
which it isn't able to locate.***


I just did a search for:

"remote access" 20158
http://www.google.com/search?q=%22remote+access%22+20158

The first search result is a spammy looking page titled
'Access My Home Pc at Omnicomtech.com'.
If you click on it, it eventually redirects to the
Omnicomtech.com homepage, which talks about software
for connecting to the internet.

A search for Omnicomtech.com on Google Groups returns
some pages which indicate Omnicom may be dealing in
what's called 'warez', or hacker software:
http://groups.google.com/groups?q=omnicomtech.com

The following page especially suggests this:
http://groups.google.com/groups?q=omnicomtech.com&hl=en&lr=&ie=UTF-8&oe=UTF-8&c2coff=1&safe=off&selm=337782b0befbf8e9659d72418bb34bb5%40xganon.com&rnum=3

***On closer examination, the page above suggests that the
Orion group of hackers has succeeded in producing a 'warez'
version of Omnicom.tech's remote access software, which 
would make it widely available for free to wannabe hackers.
Combined with a worm or trojan which could be delivered in
any number of ways, this would allow a hacker to take over
control of your computer, as indicated in this post on the
PCbanter.com forums, noting a Remote Access event ID 20158:

"I have also discovered the same problem. So, check this
out. Even with 2 firewalls and Norton. I ran a scan and it
came up with a Backdoor.IRC.Zcrew virus! A Trojan Horse.
My computor is no longer MY COMPUTOR! My CD tray opens and
closes all by it's self, My number lock goes on and off.
My mouse was set backwards. My display on screen was
inverted. My passwords stolen. I was fired as Admistrator
on my own Computor! The list goes on and on."
http://www.pcbanter.net/showthread/t-116778.html

Someone with this degree of access can literally take your
system over and lock you out completely, setting things up
so that, even when you reboot, you don't have the control
to restore the system. They can literally take over
Administrative permissions and lock you out from making
restorative changes. The sooner you act, the better.

My guess is that you have intentionally or unknowingly
downloaded and installed their software, and it is
interfering with the functioning of your system.

You should be able to regain control of your system
by going to Start -> Settings ->
Control Panel -> Administrative Tools -> Services,
and finding Remote Access Connection Manager and
Remote Access Auto Connection Manager, right-clicking
on each and selecting Properties. Then click on
'Stop' to stop the services. Also set the startup
type to 'Disabled'. If Windows is unable to stop
the services, reboot with them disabled, and you
should have control of your computer. Then uninstall
any software from Omnicomtech.com.

Also uncheck any entries on the msconfig Startup
tab which reference OMSCAN.

And, since this may have been accomplished in conjunction
with a worm or trojan, it is vital that you do a thorough
scan on your system. You haven't yet mentioned having an
antivirus program installed, so you can use one of the
following free online scans:

AntiVir
http://www.free-av.com/

Bit Defender
http://www.bitdefender.com/scan/licence.php

Trend Micro
http://housecall.trendmicro.com/housecall/start_corp.asp


Since your computer has been so compromised, you 
could also likely benefit from using any or all of
the following anti-adware & spyware programs to
clean up your system:

AdAware
http://www.lavasoftusa.com/software/adaware/

Bazooka Spyware Scanner
http://www.kephyr.com/spywarescanner/

BHODemon
http://www.definitivesolutions.com/bhodemon.htm

CWShredder
http://www.spywareinfo.com/~merijn/downloads.html

Spybot Search & Destroy
http://security.kolla.de/

Spyware Blaster
http://www.javacoolsoftware.com/spywareblaster.html

WinPatrol
http://www.winpatrol.com/


Please do not rate this answer until you are satisfied that  
the answer cannot be improved upon by way of a dialog  
via the "Request for Clarification" process. I will be glad
to continue providing you further assistance based on the
feedback you provide me.

sublime1-ga
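
Editor's added example (not part of sublime1-ga's answer). The answer
above tells the asker to read the 7000 error in Event Viewer and then
look through msconfig for whatever is calling OMSCAN. Two points a
practitioner would want noted first. The RemoteAccess 20158
"Information" event is written by the built-in dial-up client on every
successful connection, which matches the asker's own observation that it
appears when he dials in, so on its own it is a baseline event rather
than a sign of intrusion; the lead is the 7000 error, which names a
registered service whose binary is missing. And the msconfig Startup tab
lists Run keys and startup folders, not services, so a service
registration will not appear there; it lives under
HKLM\SYSTEM\CurrentControlSet\Services. The script below does that lookup
from a shell. It assumes a current Windows host with PowerShell 5 or
later and an elevated prompt (the asker's 2004 XP box had no PowerShell;
there it is the same walk in regedit). OMSCAN is the only name taken from
the thread; everything else is assumed.

```powershell
# Added example, not code from the original answer. Walks Service Control
# Manager event 7000 ("The X service failed to start ...") back to the
# service registration behind it and checks whether the binary it points
# at still exists. Assumes PowerShell 5+ on a current Windows host, run
# elevated. The service name from the thread (OMSCAN) is just one of the
# names this will turn up; nothing is hard-coded.

function Resolve-ServiceImage {
    param([string]$ImagePath)
    # ImagePath comes in several shapes: "quoted path" with arguments,
    # \??\C:\... NT paths, %SystemRoot% variables, and for drivers a path
    # relative to the Windows directory such as System32\DRIVERS\x.sys.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -match '^"(?<q>[^"]+)"') {
        $p = $Matches['q']                           # quoted: keep what is inside the quotes
    } elseif ($p -match '^(?<bin>.+?\.(exe|sys|dll))(\s|$)') {
        $p = $Matches['bin']                         # unquoted: keep up to the binary extension
    }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# 1. Every service the SCM has reported as failing to start. For event 7000
#    the first insertion string is the service name shown in the message.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 } -MaxEvents 200 -ErrorAction SilentlyContinue
$names  = $events | ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique

foreach ($name in $names) {
    # 2. Event 7000 reports the display name, so match on key name or DisplayName.
    $keys = Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | Where-Object {
        $_.PSChildName -eq $name -or
        (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisplayName -eq $name
    }
    if (-not $keys) { Write-Output "$name : no key under CurrentControlSet\Services (already removed?)"; continue }

    foreach ($k in $keys) {
        $reg   = Get-ItemProperty -Path $k.PSPath
        $file  = if ($reg.ImagePath) { Resolve-ServiceImage $reg.ImagePath } else { '(no ImagePath)' }
        $start = if ($null -ne $reg.Start) { $startTypes[[int]$reg.Start] } else { '(none)' }
        [pscustomobject]@{
            Service    = $k.PSChildName
            StartType  = $start
            Type       = $reg.Type       # 1/2 = kernel or file-system driver, 16/32 = Win32 service
            ImagePath  = $reg.ImagePath
            Resolved   = $file
            FileExists = Test-Path -LiteralPath $file
            # Drivers also get a LEGACY_<NAME> entry under Enum\Root; it is removed
            # together with the service rather than by hand.
            LegacyKey  = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($k.PSChildName.ToUpper())" -ErrorAction SilentlyContinue
        }
    }
}
```

A row with FileExists False for a service you did not install is the
one to act on. Set-Service -StartupType Disabled only changes the Start
value; sc.exe delete <name> (or Remove-Service on PowerShell 6 and later)
removes the registration, which is what stops the SCM from logging the
7000 error at every boot. Stopping the Remote Access services, as
suggested above, is a different thing: they are the built-in dial-up
client, and disabling them takes the connection down with them.
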

Request for Answer Clarification by chuck555129-ga on 10 May 2004 11:49 PDT
Hi...
I've first tried to stop and disable Remote Access Connection Manager and
Remote Access Auto Connection Manager, but when I do that, I can no
longer connect online via dial-up. I click on the connect icon and
nothing shows up, but when I turn Remote Access Connection Manager and
Remote Access Auto Connection Manager back on, it connects fine.
I've installed Norton AntiVirus and downloaded virus definitions, and ran
the scan. I had the same worm in 5 different files, called "W32.Gaobot.AFJ".
Norton removed the files and after that I've done some checking on
that worm and have found some "tutorials" on how to remove it. I've
checked the registry and have found leftover pieces of it and deleted them. I
thought for a moment that this was the solution to my problem, but I was
wrong.

Just a few minutes ago, my computer froze again. I looked at the logs later
and there is still that "Service Control Manager" error, about a
minute after I connect online. I have this in the description field:
"The OMSCAN service failed to start due to the following error: 
The system cannot find the file specified. 

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp."

And it's always this same error msg. 
Please advise!

Regards, 
Chuck

Clarification of Answer by sublime1-ga on 10 May 2004 14:10 PDT
Chuck...

Yes, I suspected you might have a worm of the nature you 
found. The W32.Gaobot.AFJ worm is a very complex and
insidious worm. I doubt that just running Norton and 
deleting the identified files will restore your system.

The Symantec (Norton) security bulletin on this worm is
several pages long, and removal is a complex operation.
You should review this page to ensure that there are
not other changes (such as a re-written HOSTS file) 
which need to be addressed:
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.afj.html

Additionally, on the same page it is noted that this worm:

"Connects to a remote IRC server and awaits commands from
 the remote attacker. The backdoor allows the attacker to
 perform the following actions on a compromised system:

 Run commands
 Retrieve files via FTP and HTTP
 Retrieve data from the registry
 Restart the computer
 List processes
 Kill a particular process
 Terminate Windows services
 Perform HTTP, ICMP, SYN, and UDP floods
 Retrieve email addresses stored on the computer
 Retrieve a list of email addresses via HTTP
 Retrieve a given URL
 Sniff HTTP, FTP, and IRC traffic
 Steal the Windows product ID and the CD keys of various
 video games"

This being the case, even if the worm has been removed,
the hacker who planted it may have found a way into
your system that is still functional after the worm has
been removed. You note that the error message says that
it is still looking for the OMSCAN service. Again, this
may be related to a warez version of Omnicomtech.com
remote access software having been installed on your
system. It appears that the file is now missing, which
is good, but you need to find what process is calling it.

Again, have a look in msconfig on the Startup tab and see
if you can identify any unusual program which doesn't look
like something you installed, especially something with the
word OMNI in it. Look at the location where this file is
supposed to be located, and see what that directory relates
to.

Make sure you've installed all the Microsoft fixes for the
security issues which are exploited by the worm you had, 
noted at the top of the Symantec page:

"DCOM RPC Vulnerability (described in Microsoft Security
 Bulletin MS03-026) using TCP port 135.

 Workstation Service Buffer Overrun Vulnerability (described
 in Microsoft Security Bulletin MS03-049) using TCP port 445.
 Windows XP users are protected against this vulnerability
 if Microsoft Security Bulletin MS03-043 has been applied.
 Windows 2000 users must apply MS03-049.

 Exploits the Microsoft Windows Local Security Authority
 Service Remote Buffer Overflow (described in Microsoft
 Security Bulletin MS04-011)."
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.afj.html

If all of the above does not resolve the issue, please
go to the following page and download Hijack This and
Startup List, run them and post the resulting logs here,
and I'll see what I can find from them:
http://www.spywareinfo.com/~merijn/downloads.html

sublime1-ga
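
Editor's added example (not from the answer). The clarification above
points at the Symantec write-up's warning about a rewritten HOSTS file.
The reason the Gaobot family does that is to point antivirus and update
hosts at the loopback address, so definition updates and online scanners
fail silently; that is worth checking before trusting the result of the
Norton scan the asker just ran. The function below reads HOSTS lines and
reports every mapping other than localhost, grading the classic
"security vendor sent to 127.0.0.1" case highest. It assumes PowerShell 5
or later; the sample lines are constructed for the example and the
vendor name list is this example's own assumption, not something the
page states.

```powershell
# Added example, not code from the original answer. Reports non-loopback
# HOSTS entries; the vendor list below is an assumption used for grading.

function Get-HostsFindings {
    param([string[]]$Lines)
    foreach ($raw in $Lines) {
        $line = ($raw -replace '#.*$', '').Trim()          # drop comments and blank lines
        if (-not $line) { continue }
        $ip, $hosts = $line -split '\s+'                   # first token is the address, rest are names
        foreach ($h in $hosts) {
            if ($h -eq 'localhost' -and $ip -in @('127.0.0.1', '::1')) { continue }   # the one normal line
            $sinkholed = $ip -in @('127.0.0.1', '0.0.0.0', '::1')
            # Vendor names pointed at loopback is the worm signature: updates and
            # online scanners quietly stop working.
            $vendor   = $h -match 'symantec|norton|mcafee|trendmicro|kaspersky|sophos|microsoft|windowsupdate'
            $severity = if ($sinkholed -and $vendor) { 'High' } elseif ($sinkholed) { 'Medium' } else { 'Info' }
            [pscustomobject]@{ Severity = $severity; Host = $h; Address = $ip }
        }
    }
}

# Constructed sample; the vendor hosts are the ones named in this thread.
$sample = @'
# constructed HOSTS sample for the example
127.0.0.1       localhost
127.0.0.1       securityresponse.symantec.com
127.0.0.1       www.symantec.com
0.0.0.0         housecall.trendmicro.com
10.1.2.3        intranet.example
'@

Get-HostsFindings ($sample -split "`r?`n") | Format-Table -AutoSize

# Against the live file on the machine being examined:
# Get-HostsFindings (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts") | Format-Table -AutoSize
```

Anything graded High should be removed from HOSTS before the antivirus
is trusted to update itself; a Medium entry is a name deliberately
blocked on this machine and needs a reason; Info rows are ordinary
static mappings and only need to be ones you recognise.
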

Request for Answer Clarification by chuck555129-ga on 11 May 2004 10:05 PDT
I've downloaded security patches WindowsXP-KB824105-x86-ENU and
WindowsXP-KB828035-x86-ENU ... I've installed them but that didn't
help. Here are the logs you've asked for. I hope it helps.

StartupList report, 5/11/2004, 6:57:09 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\Desktop\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\WINDOWS\vcdplayx.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
PGPtray.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PtiuPbmd = Rundll32.exe ptipbm.dll,SetWriteBack
Ptipbmf = rundll32.exe ptipbmf.dll,SetWriteCacheMode
CTSysVol = C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
CTDVDDET = C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
CTHelper = CTHELPER.EXE
AsioReg = REGSVR32.EXE /S CTASIO.DLL
SBDrvDet = C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
UpdReg = C:\WINDOWS\UpdReg.EXE
WinampAgent = "C:\Program Files\Winamp\Winampa.exe"
VirtualDrive = C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
vcdplayx = "C:\WINDOWS\vcdplayx.exe"
ScanRegistry = C:\W
BigDogPath = C:\WINDOWS\VM_STI.EXE VideoCAM Web V2
DAEMON Tools-1033 = "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
ASUS Probe = C:\Program Files\ASUS\Probe\AsusProb.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
RemoteCenter = C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat
5.0\Reader\ActiveX\AcroIEHelper.ocx -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll -
{BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[shizmoo Class]
InProcServer32 = C:\Program Files\shizmoo\icq_webgames\odyssey_webmoo8.dll
CODEBASE = http://playroom2.icq.oberon-media.com/odyssey_web8.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.3758101852

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,066 bytes
Report generated in 0.062 seconds


------------------------ That was Startup List, and here goes log from
Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 7:01:21 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\WINDOWS\vcdplayx.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = myst2k.net:5821
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = solair.eunet.yu
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CTSysVol] C:\Program
Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program
Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [VirtualDrive] C:\Program
Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VideoCAM Web V2
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program
Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program
Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) -
http://playroom2.icq.oberon-media.com/odyssey_web8.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.3758101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA79E1DE-F976-4683-BF7A-F2314CA295F7}:
NameServer = 194.247.192.33 194.247.192.1

Clarification of Answer by sublime1-ga on 11 May 2004 12:15 PDT
Chuck...

You did a good job of posting the logs. I don't see
anything that's obviously malicious, but there are
a few things I can say.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\
Microsoft Office\Office10\OSA.EXE

This is an MS Office Startup that runs in the background.
It is a resource hog and you could afford to uncheck it.
It may be that your system freezing has nothing to do with
the Service Control Manager error, and is a result of 
low resources.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = myst2k.net:5821
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = solair.eunet.yu

These two are proxy settings for MS Internet Explorer.
If you knowingly use a proxy for your browser, and these
are familiar to you, that's fine. If not, you should 
check them for HijackThis to delete. Proxy settings
are always a conscious decision, so if you're not
aware of them, that's a bad sign. Proxy settings 
allow you to connect to websites anonymously, masking
your IP address from the site you're visiting. Using
a proxy could be slowing your browser connections.


OMSCAN does not show up in either of the logs, so 
this implies it is being called for by some hidden
registry entry. When I searched more on OMSCAN this
morning, I found a reference to an OMSCAN service
which is set up when LifeView Video Card Software
is installed, in conjunction with a LifeView 98 TV
Card. The reference, from the Windows XP Software
Compatibility Service, notes:

"Lifeview have put out new drivers for XP even though the
 number is lower. It is a beta driver, 10345 and this seems
 to work fine except that on my computer it installs a
 program called OMSCAN which causes the computer to stop
 at a blue screen when turned on cold. After a reset it will
 boot to the black screen, I let windows load normally and
 everything is fine. The lifeview TV program works.
 The Event Viewer will state a problem with OMSCAN not
 loading so I deleted the two references to OMSCAN in the
 registry that can be deleted (there are another three
 called legacy_omscan, but these can not be deleted). The
 computer will start properly from cold start and the
 Lifeview program works. So I do not see the purpose of
 the OMSCAN references in fact Event Viewer will state
 that the files for it can not be found.
 Also the uninstall of the lifeview software does not
 seem to work and I have to manually update the drivers
 in the device manager for the card ignoring messages
 about these drivers being older and not certified."
http://208.57.82.170/extra/guestbook.asp?page=43

There is an email link beneath the post where you can
contact the author of the post. Are you at all familiar
with the Lifeview TV Card? If not, I would scan the
registry for OMSCAN entries and delete them.

I don't know if you are comfortable with editing the
registry, but the next step would be to go to Start ->
Run, type in regedit and hit enter. Then do a search
for OMSCAN, and see what results you get. If you're
not comfortable editing the registry, find a buddy 
who is, or come back here and tell me exactly what
you find.


Finally, one other program that you can run, which 
scans your system and produces a log and feedback
about the results, is:

Bazooka Spyware Scanner
http://www.kephyr.com/spywarescanner/

Though I don't see anything nasty in the logs
you've provided, it never hurts to get a third
opinion.

sublime1-ga
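
Editor's added example (not from the answer). The reply above reads the
HijackThis log by eye, and two points deserve sharpening. An IE proxy
set under HKCU that the user did not configure is not an anonymity
feature but a relay: every WinINET request, including submitted forms
and cookies on plain HTTP, passes through myst2k.net:5821 and can be
read or rewritten there, which is why an unexplained R1 entry is the
most serious line in this log. And the log carries an O4 Run entry the
reply does not mention, [ScanRegistry] C:\W, whose command has no
runnable target at all; an entry like that is truncated or broken and is
worth opening in the registry directly. The function below applies those
checks to HijackThis-style lines: R1 proxy settings, O4 commands that are
bare names resolved through the search path or that name no binary, O16
ActiveX downloads from non-Microsoft hosts, and O17 DNS servers. It
assumes PowerShell 5 or later; the sample lines are taken from the log
posted in this thread, while the severity labels and host checks are
this example's own assumptions.

```powershell
# Added example, not code from the original answer. Triage of HijackThis-style
# log lines. Severities and the host checks are assumptions for the example.

function Get-HijackThisFindings {
    param([string[]]$Lines)
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        switch -Regex ($line) {
            '^R1 - .*ProxyServer = (?<proxy>.+)$' {
                # All WinINET/IE traffic is relayed through this host, which can read and
                # rewrite every non-TLS request. If the user did not set it, it is a hijack.
                [pscustomobject]@{ Severity = 'High'; Item = 'R1'; Detail = "IE proxy set to $($Matches['proxy'])" }
            }
            '^R1 - .*ProxyOverride = (?<list>.+)$' {
                [pscustomobject]@{ Severity = 'Info'; Item = 'R1'; Detail = "proxy bypass list: $($Matches['list'])" }
            }
            '^O4 - .*\[(?<name>[^\]]+)\]\s*(?<cmd>.*)$' {
                $name = $Matches['name']
                $cmd  = $Matches['cmd']
                if ($cmd -match '^"(?<q>[^"]+)"') { $cmd = $Matches['q'] }   # quoted path: keep what is inside
                if ($cmd -notmatch '^[A-Za-z]:\\') {
                    # A bare file name is located through the search path at logon, so
                    # whichever binary of that name comes first on the path is what runs.
                    [pscustomobject]@{ Severity = 'Medium'; Item = 'O4'; Detail = "[$name] resolved via search path: $cmd" }
                } elseif ($cmd -notmatch '\.(exe|dll|com|scr|bat|cmd)(\s|$)') {
                    # No runnable target at all (the posted log has "C:\W"): a truncated
                    # or broken entry to inspect in the registry directly.
                    [pscustomobject]@{ Severity = 'High'; Item = 'O4'; Detail = "[$name] has no runnable target: $cmd" }
                }
            }
            '^O16 - DPF: \{[^}]+\} \((?<cls>[^)]+)\) - (?<url>\S+)$' {
                $uri = [uri]$Matches['url']
                if ($uri.Host -notlike '*.microsoft.com') {
                    # Code from this host was installed into IE as an ActiveX control.
                    [pscustomobject]@{ Severity = 'Info'; Item = 'O16'; Detail = "ActiveX '$($Matches['cls'])' from $($uri.Host)" }
                }
            }
            '^O17 - .*NameServer = (?<dns>.+)$' {
                # Per-adapter resolvers; if they are not the ISP's, every lookup can be
                # answered by whoever runs them.
                [pscustomobject]@{ Severity = 'Medium'; Item = 'O17'; Detail = "DNS servers: $($Matches['dns'])" }
            }
        }
    }
}

# Sample lines copied from the HijackThis log posted in this thread.
$log = @'
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = myst2k.net:5821
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = solair.eunet.yu
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom2.icq.oberon-media.com/odyssey_web8.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.3758101852
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA79E1DE-F976-4683-BF7A-F2314CA295F7}: NameServer = 194.247.192.33 194.247.192.1
'@

Get-HijackThisFindings ($log -split "`r?`n") | Format-Table -AutoSize
```

On the sample this reports the proxy as High, ScanRegistry as High, the
two bare-name Run entries and the DNS servers as Medium, the bypass list
and the oberon-media ActiveX control as Info, and nothing for the
fully-qualified ATI and vcdplayx entries or the Windows Update control.
Medium O4 rows are usually vendor installers being sloppy, but they are
also the entries a planted binary of the same name would hijack, so
confirm where each one actually resolves.
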

Request for Answer Clarification by chuck555129-ga on 11 May 2004 14:39 PDT
HijackThis deleted those 2 proxy servers, and also OSA.EXE.
A friend of mine explained to me how to edit the registry and I've found
2 folders called OMSCAN with some "files" in them and I have deleted both.
I'm not familiar with the Lifeview TV Card though.

I'm not sure if this helped, I guess I'll know if my computer doesn't
freeze in the next 10 hours. I just wanted to let you know that I've
deleted those files.

Regards, 
Chuck

Clarification of Answer by sublime1-ga on 11 May 2004 15:32 PDT
Chuck...

Yes, thanks for keeping me informed. With the OMSCAN
registry entries gone, you shouldn't get the Service
Control Manager errors any more. And if you were
unaware of the proxy settings, and have deleted them,
that should greatly help your internet connection.

sublime1-ga
Comments  
There are no comments at this time.
