#1
I've tried a number of the suggestions I've found around here for this problem, but nothing seems to have worked. Hence my direct appeal. I downloaded Windows updates from Microsoft and a problem developed on the reboot: I can't open any programs or access anything in 'My Computer'. Initially, whenever Windows opened, I received a message that Digstream.exe would need to close. That has since stopped. Now, anytime I run anything from the desktop or windows explorer, Dr Watson Postmortem Debugger encounters an error and closes, freezing windows. Opening any other program (firefox, word, etc.) immediately leads to that program encountering an error and needing to close.
I've run adaware se, AFT Cleaner, and a few other things. Nothing seems to have worked. HJT log is below. Any help would be immensely appreciated. (if this should be posted elsewhere, please let me know. this was simply where i'd seen the issue raised before)

Logfile of HijackThis v1.99.1
Scan saved at 1:56:13 AM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\fswsclds.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\HJT\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/ga...mmon/ieell.cab
O20 - Winlogon Notify: msldr32 - C:\WINDOWS\SYSTEM32\msldr32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\fswsclds.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

edit: i moved HJT into its own folder and rescanned

Last edited by Ontology: December 15, 2006 at 02:52 am.
#2
Hi Ontology,
Welcome to HFT.

Re-run ATF-Cleaner. Choose the cleaning options for each browser you use, as well as the "Windows" cleaning options. Run the cleaners regularly, daily, and before any anti-spyware and anti-virus scans.

Next, please download the trial version of AVG Anti-Spyware Free from here and install it. Launch AVG Anti-Spyware from the new icon on your desktop, just double-click it. You will need to update AVG Anti-Spyware to the latest definition files. On the left hand side of the main screen click Update and then click on Start Update. The update will start and a progress bar will show the updates being installed. Do not run a scan yet. Reboot into Safe Mode later, and then run an AVG Anti-Spyware scan. Also, Ad-Aware can be run in Safe Mode.

1. Close ALL Internet Explorer windows, only have HijackThis running. Open HijackThis and run a scan, and then tick the boxes for the below entries, then click on "Fix checked":

O20 - Winlogon Notify: msldr32 - C:\WINDOWS\SYSTEM32\msldr32.dll

2. Reboot to Safe Mode and MAKE SURE YOU CAN SEE HIDDEN FILES and FOLDERS. Then delete the below file:

C:\WINDOWS\SYSTEM32\msldr32.dll

3. Then run AVG Anti-Spyware while still in Safe Mode. Click "Complete System Scan" to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions. Also use the "Save Report" and save the log file with a date.

Reboot computer.

Let me know if "msldr32.dll" deletes OK. Please post back a new HijackThis log and the AVG Anti-Spyware log, and if computer is running better.

How to reboot to Safe Mode --> (reboot and repeatedly tap F8 immediately after BIOS screen (the BIOS screen is the first black and white screen you see), then choose Safe Mode from menu)

How to show HIDDEN FILES and FOLDERS --> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Cheers.
#3
I couldn't find how to save the AVG report. It did detect and delete one 'trojan downloader' at 'c:\windows\msxmidi.exe' That was the extent of the log.
HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:09:57 PM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\fswsclds.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/ga...mmon/ieell.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\fswsclds.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

The computer seems to be running better. No more Dr. Watson errors. See anything else that needs fixing?
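A before/after comparison of the two HijackThis scans posted so far, as an added example that is not part of any poster's message: it parses the entry lines of each log and reports which autostart entries the cleanup removed and which ones appeared. The embedded logs are short excerpts of the scans in posts #1 and #3, and the function names are illustrative.

```python
import re

# A HijackThis entry line starts with a section code (O4, O20, O23, ...)
# followed by " - " and the entry text; header and process lines do not.
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Short excerpts of the two scans posted in this thread (before and after cleanup).
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:56:13 AM, on 12/15/2006
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O20 - Winlogon Notify: msldr32 - C:\WINDOWS\SYSTEM32\msldr32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:09:57 PM, on 12/15/2006
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


def parse_entries(log_text):
    """Return the set of (code, body) autostart entries in one log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # Collapse whitespace so forum re-wrapping does not cause false diffs.
            entries.add((m["code"], " ".join(m["body"].split())))
    return entries


def diff_logs(before, after):
    """Return (removed, added): entries only in the old scan, only in the new."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for label, items in (("removed", removed), ("added", added)):
        for code, body in items:
            print(f"{label:8}{code:4}{body}")
```

Any entry reported as added that is not explained by software installed between the two scans deserves the same scrutiny the O20 msldr32 line received.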
#4
Hi Ontology,
The log looks OK. You appear to have installed AVG Antivirus, which is good. But also download and update and run AVG Anti-spyware from the same link. Both programs are free and very good. Don't run 2 antivirus or two firewalls at the same time, but you can have multiple anti-spyware programs installed.

Cheers
#5
Got it right. Here's the AVG report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:58:10 PM 12/16/2006

+ Scan result:

HKLM\SOFTWARE\AzEntretienCo -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\AzEntretienCo\AzEntretien -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AzEntretien.Loader -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AzEntretien.Loader.1 -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AzEntretien.Loader\CLSID -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AzEntretien.Loader\CurVer -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Wallpaper.WallpaperManager -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Wallpaper.WallpaperManager.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Wallpaper.WallpaperManager\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Wallpaper.WallpaperManager\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1708537768-838170752-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D2DEF3A-F4F1-42EC-AC4F-132E7BA6E292} -> Adware.MWSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1708537768-838170752-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F65B197F-8260-4D52-909A-F70118E646EB} -> Adware.MWSearch : Cleaned with backup (quarantined).
C:\WINDOWS\uninstaller.exe -> Adware.WildMedia : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\WebRecomendada.dll.tcf -> Dialer.DialWeb : Cleaned with backup (quarantined).
HKU\S-1-5-21-1708537768-838170752-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2559D0B1-AF60-4BD5-965D-0E51383A6367} -> Hijacker.Generic : Cleaned with backup (quarantined).
:mozilla.107:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\ayq7qars.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.51:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\ayq7qars.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.52:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\ayq7qars.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.53:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\ayq7qars.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.54:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\ayq7qars.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.97:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\ayq7qars.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.61:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\ayq7qars.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.62:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\ayq7qars.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.63:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\ayq7qars.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.64:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\ayq7qars.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\WINDOWS\system32\wapisvsu.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

As I noted, it was a Windows Update that seemed to start the problem. Now windows is wanting to download another update. Should I just accept it or is there anything I can do first to ensure doing so won't cause another problem? thanks.

Last edited by Ontology: December 16, 2006 at 06:54 pm.
#6
Hi Ontology,
It is Microsoft's monthly update time. I have just downloaded suggested updates from Microsoft via Automatic Updates and no problems. It may have been a corrupt file downloaded or it may have been some of the malware that has been cleaned out. There were at least 2 bad files that we deleted that will cause problems.

Below is a link to System Restore. Create a System Restore point when your computer is running good, and use that System Restore point to return your computer to the happy state if any download / new install goes wrong.

Restore the Operating System to a Previous State in Windows XP and How to use System Restore

Cheers
Last edited by mark: December 16, 2006 at 09:53 pm.