January 4th, 2007 18:00

Dr Watson Postmortem Debugger: screen freezes

At times my computer screen freezes and I'm not able to click on anything, even though my mouse pointer can still move around. I cannot even turn off my computer, so I have to press the power button. Another thing I have noticed is that a certain process called "agent.exe" runs all the time, and even if I end the task it reappears. Sometimes when I try to terminate "agent.exe" I get the usual Microsoft error message. The message also says that "Dr Watson Postmortem Debugger" has failed. I do not know what that means. I ran HijackThis and here is the logfile.

Logfile of HijackThis v1.99.1
Scan saved at 2:49:48 PM, on 1/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\prasad\Desktop\setups\utorrent.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



Thanks for your time and help in advance.
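The "Running processes" section of a HijackThis log records every running image with its full path, and the O4 and O23 lines record what starts it. In the log above, agent.exe appears under C:\Program Files\Common Files\InstallShield\UpdateService, the same folder as ISUSPM.exe, which the O4 list starts with "-scheduler". The following parser is an added example and is not part of the thread, nor code from HijackThis: it pulls those three kinds of entry out of a log, looks up a file by name, reports where it lives and what else runs from that folder, and flags whether the file sits in one of the three folders (C:\, C:\WINDOWS, C:\WINDOWS\system32) that the safe-mode commands later in the thread check. The embedded log is a constructed excerpt of the one posted above, trimmed to the lines needed. A vendor-looking folder is a hint, not proof; the version and signature check asked for below is still the right next step.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the HijackThis v1.99.1 log posted in the thread,
# inlined so the example runs offline.
HJT_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
"""

# The three folders the thread's safe-mode attrib/dir commands look in.
DEFAULT_SEARCH_DIRS = ("C:\\", "C:\\WINDOWS", "C:\\WINDOWS\\system32")

# Leading executable path of an O4 command line, quoted or not, args excluded.
_EXE_RE = re.compile(r'^\s*"?([A-Za-z]:\\.*?\.exe)"?', re.IGNORECASE)


def _norm(path):
    """Case-insensitive key for a Windows path (NTFS/FAT lookups ignore case)."""
    return str(PureWindowsPath(path)).lower()


def parse_hjt(text):
    """Split a HijackThis log into running processes, O4 autostarts and O23 services."""
    processes, autostarts, services = [], [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:              # the block ends at the first blank line
            if not line:
                in_processes = False
            else:
                processes.append(line)
            continue
        m = re.match(r"^O4 - (.+?): \[(.+?)\] (.+)$", line)
        if m:
            hive, name, cmd = m.groups()
            pm = _EXE_RE.match(cmd)
            path = pm.group(1) if pm else cmd
            args = cmd[pm.end():].strip() if pm else ""
            autostarts.append({"hive": hive, "name": name, "path": path, "args": args})
            continue
        m = re.match(r"^O23 - Service: (.+?) - (.+?) - (.+)$", line)
        if m:
            name, company, path = m.groups()
            services.append({"name": name, "company": company, "path": path})
    return {"processes": processes, "autostarts": autostarts, "services": services}


def find_image(parsed, basename):
    """Every place a file name appears in the parsed log, with its full path."""
    want = basename.lower()
    hits = []
    for p in parsed["processes"]:
        if PureWindowsPath(p).name.lower() == want:
            hits.append({"where": "running process", "path": p})
    for a in parsed["autostarts"]:
        if PureWindowsPath(a["path"]).name.lower() == want:
            hits.append({"where": f"O4 {a['hive']} [{a['name']}]", "path": a["path"], "args": a["args"]})
    for s in parsed["services"]:
        if PureWindowsPath(s["path"]).name.lower() == want:
            hits.append({"where": f"O23 service {s['name']} ({s['company']})", "path": s["path"]})
    return hits


def in_default_search_dirs(path):
    """True if the file sits directly in C:\\, C:\\WINDOWS or C:\\WINDOWS\\system32."""
    parent = _norm(PureWindowsPath(path).parent)
    return parent in {_norm(d) for d in DEFAULT_SEARCH_DIRS}


def siblings(parsed, path):
    """Other running images from the same folder, which help attribute an unknown file."""
    folder = _norm(PureWindowsPath(path).parent)
    return [p for p in parsed["processes"]
            if _norm(PureWindowsPath(p).parent) == folder and _norm(p) != _norm(path)]


def triage(text, basename):
    """Summarise everything the log says about one file name."""
    parsed = parse_hjt(text)
    hits = find_image(parsed, basename)
    return {
        "hits": hits,
        "in_default_dirs": [h["path"] for h in hits if in_default_search_dirs(h["path"])],
        "neighbours": sorted({s for h in hits for s in siblings(parsed, h["path"])}),
    }


if __name__ == "__main__":
    r = triage(HJT_LOG, "agent.exe")
    for h in r["hits"]:
        print(f"{h['where']}: {h['path']}")
    print("in C:\\, C:\\WINDOWS or system32:", bool(r["in_default_dirs"]))
    print("same folder:", *r["neighbours"])
```

Run it on the full log and it reports the agent.exe path, that the file is not in any of the three default folders, and that ISUSPM.exe (started from HKLM\..\Run with -scheduler) runs from the same folder. The lookups are case-insensitive on purpose: a Windows file search that misses because of case is a common reason a file "cannot be found".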

January 4th, 2007 19:00

agent.exe does not show in your log, and there are many of them out there, so I can't tell if it's a good guy or not. Start, Search, For Files or Folders, then in the top box put in agent.exe and under More Advanced Options check the first three, then Search.
 
When it finds one, right-click on it and select Properties, then Version. What version number and what company owns the file?
 
Also note the full path where the file is found.  Should be something like: C:\windows\system32\agent.exe.
 

Also run HijackThis and select Misc Tools, then Open ADS Spy. Uncheck the Quick Scan option and then press SCAN. When it finishes, does it find anything? If so, press Save Log, then save the log somewhere and it will open in Notepad. Copy the text and paste it into your next reply.
 
You can also try:
Check for High CPU Usage:
When it is running slow: close all active programs, then right-click on the clock and select Task Manager, then select Processes. Click once or twice on the CPU column heading until you get the bigger numbers at the top in that column. What are the top three processes and what % do they each take? What does it say for CPU usage at the bottom of the window?

Blacklight Rootkit Detector:
Download Blacklight trial from here: http://www.f-secure.com/blacklight/
Hit "I accept." It will take you to the download page. Download blbeta.exe and save it to the Desktop. Once saved, double-click blbeta.exe (you may not be able to see the .exe) to install the program. Click Accept Agreement and click Scan. This app may trigger a warning from your antivirus. Let the driver load. Wait for it to finish. If it displays any items, don't do anything with them yet. Just hit Exit (Close). It will drop a log on the Desktop whose name starts with fsbl followed by a big number.
Please post contents of log in your next reply.
 
Ron
 
 
January 4th, 2007 22:00



@RKinner wrote:
"agent.exe does not show in your log and there are many of them out there so I can't tell if it's a good guy or not. Start, Search, For Files or Folders then in the top box put in agent.exe and under More Advanced Options check the first three then Search.
When it finds one, right-click on it and select Properties then Version. What version number and what company owns the file?
Also note the full path where the file is found. Should be something like: C:\windows\system32\agent.exe."



MY REPLY:
I searched for agent.exe and found a few entries, of which only one had the file name "AGENT.EXE-00ED4190.pf". Its path is C:\WINDOWS\Prefetch.
I checked its properties and it didn't have any version or company name. It was created yesterday at 3:09:08 PM.


"Also run HijackThis and select Misc Tools, then Open ADS Spy. Uncheck the Quick Scan option and then press SCAN. When it finishes does it find anything? If so press Save Log then save the log somewhere and it will open in Notepad. Copy the text and paste it into your next reply."

MY REPLY:
The HijackThis ADS Spy scan found nothing.



"You can also try:
Check for High CPU Usage:
When it is running slow: Close all active programs then right-click on the clock and select Task Manager then select Processes. Click once or twice on the CPU column heading until you get the bigger numbers at the top in that column. What are the top three processes and what % do they each take? What does it say for CPU usage at the bottom of the window?"

MY REPLY:
CPU usage by "agent.exe" comes in bursts (every ~15 sec). Its maximum usage is about 44% of the CPU. Memory usage: 10,980K.

"Blacklight Rootkit Detector:
Download Blacklight trial from here: http://www.f-secure.com/blacklight/
Hit "I accept." It will take you to the download page. Download blbeta.exe and save it to the Desktop. Once saved... double click blbeta.exe (you may not be able to see the .exe) to install the program. Click Accept Agreement and click Scan This app may trigger a warning from your antivirus. Let the driver load. Wait for it to finish. If it displays any items...don't do anything with them yet. Just hit exit (close) It will drop a log on Desktop that starts with fsbl....big number
Please post contents of log in your next reply.
Ron"
MY REPLY:
Here is the logfile

01/04/07 18:56:59 [Info]: BlackLight Engine 1.0.55 initialized
01/04/07 18:56:59 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/04/07 18:56:59 [Note]: 7019 4
01/04/07 18:56:59 [Note]: 7005 0
01/04/07 18:57:13 [Note]: 7006 0
01/04/07 18:57:13 [Note]: 7011 3648
01/04/07 18:57:13 [Note]: 7026 0
01/04/07 18:57:13 [Note]: 7026 0
01/04/07 18:57:17 [Note]: FSRAW library version 1.7.1021
01/04/07 19:01:14 [Note]: 7007 0

January 5th, 2007 02:00

It must be a bad guy if it can hide that well. You did let it finish, I hope? The one in Prefetch is not the original, just a little shortcut that XP uses to boot faster. You can delete it, but until we find the original it will come back.
 
Boot into Safe Mode by restarting, and when the maker's logo appears start tapping the F8 key. Keep tapping until it tells you it is going into Safe Mode. If it doesn't show you the menu, then hit F8 one more time. Select the Command Prompt option and log in as usual. You will come to a black screen. Type:
 
cd \
(this changes the folder to C:\ which you should see in the prompt)
attrib -r -h -s agent.exe
(It may not find it but try the next line anyway)
dir /a agent.exe
 
cd \windows
attrib -r -h -s agent.exe
dir /a agent.exe
 
cd \windows\system32
attrib -r -h -s agent.exe
dir /a agent.exe
 
If it finds agent.exe in any of the three folders, then do
 
del /f agent.exe
mkdir agent.exe
 
before going on to the next folder. This removes the file and puts a directory with the same name in its place, which keeps the file from coming back.
 
Did you find it in any of the three folders?
 
Ron
 
@RKinner wrote:
It must be a bad guy if it can hide that well. You did let it finish I hope? The one in prefetch is not the original. Just a little shortcut that XP uses to boot faster. You can delete it but until we find the original it will come back."

REPLY:
I deleted the file from prefetch. You were right about it reappearing in prefetch. But it never showed up on task manager.

"Boot into Safe Mode by restarting and when the maker's logo appears start tapping the F8 key. Keep tapping until it tells you it is going into safe Mode. If it doesn't show you the menu then hit F8 one more time. Select the Command Prompt option and log in as usual. You will come to a black screen. Type:
cd \
(this changes the folder to C:\ which you should see in the prompt)
attrib -r -h -s agent.exe
(It may not find it but try the next line anyway)
dir /a agent.exe
cd \windows
attrib -r -h -s agent.exe
dir /a agent.exe
cd \windows\system32
attrib -r -h -s agent.exe
dir /a agent.exe
If it finds agent.exe in either of the three folders then do
del /f agent.exe
mkdir agent.exe
before going on to the next folder. This removes the file and puts a directory with the same name in its place. This keeps the file from coming back.
Did you find it in any of the three folders?
Ron"



REPLY:
I couldn't find agent.exe in any of the directories. I did not take any action, that is, I didn't create any directories under the name agent.exe. I restarted the computer in normal mode and checked for agent.exe in Task Manager and still couldn't find it. I suppose the process S24EvMon.exe has nothing to do with agent.exe, for it now uses up 10% of the CPU constantly.
January 5th, 2007 22:00

Let's try AVG/Ewido. Maybe it can find something.
 
1. Go here and download AVG Anti-Spyware
(30-day free trial version). Save it to your Desktop.
 
Double Click AVG Anti-Spyware-setup
(It will create its own folder)
Once the program starts You will be at the Status menu
  • Under "Your computers Security"
    Click change status on Resident shield to inactive
    Click Update now (next to last update)
    After the update loads
    Under Automatic updates, uncheck "download and install updates automatically (recommended)"
    (you can always select manual updates the next day)
At the top toolbar Click Scanner Then the settings tab
  • Under How to act? set the default action for detected malware to Quarantine
    Under how to scan All boxes should be checked
    Under Possibly unwanted software All boxes should be checked
    Under reports Select Automatically generate report after every scan
    Uncheck Only if threats were found
    Under what to scan, Scan every file should be highlighted
Exit AVG(But do not run it yet)

2. Reboot into Safe Mode
This can be done by
  • Restart your PC, and after it starts, but before you see the Windows Splash screen
    Begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices)
    Use your arrow keys and select Safe Mode and then Enter
  • Run AVG Anti-Spyware
    • Click scanner
      Select Complete system scan
Once the scan finishes
  • Select Apply all actions (The items found will be quarantined)
    Click save report as (Another window will open)
    Save it to your desktop
    (By default It will be saved in the AVG folder as)
    C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports
Exit AVG
3. Reboot your PC in Normal Mode, then re-run HijackThis and post a fresh HijackThis log.
  • Double-click the report_scan.txt you saved to your desktop
    It will open in Notepad
    Copy and paste that report as a reply to this thread
Your reply should include
  • a fresh hijackthis log
    your report_scan.txt from AVG
You may have to post the results in more than one reply, since the AVG log usually contains a lot of TrackingCookies, which we don't care about. This is a typical TrackingCookie entry:
 
C:\Documents and Settings\Dan Perez\Cookies\dan perez@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
You can delete them all before you post the log if you want to.
 
Ron