Welcome to the Dell Community Forum (DCF).
* Does this issue also occur in safemode? If not, some software running in the background in normal mode is the culprit.
* Restart the computer
* At the first beep (older systems) or on the blue Dell screen (new systems), tap the F8 key (do not hold it down)
* At some point, the Advanced Options menu will appear
* Scroll to and select Safe Mode [press the Enter key]
* At the operating system listing [press the Enter key]
* Windows will start in Safe Mode. Close any boxes that may open, just get to the desktop
Below is the log... also i was looking at task manager and the CPU usage is up around 90% steadily... is this related? im sorry for bringing up another topic if it indeed is but i was wondering if they could be related...
thanks everyone!
Logfile of HijackThis v1.97.7 Scan saved at 2:47:56 PM, on 4/16/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
I show all your O17 entries to be registered to Everyones Internet, Inc - If you have nothing to do with them, please be sure to delete all the O17 entries.
with respect to the posted forum... http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=8556 you mean that all i should delete is
what were you saying about the first part? im sorry i just want to make sure i dont delete anything i shouldnt... thanks for your time!
That is correct - Delete all the O17 entries and reboot. Kontiki is a valid progrma, only if it is at least at version 2.0. Generally you can check that by going into the program and doing a "help" => "About".
here is my new log... the cpu usage is still high and the screen still has the whole.
Logfile of HijackThis v1.97.7 Scan saved at 6:34:55 PM, on 4/16/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
First...forget about tracking down any more entries in Hijackthis for the moment. It has revealed your biggest threat...a VBS Trojan mentioned by Chris that Hijackthis spotted in the 017 lines. Despite removing those entries you have a high chance there are still many elements of the Trojan on your system. It attacks unpatched machines...in other words you might have failed to get the Microsoft security patch in October 2003.
How to tell if you're missing this patch easily? Copy and paste the javascript line into your URL box (the one that says http://forums.us.dell.etc...
javascript:navigator.appMinorVersion
Click Go or press Enter. The results will tell you what Hotfixes you have on the machine. If you don't see Q828750 you are unprotected from that Trojan and you may well have had it for a long time.
So go get the patch and install it. Next follow the directions at this Google thread. I agree 100% with what is said there. You should then get updates for your Mcafee and do a full system scan. If it finds the Trojan then you're ready to try the Symantec removal tool. Why not a Mcafee tool?...they don't have one to my knowledge. Next see instructions for disabling System Restore and running the tool here). Forget the stuff about the Digital signature part.
After running the Tool and rebooting scan again with McAfee. Still see the trojan there with Mcafee? Run the Brown tool referenced in the Google article. Reboot and rescan with Mcafee. still there? Only manual removal remains and the Symantec instructions are the best. Rescan after doing a manual edit (warning...editing the Registry is not for novices so you may need help and I mean in person to do this.)
Get the all clear? Then re-enable System Restore and repost here with a new hijackthis log.
As for your screen 'Hole" issue...it is entirely possible to have software and hardware problems at the same time. Hopefully it is just video driver corruption and a reinstall of the proper drivers will correct it. The question is...does the 'hole" appear in Safe Mode'? If so you're probably looking at hardware problems...video card or monitor. Replace with a known working monitor. Hole still there? Replace with known working video card or put a video card in system if you have integrated video on the motherboard. If you add an adapter card for video you will need to disable onboard video in the Setup screens upon boot.
DELL-Chris M
Community Manager
•
56.9K Posts
0
April 16th, 2004 15:00
Welcome to the Dell Community Forum (DCF).
* Does this issue also occur in safemode? If not, some software running in the background in normal mode is the culprit.
* Restart the computer
* At the first beep (older systems) or on the blue Dell screen (new systems), tap the F8 key (do not hold it down)
* At some point, the Advanced Options menu will appear
* Scroll to and select Safe Mode [press the Enter key]
* At the operating system listing [press the Enter key]
* Windows will start in Safe Mode. Close any boxes that may open, just get to the desktop
PGPhantom
76 Posts
0
April 16th, 2004 15:00
Most likely - As suggested - A backgound app, probably java or something.
Can you please download HijackThis from here http://www.spywareinfo.com/downloads/tools/HijackThis.exe install it into c:\\HJT. Run it, click on scan, save log and please post your entire log here for analysis.
That way we can see if there are any rogue startup apps running.
needthehelp
7 Posts
0
April 16th, 2004 17:00
Below is the log... also i was looking at task manager and the CPU usage is up around 90% steadily... is this related? im sorry for bringing up another topic if it indeed is but i was wondering if they could be related...
thanks everyone!
Logfile of HijackThis v1.97.7
Scan saved at 2:47:56 PM, on 4/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jACKIE_c\Local Settings\Temporary Internet Files\Content.IE5\9ZZZ9LKQ\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [A0L Instant Messenger] A0L.exe
O4 - HKLM\..\RunServices: [A0L Instant Messenger] A0L.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.230.208.134/activex/AxisCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37839.6960416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C60FF22F-38AF-4E09-9D96-DCA0553D9E15}: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
needthehelp
7 Posts
0
April 16th, 2004 17:00
PGPhantom
76 Posts
0
April 16th, 2004 19:00
Ah, problem seen and found - Now let's fix it for you.
As long as you have the updated version [2.0] of Kontiki the following entries are not a threat,
http://www.safer-networking.org/index.php?...tail=2003-02-09
C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab
in HijackThis (With all programs closed) delete:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C60FF22F-38AF-4E09-9D96-DCA0553D9E15}: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
I show all your O17 entries to be registered to Everyones Internet, Inc - If you have nothing to do with them, please be sure to delete all the O17 entries.
PGPhantom
76 Posts
0
April 16th, 2004 19:00
That is correct - Delete all the O17 entries and reboot. Kontiki is a valid progrma, only if it is at least at version 2.0. Generally you can check that by going into the program and doing a "help" => "About".
ChrisRLG
3.9K Posts
0
April 16th, 2004 19:00
Re those 017 lines
read this http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_QHOSTS.A&VSect=T
it is a known virus and should be removed.
needthehelp
7 Posts
0
April 16th, 2004 19:00
i cant fin kontiki on my computer so do you by any chance know where i could get a downloadable version of it?
ChrisRLG
3.9K Posts
0
April 16th, 2004 20:00
needthehelp
7 Posts
0
April 16th, 2004 21:00
here is my new log... the cpu usage is still high and the screen still has the whole.
Logfile of HijackThis v1.97.7
Scan saved at 6:34:55 PM, on 4/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jACKIE_c\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [A0L Instant Messenger] A0L.exe
O4 - HKLM\..\RunServices: [A0L Instant Messenger] A0L.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.230.208.134/activex/AxisCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37839.6960416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
PGPhantom
76 Posts
0
April 17th, 2004 00:00
Texruss
3.4K Posts
0
April 17th, 2004 00:00
Nice Dell user icon! *'-)
First...forget about tracking down any more entries in Hijackthis for the moment. It has revealed your biggest threat...a VBS Trojan mentioned by Chris that Hijackthis spotted in the 017 lines. Despite removing those entries you have a high chance there are still many elements of the Trojan on your system. It attacks unpatched machines...in other words you might have failed to get the Microsoft security patch in October 2003.
http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp
How to tell if you're missing this patch easily? Copy and paste the javascript line into your URL box (the one that says http://forums.us.dell.etc...
javascript:navigator.appMinorVersion
Click Go or press Enter. The results will tell you what Hotfixes you have on the machine. If you don't see Q828750 you are unprotected from that Trojan and you may well have had it for a long time.
So go get the patch and install it. Next follow the directions at this Google thread. I agree 100% with what is said there. You should then get updates for your Mcafee and do a full system scan. If it finds the Trojan then you're ready to try the Symantec removal tool. Why not a Mcafee tool?...they don't have one to my knowledge.
Next see instructions for disabling System Restore and running the tool here). Forget the stuff about the Digital signature part.
After running the Tool and rebooting scan again with McAfee. Still see the trojan there with Mcafee? Run the Brown tool referenced in the Google article. Reboot and rescan with Mcafee. still there? Only manual removal remains and the Symantec instructions are the best. Rescan after doing a manual edit (warning...editing the Registry is not for novices so you may need help and I mean in person to do this.)
Get the all clear? Then re-enable System Restore and repost here with a new hijackthis log.
As for your screen 'Hole" issue...it is entirely possible to have software and hardware problems at the same time. Hopefully it is just video driver corruption and a reinstall of the proper drivers will correct it. The question is...does the 'hole" appear in Safe Mode'? If so you're probably looking at hardware problems...video card or monitor. Replace with a known working monitor. Hole still there? Replace with known working video card or put a video card in system if you have integrated video on the motherboard. If you add an adapter card for video you will need to disable onboard video in the Setup screens upon boot.
HTH,
Texruss