System errors after upgrading to SP2

Question

Hi all,   I turned on automatic updates and got the SP2 install for XPPro PC. Now, I have major problems. I can't open IE or Explorer or anything from the desktop or start menu, it just hangs, and sometimes I get a DrWatson error message 'DrWatson Postmortem Debugger'.   I have researched this elsewhere, and have followed advice about spyware, viruses etc and have used many programs (spybot, adaware, CWShredder, trendmicro online, Norton etc etc...) and am definitely clean now. No change in the problem. Here is my HJT log, if anyone could offer any advice I would be very grateful... thanks!   -------------------------   Logfile of HijackThis v1.99.1 Scan saved at 08:05:11, on 24/05/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: E:\WINDOWS\System32\smss.exe E:\WINDOWS\system32\winlogon.exe E:\WINDOWS\system32\services.exe E:\WINDOWS\system32\lsass.exe E:\WINDOWS\system32\svchost.exe E:\WINDOWS\System32\svchost.exe E:\WINDOWS\system32\spoolsv.exe E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe E:\WINDOWS\System32
vsvc32.exe E:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe E:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe E:\WINDOWS\system32\ZoneLabs\vsmon.exe E:\WINDOWS\system32\wuauclt.exe E:\WINDOWS\System32\svchost.exe E:\WINDOWS\Explorer.EXE E:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe E:\PROGRA~1\MICROS~3\GAMECO~1\common\swtrayv4.exe E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe E:\WINDOWS\System32\ezSP_Px.exe E:\Program Files\Common Files\Real\Update_OBealsched.exe E:\WINDOWS\system32\GSICON.EXE E:\WINDOWS\system32\DSLAGENT.EXE E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe E:\WINDOWS\system32\RUNDLL32.EXE E:\WINDOWS\system32\cmd.exe E:\WINDOWS\system32\wuauclt.exe E:\Program Files\Netscape\Netscape\Netscp.exe E:\Documents and Settings	hisuser\Desktop\HijackThis.exe N3 - Netscape 7: user_pref('browser.startup.homepage', 'http://home.netscape.com/bookmark/7_1/home.html'); (E:\Documents and Settings	hisuser\Application Data\Mozilla\Profiles\default\191olibh.slt\prefs.js) N3 - Netscape 7: user_pref('browser.search.defaultengine', ''); (E:\Documents and Settings	hisuser\Application Data\Mozilla\Profiles\default\191olibh.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - E:\WINDOWS\webdir.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SideWinderTrayV4] E:\PROGRA~1\MICROS~3\GAMECO~1\common\swtrayv4.exe O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] E:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [TkBellExe] 'E:\Program Files\Common Files\Real\Update_OBealsched.exe' -osboot O4 - HKLM\..\Run: [QuickTime Task] 'E:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE O4 - HKLM\..\Run: [HGTXPEI] E:\WINDOWS\System32\FirstReboot.exe O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint O4 - HKLM\..\Run: [Zone Labs Client] 'E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe' O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: VPN Client.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_04\bin
pjpi142_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_04\bin
pjpi142_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...Bridge-c112.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...l_v1-0-3-18.cab O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab O20 - Winlogon Notify: ckpNotify - E:\WINDOWS\SYSTEM32\ckpNotify.dll O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32
vsvc32.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - E:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - E:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

RKinner · Answer

Get a copy of winsockxpfix.exe before you do anything. This is just a safety
item in case you can't get on the internet afterwards. You don't run it until
afterwards and then only if you can't get back on the internet.
You just run it and things should work OK after it reboots your system.

http://www.iup.edu/house/resnet/winfix.shtm

Get DelDomain.inf from:

http://www.mvps.org/winhelp2002/restricted.htm and then right click on it and Install.

Download the Hoster from:

www.funkytoad.com/download/hoster.zip

Unpack to your desktop and run it. Select Restore Original Hosts.

Download the file, UnHookExec.inf, and save it to your Windows desktop. Do not run it at this time, download it only.

http://securityresponse.symantec.com/avcenter/UnHookExec.inf

If you cannot connect to the Internet from an infected computer:
Download to an uninfected computer, and then save it to a floppy disk.

http://securityresponse.symantec.com/avcenter/UnHookExec.inf

Get Pocket Killbox

http://www.bleepingcomputer.com/files/killbox.php

and unpack it to your desktop.

Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let
it clean anything yet.

Now shutdown and reboot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.

Locate the downloaded UnHookExec.inf file, either on the Windows desktop or the floppy disk.

Right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or boxes when you run it.)

Run HijackThis and just do a Scan only. Check then Fix
Checked the following:

O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - E:\WINDOWS\webdir.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...Bridge-c112.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab
O20 - Winlogon Notify: ckpNotify - E:\WINDOWS\SYSTEM32\ckpNotify.dll

Wait 60 seconds and repeat the scan. Did any of the above come back? IF so
leave HijackThis up and right click on the clock and select Task Manager. Then
Processes. Find Explorer.exe, right click on it and select End Process. The
desktop will disappear but HijackThis should still be there. IF you don't see
it switch to Applications in Task Manager and highlight it there then press
Switch To or just double click on it. Check and Fix Checked the above again.
Restart Explorer by Task Manager, File, New Task(Run), explorer.exe, OK.

Now run ccleaner.exe. On the first page, uncheck everything but the two lines
that have the word Temporary in them then Run Cleaner.

Run Killbox and select the Delete on Reboot Option then type or paste into the Full path of File to Delete box:
E:\WINDOWS\SYSTEM32\ckpNotify.dll
Select the Unregister .DLL option and then the red button. Agree that you want to delete the file on reboot and let it reboot.

You may also want to look at:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.o.html

Look under: 5. To reverse the changes made to the registry

Verify that your registry does not need these changes.

Reboot into normal mode and run another HijackThis log and post it as a reply. Let's
see how we did.

Ron

ghall12345 · Answer

Many thanks for the reply.

FYI, the entry that caused the problem was this one.

O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - E:\WINDOWS\webdir.dll

Not many of the software virus trackers knew about it, it was hard to track down.

Virus & Spyware

Was this post helpful?