Serial Port Quit Working [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by JeffNY, 2005/08/11.

  1. 2005/08/11
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    Hi, I have a PC that is a 16 channel Digital Video Recorder system, it's mostly used to record video from security cameras. I also use it to program my cordless Symbol P370 bar code scanner.

    A few weeks ago I put this machine on the net...within one day it had almost 200 adware/viruses on it!

    I used two free programs from Microsoft to try and rid them, then reinstalled XP, then upgraded to SP2, then installed Symantec System Works. [these anti-virus apps are still finding adware on this machine almost everyday...even though the Firewall is on and I haven't used it to surf the web! Don't understand that at all]

    But now the serial port seems to have stopped working and I can't communicate with my bar code scanner (the scanner's cradle connects to the PC via serial).

    Anyone know why? Any suggestions? Is there a way I can test the serial port?

    Thanks,
    Jeff
     
  2. 2005/08/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Jeff - it sounds very much like you are still harboring a critter and probably one that is communicating out to the wide world without your permission. It could easily pass the firewall since it would start a conversation from within.

    I'm going to move this thread to the security section for the time being and see what advice you get there. No sense in trying to fix anything else until you are clean.

    Probably best to wait until you have a machine with no critters and if the serial port is still hosed, start a new thread in hardware.
     
    Newt,
    #2

  4. 2005/08/11
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    If you are using Windows XP firewall, here is something you do not know. It lets anything running on your computer connect out, including ad/spyware and viruses. What it does do is block unsolicited incoming connections, unless something was given an Exception. An application given an Exception is allowed to hold a port open.
    Would you post a HijackThis log?
     
  5. 2005/08/12
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    I'll try and do the Hijack log.....just wish I was 100% sure it's not my cradle. The cradle is new and worked a few weeks ago. But I can't be sure the serial port is not communicating with it, all my MCL-Designer software tells me is that it can't upload to the terminal (the P370).

    Could adware (or Symantec System Works) really stop the port from working?

    Are there any XP serial port apps that could monitor the serial port activity and tell me if my cradle is at least talking/responding to the PC? [I'm more of a Mac guy...and not up on a lot of Windows stuff]

    Thanks,
    Jeff
     
  6. 2005/08/12
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    A Google search brings up hits for serial port testing and monitoring software - none of it appears to be freeware .....

    http://www.google.com/search?source...LG,GGLG:2005-31,GGLG:en&q=test+serial+port+XP

    Please don't ask me for recommendations - I have never had need to use this type of software.
     
  7. 2005/08/12
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    Thanks Pete...I'll check those out. The other thing going on now is it takes a LOT longer to shut down. And yesterday I had an odd thing happen, I opened the control panels and when I clicked on the Firewall control panel (located in the third row down and farthest right) all the control panels in the first three rows got selected...then my keyboard quit working too until I restarted. Never had these problems until all this stuff with the adware happened and I did the re-install, SP2 upgrade and antivirus software....frustrating (and I need to get this scanner back working) :(
     
  8. 2005/08/12
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    ugggg...now if I hold down the DEL key at boot to access the BIOS or hold down the Shift key when Windows starts (to keep my DVR software from loading, which I need to do on occasion) my keyboard and mouse quit working! I finally had to pull the power cord to get it to start up Ok again.

    I just don't have the time to deal with this. Can I re-install Windows and delete the adware somehow? Somehow the two free Microsoft virus apps and System Works aren't getting them all....but wiping the drive and reinstalling my apps would be a major hassle (...and I can't see a way to copy my apps to my D: partition!).

    Very Very Frustrated
    Jeff
     
  9. 2005/08/12
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Jeff,

    The Del key problem is very unlikely to be the result of adware - Windows has not started at that stage - you are at POST (Power On Self Test). I would question the keyboard - do you have another to try?

    You can make a Repair install of XP which would leave your apps intact, but is unlikely to do much for the adware on the m/c.

    Which MS tools are you using to remove adware? - MS AntiSpyware Beta plus ?

    I suggest you download through Quicklinks in my signature Spybot and Ad-Aware SE, update and run and delete all they find.

    I also suggest you download HijackThis through Quicklinks in my signature, save it to a folder on your hard drive, say C:\HJT, not to the desktop or a temporary folder, run it and post the log here - as suggested by markp62.

    You cannot copy your apps to drive D - many files are stored within Windows and this is also the case if you install them to drive D.

    To perform a clean install of Windows you need to get into the BIOS to set the boot order to CD-ROM > Floppy > Hard Drive unless you know that it is already set that way.

    From my pre-prepared notes for situations like this ....
     
  10. 2005/08/13
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    Ok, here is the HiJack log.

    Is it possible Symantec is monitoring and/or blocking the serial port somehow...thinking there may be a modem attached to it? I looked around the setup screens for System Works but saw no option for that, but I could have missed it.

    Jeff

    ==============
    Logfile of HijackThis v1.99.1
    Scan saved at 11:13:30 AM, on 8/13/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hpnra.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\d?dplay.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\windows\system32\drieqi.exe
    C:\Program Files\hrut\rtwr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\DOCUME~1\Jeff\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O1 - Hosts: url
    O1 - Hosts: ROUTINE_CHECKIN
    O1 - Hosts: btg.btgrab.com/
    O1 - Hosts: 1024
    O1 - Hosts: 2895485184
    O1 - Hosts: 29797746
    O1 - Hosts: 849973984
    O1 - Hosts: 29724321
    O1 - Hosts: *
    O1 - Hosts: ctr
    O1 - Hosts: 1
    O1 - Hosts: btg.btgrab.com/
    O1 - Hosts: 1024
    O1 - Hosts: 2895485184
    O1 - Hosts: 29797746
    O1 - Hosts: 850123984
    O1 - Hosts: 29724321
    O1 - Hosts: *
    O1 - Hosts: dly
    O1 - Hosts: 0
    O1 - Hosts: btg.btgrab.com/
    O1 - Hosts: 1024
    O1 - Hosts: 2895485184
    O1 - Hosts: 29797746
    O1 - Hosts: 850123984
    O1 - Hosts: 29724321
    O1 - Hosts: *
    O1 - Hosts: fme
    O1 - Hosts: 0
    O1 - Hosts: btg.btgrab.com/
    O1 - Hosts: 1024
    O1 - Hosts: 2895485184
    O1 - Hosts: 29797746
    O1 - Hosts: 850123984
    O1 - Hosts: 29724321
    O1 - Hosts: *
    O2 - BHO: (no name) - {69552EC3-7B9C-0030-001E-1C00D82777C8} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E69AA8D7-3A12-2F92-1737-1D53418501EE} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [jaheagi] c:\windows\system32\drieqi.exe r
    O4 - HKCU\..\Run: [Ovzb] C:\WINDOWS\System32\d?dplay.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [Ccpo] C:\Program Files\hrut\rtwr.exe
    O4 - Global Startup: DVR.lnk = C:\DVR\DVR.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  11. 2005/08/15
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    First unzip HJT into its own folder, it works better this way.

    Go to Start\Run, type in Services.Msc and press Enter. Locate this in the list.

    System Startup Service

    Left click on it, and Stop the service. Then right click on it, select Properties. Then set to Disable. Close the Services window.

    Disable System Restore.

    Open HJT, and click on 'Open misc tools section', then click on 'Delete a file on reboot', a File Open window will appear. Copy/Paste the following into it.

    C:\WINDOWS\System32\d?dplay.exe

    Then click on Open, and you will be prompted to reboot, select No at this time. Do the same for these.

    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\Nail.exe
    c:\windows\system32\drieqi.exe
    C:\Program Files\hrut\rtwr.exe

    Rescan with HJT, and remove these items.

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O1 - Hosts: url
    O1 - Hosts: ROUTINE_CHECKIN
    O1 - Hosts: btg.btgrab.com/
    O1 - Hosts: 1024
    O1 - Hosts: 2895485184
    O1 - Hosts: 29797746
    O1 - Hosts: 849973984
    O1 - Hosts: 29724321
    O1 - Hosts: *
    O1 - Hosts: ctr
    O1 - Hosts: 1
    O1 - Hosts: btg.btgrab.com/
    O1 - Hosts: 1024
    O1 - Hosts: 2895485184
    O1 - Hosts: 29797746
    O1 - Hosts: 850123984
    O1 - Hosts: 29724321
    O1 - Hosts: *
    O1 - Hosts: dly
    O1 - Hosts: 0
    O1 - Hosts: btg.btgrab.com/
    O1 - Hosts: 1024
    O1 - Hosts: 2895485184
    O1 - Hosts: 29797746
    O1 - Hosts: 850123984
    O1 - Hosts: 29724321
    O1 - Hosts: *
    O1 - Hosts: fme
    O1 - Hosts: 0
    O1 - Hosts: btg.btgrab.com/
    O1 - Hosts: 1024
    O1 - Hosts: 2895485184
    O1 - Hosts: 29797746
    O1 - Hosts: 850123984
    O1 - Hosts: 29724321
    O1 - Hosts: *
    O2 - BHO: (no name) - {69552EC3-7B9C-0030-001E-1C00D82777C8} - (no file)
    O2 - BHO: (no name) - {E69AA8D7-3A12-2F92-1737-1D53418501EE} - (no file)
    O4 - HKLM\..\Run: [jaheagi] c:\windows\system32\drieqi.exe r
    O4 - HKCU\..\Run: [Ovzb] C:\WINDOWS\System32\d?dplay.exe
    O4 - HKCU\..\Run: [Ccpo] C:\Program Files\hrut\rtwr.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Reboot into Safe Mode.
    Delete all files and folders located in these folders.
    C:\Windows\Prefetch
    C:\Windows\Temp
    C:\Documents and Settings\Jeff\Local Settings\Temp

    Delete this folder.

    C:\Program Files\hrut

    Then reboot into Normal mode, and then enable System Restore. Please post a new HJT log.
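
An added example, not part of markp62's post and not HijackThis's own logic: a short Python triage pass over lines taken from the log posted above, with rules that mirror the kinds of entries removed in this thread. The allowlist, rule names and `triage` function are assumptions made for this example.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                # e.g. "O4 - HKLM\..\Run: ..."
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
HOSTS_OK = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}\s+\S+")  # "IP hostname" pair

# Assumption: locations reviewed as good for THIS machine, taken from the
# autostart entries that were left in place in the thread.
ALLOWLIST = (
    "c:\\program files\\common files\\symantec shared\\",
    "c:\\program files\\norton systemworks\\",
    "c:\\program files\\microsoft antispyware\\",
    "c:\\program files\\messenger\\",
    "c:\\dvr\\",
    "c:\\windows\\system32\\hpnra.exe",
    "c:\\windows\\system32\\ati2evxx.exe",
)

# Constructed sample: a subset of lines copied from the log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: btg.btgrab.com/
O1 - Hosts: 2895485184
O2 - BHO: (no name) - {69552EC3-7B9C-0030-001E-1C00D82777C8} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [jaheagi] c:\windows\system32\drieqi.exe r
O4 - HKCU\..\Run: [Ovzb] C:\WINDOWS\System32\d?dplay.exe
O4 - HKCU\..\Run: [Ccpo] C:\Program Files\hrut\rtwr.exe
O4 - Global Startup: DVR.lnk = C:\DVR\DVR.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
"""

def triage(log_text):
    """Return [(reason, line)] for entries an analyst should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list, blank lines
        code, detail = m.groups()
        hit = PATH.search(detail)
        path = hit.group(0).lower() if hit else None
        if code == "F2" and "Shell=" in detail:
            # The default shell value is Explorer.exe alone; anything after
            # it is also started at every logon.
            if detail.split("Shell=", 1)[1].split(None, 1)[1:]:
                findings.append(("shell launches extra program", line))
        elif code == "O1":
            entry = detail.split(":", 1)[1].strip()
            ok = HOSTS_OK.fullmatch(entry)
            findings.append(("hosts redirect" if ok else "malformed hosts entry", line))
        elif code in ("O2", "O3") and detail.endswith("(no file)"):
            findings.append(("orphaned browser add-on registration", line))
        elif code in ("O4", "O23") and path:
            if "?" in path:
                # Heuristic: '?' in a logged file name usually stands for a
                # character the log could not represent.
                findings.append(("unprintable character in file name", line))
            elif not path.startswith(ALLOWLIST):
                findings.append(("autostart not on allowlist", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:38} {line}")
```

The allowlist is what separates the two "Unknown owner" services here: `Ati2evxx.exe` passes and `svcproc.exe` is reported, so the result is only as good as the review behind that list.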
     
  12. 2005/08/16
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    Thanks Mark, I did all that then tried to reboot Safe Mode and get these screens...
    http://woodinsexpress.com/nowindows/IMG_4876s.JPG
    http://woodinsexpress.com/nowindows/IMG_4878s.JPG
    http://woodinsexpress.com/nowindows/IMG_4880s.JPG
    ....it won't boot in Safe Mode as you can see from the last screen.

    When I try to boot with XP normally then I get these screens..
    http://woodinsexpress.com/nowindows/IMG_4882s.JPG
    http://woodinsexpress.com/nowindows/IMG_4883s.JPG
    http://woodinsexpress.com/nowindows/IMG_4884s.JPG
    ...and the machine shuts down.

    How do I either get it to boot in Safe Mode or get XP to quit shutting down the computer?

    Sorry the pictures are so crappy...next time I'll mount the camera on something...

    Thanks,
    Jeff
     
  13. 2005/08/16
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    How do I either get it to boot in Safe Mode or get XP to quit shutting down the computer?
    The answer to that is in the first screen shot. Look for "Disable automatic restart on system failure ".

    That third screen shot is normal when XP is booting up into Safe Mode, and it is slower.
     
  14. 2005/08/17
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    >>That third screen shot is normal when XP is booting up into Safe Mode, and it is slower.<<

    ahhhh, you are correct sir! If you wait long enough it does indeed load.

    All files and folders deleted except this one. I was unable to find this file, or the Local Setting directory in this path:
    C:\Documents and Settings\Jeff\Local Settings\Temp

    ....also, upon normal restart I get the "Can't find C:\WINDOWS\Nail.exe...." message and Windows shuts down again. hummm??

    Thanks for the help,
    Jeff-
     
  15. 2005/08/18
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    This is frustrating. Now not only can't I use this PC to program my Symbol scanner, now it no longer functions as our DVR for our security cameras....

    What if I reinstall XP....then SP2 again?

    In the meantime, I do have access to a Dell GX280, but it has no serial or parallel port (I need the parallel port for the Symbol software hardware key). Can you guys suggest a good Serial/Parallel combo card for the Dell that is highly compatible with XP? Then maybe I can at least get the scanner working.

    Thanks,
    Jeff
     
  16. 2005/08/18
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    Good news and bad.....when I was finally able to get under the desk and get better access to the GX280 I discovered it did have both a serial and parallel port. But I still can't upload my app to the P370 scanner. But it would appear my inability to do that has nothing to do with XP or my DVR's serial port....still testing the Symbol hardware...which DID work a few weeks ago....

    Sooo....now I just need to get XP and my DVR PC back up and running...

    If I re-install my original XP on a machine with XP and the SP2 update, what happens?

    Jeff
     
  17. 2005/08/18
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    If you follow my instructions in Post #8 you will end up with whatever version of XP is on your install CD as the drive will be formatted. You will then need to reload SP2 given that your CD is either vanilla or SP1 (no need to install SP1 if it is not on the CD as SP2 is cumulative). You will then need to apply all subsequent updates - and reload your apps.
     
  18. 2005/08/18
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    Hi Pete,

    I don't want to reformat the whole drive. I have 200GB of video and some of my apps on there.

    If this were an OS 9 Mac I could boot OS 9 from a CD, run disk utilities if I wanted to and just re-install the OS. You can't do that with XP? [...don't ask me about OS X, I think it was a dumb move for Apple...but what do I know, maybe it was a good move for Apple $, bad move for Mac users...talk about a weird OS when things go wrong...]

    Anyway, you can't just install a new copy of XP on the drive and delete the old one?

    There is no way to stop XP from automatically shutting down the system because it can't find one file (that XP does not even need to run)? How can you work on the system if it keeps shutting down? This is dumb.

    But I do appreciate the help,
    Jeff
     
  19. 2005/08/18
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    What file tells XP to look for Nail.exe? I can't boot in "Safe Mode" and edit or delete that file?
     
  20. 2005/08/19
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Your basic problem here is with nail.exe - a virus/hijacker/trojan - one or the other. It seems that it was not cleaned up following the remedial actions suggested following your last HJT log.

    Detailed virus removal advice is not my forte and I will call on one of our experts to take a look - they are a bit thin on the ground right now - holiday season?
    You have two options here - a Repair Install of XP which may not be straightforward as your install CD is not the same as the version installed - and has some risks.

    The other possibility is a Parallel install as outlined in ....

    http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prmc_str_jyof.asp

    http://www.windowsreinstall.com/winxphome/installxpcdparallell/index.htm - Home

    http://www.windowsreinstall.com/winxppro/installxpcdparallell/indexfullpage.htm - Pro
     
  21. 2005/08/19
    JeffNY

    JeffNY Inactive Thread Starter

    Joined:
    2004/07/22
    Messages:
    133
    Likes Received:
    0
    Thanks Pete, I'll try and work on this this weekend. Oh, and I finally got the bar code scanner programmed! Apparently one or more of the default values deep in the scanner got messed up somehow, causing it to not want to communicate properly.

    Thanks...
    Jeff
     
