
Solved <Process has already exited> pops up. Avast won't work.

Discussion in 'Malware and Virus Removal Archive' started by Tank, 2009/07/23.

  1. 2009/07/23
    Tank

    Tank Inactive Thread Starter

    Joined:
    2008/08/04
    Messages:
    50
    Likes Received:
    0
    [Resolved] <Process has already exited> pops up. Avast won't work.

    Hello everyone,
    I have an old PC running Windows 98 on C: and Windows 2000 SP4 on E: (one HD, dual boot). The problem occurs when using Windows 2000. A window pops up as win2k is loading the desktop.

    Title bar: "Program error"

    Message: "<Process has already exited> has generated errors and will be closed by Windows. You will need to restart the program. "

    This window keeps popping up with seemingly increasing frequency whether I click on its only "Cancel" button or not.

    It seems to only affect Internet Explorer (IE6) as when it opens this pop up will immediately appear and close the browser (again independent of my clicking on it). Firefox will open but will not load any site.

    I tried to scan with Avast but after the memory test it tells me that an "internal error has occurred" and asks me to provide information, etc.

    I've downloaded DDS on win98 and pasted it on Win2k. Then I ran DDS on Win2k.
    Subsequently, I ran the free Malwarebytes and it didn't detect any infections.

    Lastly (from the EVENT VIEWER), I noticed that the pop up seemed to generate the following which may be of help:

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7031
    Date: 7/23/2009
    Time: 12:08:52 PM
    User: N/A
    Computer: TANCREDI
    Description:
    The Windows Management Instrumentation service terminated unexpectedly. It has done this 16 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

    Below is the DDS file.


    DDS (Ver_09-06-26.01) - FAT32x86
    Run by Tancredi1 at 11:33:08.86 on Thu 07/23/2009
    Internet Explorer: 6.0.2800.1106

    ============== Pseudo HJT Report ===============

    EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
    uRun: [SpybotSD TeaTimer] e:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Synchronization Manager] mobsync.exe /logon
    mRun: [avast!] e:\progra~1\alwils~1\avast4\ashDisp.exe
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Notify: WRNotifier - WRLogonNTF.dll

    ================= FIREFOX ===================

    FF - ProfilePath - e:\docume~1\tancre~1.tan\applic~1\mozilla\firefox\profiles\bjjsbzj5.default\

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2009-07-23 11:33 16,384 a------- e:\winnt\system32\Perflib_Perfdata_4c0.dat
    2009-07-23 11:30 16,384 a------- e:\winnt\system32\Perflib_Perfdata_1fc.dat
    2009-07-23 10:29 16,384 a------- e:\winnt\system32\Perflib_Perfdata_1f0.dat
    2009-07-23 10:18 16,384 a------- e:\winnt\system32\Perflib_Perfdata_1f4.dat
    2009-07-17 15:40 16,384 a------- e:\winnt\system32\Perflib_Perfdata_434.dat
    2009-07-16 23:44 16,384 a------- e:\winnt\system32\Perflib_Perfdata_1ec.dat

    ==================== Find3M ====================

    2008-08-21 20:52 21,952 ----h--- e:\program files\folder.htt
    2008-08-21 20:52 271 ----h--- e:\program files\desktop.ini
    2003-06-18 12:00 32,528 a------- e:\winnt\inf\wbfirdma.sys

    ============= FINISH: 11:34:52.07 ===============

    Thanks in advance for any help on resolving this problem!

    Tancred
     
    Tank,
    #1
  2. 2009/07/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Is this a whole file?
    I've never run it on Win 2K, so I'm not sure.
     


  4. 2009/07/23
    Tank

    Tank Inactive Thread Starter

    Yes, I too thought the DDS file was rather small. Before the files were produced DDS showed:

    EDB.EXE can`t read startup: no such file or directory
    Could not find E:\Docu...\...\rarSFX1\Startup
    FINDSTR: cannot open svclist.dat

    Since my post I have found other peculiarities:

    Add\Remove Programs will generate the pop up and will be closed.

    The pop up also occurs in safe mode both with and without networking.

    When the pop up appears, Task Manager shows it and indicates its related process as drwtsn32.exe

    So I looked into drwtsn32.exe and found log file which I've PARTIALLY pasted below.

    Internet Explorer will not close if I disable the Network card (LAN) connection

    I also found that if I log on as Administrator, the pop up still appears but Firefox works (for now).

    Application exception occurred:
    App: iexplore.exe (pid=324)
    When: 8/22/2008 @ 08:09:24.629
    Exception number: c0000005 (access violation)

    *----> System Information <----*
    Computer Name: TANCREDI
    User Name: Tancredi1
    Number of Processors: 1
    Processor Type: x86 Family 6 Model 6 Stepping 5
    Windows 2000 Version: 5.0
    Current Build: 2195
    Service Pack: 4
    Current Type: Uniprocessor Free
    Registered Organization:
    Registered Owner: Tancredi

    *----> Task List <----*
    0 Idle.exe
    8 System.exe
    128 smss.exe
    160 csrss.exe
    180 winlogon.exe
    208 services.exe
    220 lsass.exe
    404 svchost.exe
    428 spoolsv.exe
    480 aswUpdSv.exe
    496 ashServ.exe
    516 svchost.exe
    588 regsvc.exe
    600 MSTask.exe
    632 WinMgmt.exe
    680 svchost.exe
    972 Explorer.exe
    1036 ashDisp.exe
    1088 ashWebSv.exe
    1112 ashMaiSv.exe
    324 IEXPLORE.exe
    380 drwtsn32.exe
    0 _Total.exe


    State Dump for Thread Id 0x3ec

    eax=000001f2 ebx=00000000 ecx=0006cbdc edx=00b56fa0 esi=00b56640 edi=0006cbdc
    eip=76e87383 esp=0006d680 ebp=0006d698 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206


    function: <nosymbols>
    76e87372 55 push ebp
    76e87373 8bec mov ebp,esp
    76e87375 83ec08 sub esp,0x8
    76e87378 53 push ebx
    76e87379 56 push esi
    76e8737a 57 push edi
    76e8737b 55 push ebp
    76e8737c fc cld
    76e8737d 8b5d0c mov ebx,[ebp+0xc] ss:00ae757e=????????
    76e87380 8b4508 mov eax,[ebp+0x8] ss:00ae757e=????????
    FAULT ->76e87383 f7400406000000 test dword ptr [eax+0x4],0x6 ds:00a7a0d8=????????
    76e8738a 0f8588000000 jne 76e87418
    76e87390 8945f8 mov [ebp+0xf8],eax ss:00ae757e=????????
    76e87393 8b4510 mov eax,[ebp+0x10] ss:00ae757e=????????
    76e87396 8945fc mov [ebp+0xfc],eax ss:00ae757e=????????
    76e87399 8d45f8 lea eax,[ebp+0xf8] ss:00ae757e=????????
    76e8739c 8943fc mov [ebx+0xfc],eax ds:00a79ee6=????????
    76e8739f 8b730c mov esi,[ebx+0xc] ds:00a79ee6=????????
    76e873a2 8b7b08 mov edi,[ebx+0x8] ds:00a79ee6=????????
    76e873a5 83feff cmp esi,0xff
    76e873a8 7467 jz 76e90111
    76e873aa 8d0c76 lea ecx,[esi+esi*2]
     
    Tank,
    #3
  5. 2009/07/23
    broni

    broni Moderator Malware Analyst

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.
     
  6. 2009/07/23
    Tank

    Tank Inactive Thread Starter

    Ok here it is:

    ComboFix 09-07-23.02 - Administrator 07/24/2009 0:57.1.1 - FAT32x86
    Running from: e:\documents and settings\Administrator\Desktop\ComboFix.exe
    .
    /wow section - STAGE 32A


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    c:\windows\Installer\1431e34.msi
    c:\windows\Installer\148e988.msi
    c:\windows\Installer\14bbf1.msi
    c:\windows\Installer\1fcf734.msi
    c:\windows\Installer\23278c.msi
    c:\windows\Installer\41bbae.msi
    c:\windows\Installer\48ca8.msi
    c:\windows\Installer\8bff4.msi
    c:\windows\Installer\b821c.msi
    e:\winnt\Web\default.htt




    .
    ((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
    .

    2009-07-24 07:17 . 2009-07-24 07:17 -------- d-----w- e:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2009-07-24 06:48 . 2009-07-24 06:48 -------- d-----w- e:\program files\Support Tools
    2009-07-24 06:37 . 2009-07-24 06:37 16384 ----a-w- e:\winnt\system32\Perflib_Perfdata_1f8.dat
    2009-07-24 06:32 . 2009-07-24 06:32 -------- d-----w- E:\PerfLogs
    2009-07-24 04:08 . 2009-07-24 04:08 -------- d-----w- e:\program files\Netscape
    2009-07-23 18:48 . 2009-07-23 18:48 3775175 ----a-w- e:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-07-23 18:30 . 2009-07-23 18:30 16384 ----a-w- e:\winnt\system32\Perflib_Perfdata_1fc.dat
    2009-07-23 17:29 . 2009-07-23 17:29 16384 ----a-w- e:\winnt\system32\Perflib_Perfdata_1f0.dat
    2009-07-23 17:18 . 2009-07-23 17:18 16384 ----a-w- e:\winnt\system32\Perflib_Perfdata_1f4.dat
    2009-07-17 22:40 . 2009-07-17 22:40 16384 ----a-w- e:\winnt\system32\Perflib_Perfdata_434.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-13 20:36 . 2008-12-22 17:49 38160 ----a-w- e:\winnt\system32\drivers\mbamswissarmy.sys
    2009-07-13 20:36 . 2008-12-22 17:49 18456 ----a-w- e:\winnt\system32\drivers\mbam.sys
    2008-08-22 03:52 . 2008-08-22 03:52 21952 ---h--w- e:\program files\folder.htt
    2008-12-22 17:37 . 2008-08-23 00:49 134648 ----a-w- e:\program files\mozilla firefox\components\brwsrcmp.dll
    .

    ------- Sigcheck -------






    [-] 2002-08-29 14:14 529680 E7A52A434116BC4CD9C9EA57F4BD63AC e:\winnt\system32\comctl32.dll
    [7] 2002-08-29 14:14 529680 9EDC93CC795DFF919C6CD953912838A9 e:\winnt\system32\dllcache\comctl32.dll

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast! "= "e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "Synchronization Manager "= "mobsync.exe" - e:\winnt\system32\mobsync.exe [2003-06-18 111376]

    R3 NtApm;NT Apm/Legacy Interface Driver;e:\winnt\system32\DRIVERS\NtApm.sys [1999-09-25 9104]
    S1 aswSP;avast! Self Protection; [x]
    S2 aswMon;avast! Standard Shield Support; [x]
    S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;e:\winnt\Firebird\bin\fbguard.exe [2006-01-17 65536]
    S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;e:\winnt\Firebird\bin\fbserver.exe [2006-01-17 1527895]

    .
    .
    ------- Supplementary Scan -------
    .
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    LSP: %SystemRoot%\system32\msafd.dll
    FF - ProfilePath - e:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2l23cs8o.default\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-24 01:05
    Windows 5.0.2195 Service Pack 4 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(184)
    e:\winnt\system32\wzcdlg.dll
    e:\winnt\system32\WZCSAPI.DLL
    .
    Completion time: 2009-07-24 1:08
    ComboFix-quarantined-files.txt 2009-07-24 08:08

    Pre-Run: 1,232,719,872 bytes free
    Post-Run: 1,266,253,824 bytes free

    83

    Here is HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:10:34 AM, on 7/24/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    E:\WINNT\system32\cisvc.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\Firebird\bin\fbguard.exe
    E:\WINNT\system32\regsvc.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\Firebird\bin\fbserver.exe
    E:\WINNT\system32\cidaemon.exe
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    E:\WINNT\system32\CF23577.exe
    E:\WINNT\system32\MSTask.exe
    E:\WINNT\system32\notepad.exe
    E:\WINNT\explorer.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    E:\WINNT\System32\WBEM\WinMgmt.exe
    E:\WINNT\system32\WBEM\WinMgmt.exe
    E:\WINNT\system32\drwtsn32.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
    O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - E:\WINNT\Firebird\bin\fbguard.exe
    O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - E:\WINNT\Firebird\bin\fbserver.exe

    --
    End of file - 3067 bytes
     
    Tank,
    #5
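    As an added example (not from the thread, and not ComboFix's or HijackThis's own code), a small Python parser for the "Sigcheck" lines in the ComboFix log above: it pairs each file under system32 with its dllcache copy and reports where the MD5s differ, as they do for comctl32.dll in this log. The first two sample lines are the ones quoted in the log; the last two are constructed for contrast.

```python
"""Flag system files whose live copy differs from the dllcache (Windows File
Protection) copy, using the 'Sigcheck' lines of a ComboFix log as input."""
import re
from collections import defaultdict

# Constructed sample input. The first two lines are the Sigcheck entries quoted in
# the ComboFix log in this thread; the last two are a made-up, matching pair.
SAMPLE_SIGCHECK = r"""
[-] 2002-08-29 14:14 529680 E7A52A434116BC4CD9C9EA57F4BD63AC e:\winnt\system32\comctl32.dll
[7] 2002-08-29 14:14 529680 9EDC93CC795DFF919C6CD953912838A9 e:\winnt\system32\dllcache\comctl32.dll
[7] 2003-06-18 12:00 4096 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA e:\winnt\system32\example.dll
[7] 2003-06-18 12:00 4096 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA e:\winnt\system32\dllcache\example.dll
"""

# One Sigcheck line: [marker] date time size MD5 path. The bracketed marker is
# ComboFix's own verdict; this script records it but does not interpret it.
SIGCHECK_LINE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        # Base name is the pairing key between system32 and its dllcache copy.
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        e["in_dllcache"] = "\\dllcache\\" in e["path"].lower()
        entries.append(e)
    return entries


def find_mismatches(entries):
    """Pair each live system file with its dllcache copy; report differing MD5s."""
    by_name = defaultdict(dict)
    for e in entries:
        by_name[e["name"]]["cache" if e["in_dllcache"] else "live"] = e
    mismatches = []
    for name, pair in sorted(by_name.items()):
        if "live" not in pair or "cache" not in pair:
            continue  # nothing to compare against
        live, cache = pair["live"], pair["cache"]
        if live["md5"] != cache["md5"]:
            mismatches.append({
                "name": name,
                "live_path": live["path"],
                "live_md5": live["md5"],
                "cache_md5": cache["md5"],
                # Same size but different hash is the case worth a closer look.
                "same_size": live["size"] == cache["size"],
            })
    return mismatches


if __name__ == "__main__":
    for m in find_mismatches(parse_sigcheck(SAMPLE_SIGCHECK)):
        print(f"{m['name']}: live {m['live_md5']} != dllcache {m['cache_md5']} "
              f"(same size: {m['same_size']}) -> {m['live_path']}")
```

    A mismatch like this one (same size and date, different hash) is a lead to verify, not a verdict: a hotfix that updated system32 but not dllcache produces the same picture, so compare the live file's hash against a known-good copy before treating it as a replaced DLL.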
  7. 2009/07/23
    Tank

    Tank Inactive Thread Starter

    Hello broni,
    It's a bit late here in Brazil (1:22 am) and I'm beginning to get double vision so I'll check out for tonight. Thanks for the help and I hope the last logs (ComboFix and HijackThis) may shed some light. Good night and thanks again.
    Tank
     
    Tank,
    #6
  8. 2009/07/23
    broni

    broni Moderator Malware Analyst

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    folder.htt located @ e:\program files
    Post scan results.

    Also, reinstall Avast, and see, if it'll run.
     
  9. 2009/07/23
    broni

    broni Moderator Malware Analyst

    I didn't see your last reply, so.....Good Night :)
     
  10. 2009/07/24
    Tank

    Tank Inactive Thread Starter

    Hello broni,
    I uploaded the file and the results are at the end of this message. I also reinstalled Avast but it still will not open. The On-access scanner and VRDB generator icons are where they should be but the scanner won't load (internal error, etc.).

    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.04.03 -
    AhnLab-V3 5.0.0.2 2009.04.03 -
    AntiVir 7.9.0.129 2009.04.03 -
    Antiy-AVL 2.0.3.1 2009.04.03 -
    Authentium 5.1.2.4 2009.04.03 -
    Avast 4.8.1335.0 2009.04.02 -
    AVG 8.5.0.285 2009.04.03 -
    BitDefender 7.2 2009.04.03 -
    CAT-QuickHeal 10.00 2009.04.03 -
    ClamAV 0.94.1 2009.04.03 -
    Comodo 1097 2009.04.03 -
    DrWeb 4.44.0.09170 2009.04.03 -
    eSafe 7.0.17.0 2009.04.02 -
    eTrust-Vet 31.6.6434 2009.04.03 -
    F-Prot 4.4.4.56 2009.04.02 -
    F-Secure 8.0.14470.0 2009.04.03 -
    Fortinet 3.117.0.0 2009.04.03 -
    GData 19 2009.04.03 -
    Ikarus T3.1.1.49.0 2009.04.03 -
    K7AntiVirus 7.10.690 2009.04.01 -
    Kaspersky 7.0.0.125 2009.04.03 -
    McAfee 5572 2009.04.02 -
    McAfee+Artemis 5572 2009.04.02 -
    McAfee-GW-Edition None 2009.04.03 BlockReason.0
    Microsoft 1.4502 2009.04.03 -
    NOD32 3985 2009.04.03 -
    Norman 6.00.06 2009.04.02 -
    nProtect 2009.1.8.0 2009.04.03 -
    Panda 10.0.0.14 2009.04.03 -
    PCTools 4.4.2.0 2009.04.02 -
    Prevx1 V2 2009.04.03 -
    Rising 21.23.41.00 2009.04.03 -
    Sophos 4.40.0 2009.04.03 -
    Sunbelt 3.2.1858.2 2009.04.03 -
    Symantec 1.4.4.12 2009.04.03 -
    TheHacker 6.3.4.0.300 2009.04.03 -
    TrendMicro 8.700.0.1004 2009.04.03 -
    VBA32 3.12.10.2 2009.04.02 -
    ViRobot 2009.4.3.1676 2009.04.03 -
    VirusBuster 4.6.5.0 2009.04.02 -
    Additional information
    File size: 21952 bytes
    MD5 : 607deaa5af5ebb9b1018f9599e438962
    SHA1 : 48afa6a59abc18d68a3576e57ccbdc7d90f02399
    SHA256: aff4c440f9278fe955e74065fac78ad5dbf8a4a26dd8f3e4c7ba9d292c89d480
    TrID : File type identification
    Warning: file seems to be plain text/ASCII
    TrID is best suited to analyze binary files!
    100.0% (.HTML) HyperText Markup Language (3000/1/1)
    ssdeep: 384:r0Aiuie8iviYkZtgy3mQDEiCiui9iSvici1iLvMMT6:r0d/exqYkZt33mKr/s5RkLE
    PEiD : -
    RDS : NSRL Reference Data Set

    ( Compaq )

    Compaq Operating System CD: __0x004f
     
    Tank,
    #9
  11. 2009/07/24
    broni

    broni Moderator Malware Analyst

    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u"
    Restart computer.


    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


    Post fresh HijackThis log as well.
     
  12. 2009/07/26
    Tank

    Tank Inactive Thread Starter

    Hello again broni,
    I ran the command (combofix /u) but all it did was open the folder ComboFix. I couldn't identify any uninstall file within that folder so I wasn't able to uninstall Combofix. As it seems an important step I'll wait for further instructions as to how to uninstall ComboFix.
    Thanks
    Tank
     
  13. 2009/07/26
    broni

    broni Moderator Malware Analyst

    Delete Combofix, Qoobox folders, and Combofix.txt file from C:
    Delete Combofix from your desktop
     
  14. 2009/07/27
    Tank

    Tank Inactive Thread Starter

    Ok, I ran Dr.Web and the complete scan found 4 items. I clicked on cure and these items were deleted. Then I rebooted and did HJT scan. The pop up still appears. Also, the viruses found by Dr.Web were in the C: partition which is the win98. The E: partition is the one with win2k showing the pop up etc.
    Here are the logs:

    SnAgOS.EXE;C:\WINDOWS\SYSTEM;Probably MULDROP.Trojan;Incurable.Deleted.;
    pskill.exe;C:\WINDOWS\SYSTEM32;Tool.Prockill;Incurable.Deleted.;
    gbiehabn.dll;C:\WINDOWS\Downloaded Program Files;Probably BACKDOOR.Trojan;Incurable.Deleted.;
    gbiehabn.dll[1].updc;C:\WINDOWS\Temporary Internet Files\Content.IE5\CXURC1MV;Probably BACKDOOR.Trojan;Incurable.Deleted.;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:40:26 AM, on 7/27/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    E:\WINNT\system32\cisvc.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\Firebird\bin\fbguard.exe
    E:\WINNT\system32\regsvc.exe
    E:\WINNT\system32\MSTask.exe
    E:\WINNT\system32\svchost.exe
    E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    E:\WINNT\Firebird\bin\fbserver.exe
    E:\WINNT\Explorer.EXE
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    E:\WINNT\System32\WBEM\WinMgmt.exe
    E:\WINNT\system32\WBEM\WinMgmt.exe
    E:\WINNT\system32\drwtsn32.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
    O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - E:\WINNT\Firebird\bin\fbguard.exe
    O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - E:\WINNT\Firebird\bin\fbserver.exe

    --
    End of file - 3080 bytes
     
  15. 2009/07/27
    broni

    broni Moderator Malware Analyst

    OK. Your computer is malware free, so the last step would be...

    Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    Now, regarding the error.
    I hope this script works in Win 2K...

    Please download VEW and save it to your Desktop: http://images.malwareremoval.com/vino/VEW.exe

    Double-click VEW.exe then under Select log to query, select:
    Application
    System


    Under Select type to list, select:
    Error

    Click the radio button for Number of events
    Type 20 in the 1 to 20 box
    Then click the Run button.
    Notepad will open with the output log.

    In Notepad, click Edit > Select all then Edit > Copy
    Reply to this post, click in the reply window and press Ctrl+V on your keyboard to paste the log.
     
  16. 2009/07/27
    Tank

    Tank Inactive Thread Starter

    Hi, when I clicked run on VEW, I immediately got the infamous pop up and right after it another pop up:

    Title: Dr Watson Fatal Error

    Content: Dr Watson was unable to attach to the process. It is possible that process exited before Dr Watson could attach to it.

    Windows 2000 returned error code=2
    The system cannot find the file specified.

    Then I clicked ok and a pop up from VEW informed:

    Run-time error '429'
    Active X component can't create object

    I tried running VEW two more times but I kept getting the last pop up.

    On the bright side, ever since I ran the cleaner, I don't get the pop up all the time. It only appears when I try to open Internet Explorer or Add/Remove programs and when it appears, it is immediately followed by the other I described above (Content: Dr Watson was unable to attach to the process. It is possible that process exited before Dr Watson could attach to it.)
     
  17. 2009/07/27
    broni

    broni Moderator Malware Analyst

  18. 2009/07/27
    Tank

    Tank Inactive Thread Starter

    Ok. I've disabled Dr Watson. IE explorer will complain of some error and so will Add/Remove programs before they close, but all in all, considering this old PC, I can get by with Firefox. Could you suggest a decent free antivirus that will work on win2k? Avast will refuse to run.

    And many thanks for your help. I can at least navigate without worries and annoyances.

    Good night broni!
     
  19. 2009/07/27
    broni

    broni Moderator Malware Analyst

    Avast should run with no problem on Win 2K. It works on mine.
    What's happening?
     
  20. 2009/07/27
    Tank

    Tank Inactive Thread Starter

    Well, the on-access scanner icon is active erratically, and when I click to scan I get an internal error that Avast recommends I send in with details to help the development of the program. However, I'm beginning to feel there is some hardware problem such as a bad memory chip. Every now and then I get an Application Error from WinMgmt.exe that says "The instruction at "0x77fcc663" referenced memory at "0x4d000079". The memory could not be "written".
     
  21. 2009/07/27
    broni

    broni Moderator Malware Analyst

    That kind of error may be caused by some infection, but....we ran all scans already.

    Try to run VEW one more time.
    If no go, and since your computer is clean, I'll have no option but send you to regular Windows section, since the access to HJT board is very limited.
     
