Nagging Problem

[bsb]

I have got a AMD Athlon 2800, 512 MB running XP on it. Facing two problems

1. If my computer is idle for more than 15-20 second I get a message (exception) which says
"Resource manager::getArchiveStream - unable to find file in archive: config\stages\ssManifest.xml"

2. I keep getting an html page (BronkA) and a dialog box short of thing in a strange language which probably wants me to click on 'ok'. Neverthless, it goes off with ctrl+F4. I could find the location of html file but deleting it is of no use as it rebuild the page everytime I restart.

Nothing serious so far but it is too nagging to get these things again and again. The log file of 'HijackThis' is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 12:03:23 AM, on 13/09/06
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
D:\Program Files\Raxco\PerfectDisk\PDSched.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Huawei\MT841\dslagent.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\program files\Spyware Doctor\swdoctor.exe
D:\program files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Documents and Settings\BSB\Local Settings\Application Data\winlogon.exe
C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
D:\program files\ATI Technologies\ATI.ACE\CLI.exe
D:\program files\ClickTray Calendar\ClickTray.exe
D:\program files\OpenOffice.org1.1.1\program\soffice.exe
C:\Documents and Settings\BSB\Local Settings\Application Data\services.exe
C:\Documents and Settings\BSB\Local Settings\Application Data\lsass.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\program files\Opera75\opera.exe
D:\program files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\ping.exe
C:\WINDOWS\System32\ping.exe
C:\WINDOWS\System32\ping.exe
C:\WINDOWS\System32\ping.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\ZipGenius 5\zipgenius.exe
C:\DOCUME~1\BSB\LOCALS~1\Temp\ZGTemp\HijackThis.ex e

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.rd.yahoo.com/slv/ycheck/as/*http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.rd.yahoo.com/slv/ycheck/as.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.zdnetindia.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://in.rd.yahoo.com/slv/ycheck/as...om/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\program files\Yahoo!\Messenger\Companion\Installs\cpn\yt.d ll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - D:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT841\dslagent.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKLM\..\RunServices: [Gate Personal Firewall] systpl.exe
O4 - HKLM\..\RunServices: [Microsoft World Service] winworld.exe
O4 - HKLM\..\RunServices: [Microsoft Debug Service] debug32.exe
O4 - HKLM\..\RunServices: [Dev Gnu Cpp] devcpp.exe
O4 - HKLM\..\RunServices: [Windows Smart Manager] smart.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\program files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Microsoft World Service] winworld.exe
O4 - HKCU\..\Run: [Gate Personal Firewall] systpl.exe
O4 - HKCU\..\Run: [Windows Smart Manager] smart.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\program files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\BSB\Local Settings\Application Data\smss.exe"
O4 - Startup: OpenOffice.org 1.1.1.lnk = D:\program files\OpenOffice.org1.1.1\program\quickstart.exe
O4 - Startup: ClickTray Calendar.lnk = D:\program files\ClickTray Calendar\ClickTray.exe
O4 - Startup: Empty.pif = ?
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = D:\program files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.zdnetindia.com
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/download...ameManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4625B2A1-41AD-406B-AB3A-87FCDB0E3D42}: NameServer = 218.248.255.145 61.1.96.71
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

Can somebody please advise me, what to do.

BSB

check out hijackthis.de for some help

[gary4gar]

try remove the following processes
C:\Documents and Settings\BSB\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\BSB\Local Settings\Application Data\services.exe
C:\Documents and Settings\BSB\Local Settings\Application Data\lsass.exe
O4 - HKLM\..\RunServices: [Microsoft World Service] winworld.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1

[Vishal Gupta]

Also fix these:

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\BSB\Local Settings\Application Data\smss.exe"
O4 - Startup: Empty.pif = ?
O4 - Global Startup: SATARaid.lnk = ?

[slagad]

I don't know if this will work, but after following the above steps clean your Registry with a good software, like SYstem Mechanic.

[bsb]

Hi!,

I am sorry but none of the above worked.... can you suggest something more.

Regards,

bsb

[sakumar79]

These entries

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O17 - HKLM\System\CCS\Services\Tcpip\..\{4625B2A1-41AD-406B-AB3A-87FCDB0E3D42}: NameServer = 218.248.255.145 61.1.96.71

seems fishy. Any clues what they are?

First, enter safe mode. Fix up as informed by gary4gar and Vishal Gupta. Then, fix these two entries after making sure they are not needed. Then, if problem continues rerun HijackThis and post a fresh log.

Could you also inform what antivirus and anit-spyware software you are using to check for problems? Also, do you have a firewall especially if you are on broadband?

Arun

Arun

[anandk]

ur comp has been infected with the W32.Netsky malware and winworld.exe, added by an unidentified IRC worm with backdoor capability, amongst other things. copy-paste ur logfile in www.hijackthis.de to get complete analysis.

download install and updated any 2 of the following anti-spyware :
adaware, ewido, windows defender, spyware sweeper, spyware doctors, spybot, xoftspy.

go into safe mode and run their scans. then run any good junk cleaner like say 'ccleaner' to clear up ur residual pc junk. reboot.

if need be, while in safe mode,delete
C:\Documents and Settings\BSB\Local Settings\Application Data\lsass.exe C:\Documents and Settings\BSB\Local Settings\Application Data\services.exe
C:\Documents and Settings\BSB\Local Settings\Application Data\winlogon.exe

should help !

[Ramakrishnan]

Use spyware remover Xoftspy SE. Your PC is infected with spyware.