Help! Suspicious Activity On pc.

Frustrated is the best word to describe how I feel about my Dell pc. I was having what I thought was virus activity so I reinstalled Windows. Followed everything to the letter as far as keeping viruses and malware out. As soon as I completed the install I installed a firewall, Avast and then Spybot etc. before connecting to the internet and installing updates. Avast is new for me. I used AVG for years before the reinstall. The issues of suspicion are with IE 7 crashing and various programs crashing, including a BSOD when Windows started this morning. Now I don’t know if these are bugs or virus/malware related issues or not, but a Windows blue screen is very common for this machine after reinstalling Windows. There are programs of suspicion as well that I’m wondering may be causing some of these issues, such as K-Lite Codec Pack and Foxit Reader. I apologize in advance if any of the foregoing information is not clear, but I am tired and frustrated with dealing with these repeating issues with this machine. Also, since Avast, Spybot, and AVG/Ewido antispyware have not detected or have since removed any infected files, I have sought help from another known online source by the name of pcpitstop. I came across the name of their site in troubleshooting these problems so I decided to give them a try. But when I started the scan I didn’t disable Avast and it detected what it said was a virus/worm or malware by the name win32:kuang2. Now my first thought was I just didn’t turn off Avast before the scan, right? But why would it detect an actual virus, not suspicious activity? Anyway, frankly that’s the least of my problems right now. I will attach a hjt log and a list of running programs from task mgr. I would like to thank any and all who post advice and make sense out of this. Thank you, your help is greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:12 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196548102001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196575334171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 4730 bytes

Hi frustrated2,

There is little comfort in the conclusion that your hjt log seems as clean as a baby’s buttocks, so I fear you should contact someone about your Dell hardware. Alas, these things happen. So you need the repair man, not the antimalware man.

polonus

Hmm… maybe you’re right. It just seems as though reinstalling Windows cures all that ails a puter though. I guess I’m having trouble accepting the fact that it’s a hardware problem, not software. I’m now questioning if I performed the install right, meaning I deleted the partition and formatted the hdd, but the browser ie7 is performing the same way as before the reinstall. p.s. I like the emotik komputer knuppelen.gif, that’s exactly the way I feel >:(

Not only does your HJT log look clean it is one of the shortest I’ve seen in a while.

When you ran the pcpitstop scan, I don’t know what AV engine it uses (but it could be Panda) or its virus signature files, and I suspect that it is detecting an unencrypted virus signature file rather than a specific virus infection.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

Is there anything in the windows event viewer that might be of help ?

The BSOD has some information on it, not very user friendly admittedly, but as much of that information as possible could also be helpful, primarily the stop error code, for example 0x0000007E, etc. There might also be something like this, in all caps with _ underscores separating the words, DRIVER_IRQL_NOT_LESS_OR_EQUAL, etc.

Okay, I have to take a breath now. What I just spent a half hour typing and looking up info for was deleted because the file attached exceeded the maximum size allowed.

This is what the Avast log recorded at the time of detection:
12/11/2007 12:18:28 PM SYSTEM 1888 Sign of "Win32:Kuang2" has been found in "http://www.pcpitstop.com/antivirus/PitPav.cab\PitPav.exe\$[14358]\Pavdll.dll" file.

Also, you asked about the Windows event viewer. Well, you’re right, not very user friendly. But I found several errors, nothing matching what you described, and since I don’t know the time that it happened I’m having trouble looking it up. It blue screened at startup so I don’t know where to look in the application folder or system folder of the event viewer. You actually might have been referring to the information on the screen at the time it happened, but since installing this video card, Ati x800 gto, every time the puter does something at startup like an Avast scan or the welcome screen, the screen is split. ??? So I don’t know what was on the screen. By the way, thanks for posting, I greatly appreciate your help.

Well, that certainly looks like pcpitstop uses the Panda engine (pav = Panda Anti Virus) and an unencrypted signatures file, pavdll.dll, so the detection is good in one respect, it detected a signature, but it isn’t a true virus and avast can’t determine that.

The above would have been detected by the web shield since it is a URL, and it should have given one option, abort connection, so that PitPav.cab (archive file) containing the .exe file containing the dll signature file shouldn’t have been downloaded completely before detection. Even so, it might have been a very large file which exceeded the default max file size or chest size. These default sizes can be modified: right click the avast ‘a’ icon, Program settings, Chest.

BSODs don’t show up in the event viewer as by their nature the crash stops any log being created. I was hoping that there might have been persistent errors relating to one application, either in the Application or System section of the event viewer. Unfortunately any BSOD information has to be manually recorded as there is no log to record it.

I have in the past taken a digital photo of BSODs but you have to edit the image or reduce the resolution/quality of the picture taken or they are huge files.
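The mechanism DavidR describes above, a second engine flagging another vendor's unencrypted signature file because the file literally contains the byte patterns it was built to detect, is easy to reproduce in miniature. The following is an added illustration, not code from this thread or from any antivirus vendor: a toy byte-pattern scanner, two constructed marker strings standing in for real signatures, and two ways of storing the database. The XOR-plus-hex encoding is a stand-in for whatever real engines do (compression, encryption, hashing); the point is only that the literal pattern bytes no longer sit in the file.

```python
"""Why one antivirus engine can flag another engine's signature database.

Toy scanner whose signatures are raw byte patterns. If the database stores
those patterns verbatim ("unencrypted"), the database file itself matches
every signature it holds, so a second scanner inspecting the download reports
a "virus" that is really just somebody else's detection data. Storing the
patterns in an encoded form removes the self-match while the scanner that
owns the database can still decode and use them.
"""

# Constructed, harmless marker strings standing in for detection patterns.
TOY_SIGNATURES = {
    "Toy:Alpha": b"ALPHA-MARKER-0001",
    "Toy:Beta": b"BETA-MARKER-0002",
}

XOR_KEY = 0x5A  # toy obfuscation key; any reversible encoding would do


def scan_bytes(data, signatures=TOY_SIGNATURES):
    """Return the sorted names of all signatures whose pattern occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def build_plain_db(signatures=TOY_SIGNATURES):
    """Naive database: 'name=pattern' lines holding the raw pattern bytes.

    This is the 'unencrypted signature file' case discussed in the thread.
    """
    return b"\n".join(name.encode() + b"=" + pattern
                      for name, pattern in signatures.items())


def build_encoded_db(signatures=TOY_SIGNATURES, key=XOR_KEY):
    """Database with each pattern XORed against key and hex-encoded.

    The literal pattern bytes never appear in the file, so a byte-pattern
    scanner from another vendor finds nothing to match on.
    """
    lines = []
    for name, pattern in signatures.items():
        encoded = bytes(b ^ key for b in pattern).hex().encode()
        lines.append(name.encode() + b"=" + encoded)
    return b"\n".join(lines)


def load_encoded_db(blob, key=XOR_KEY):
    """Inverse of build_encoded_db: recover the name -> pattern mapping."""
    signatures = {}
    for line in blob.split(b"\n"):
        name, encoded = line.split(b"=", 1)
        raw = bytes.fromhex(encoded.decode())
        signatures[name.decode()] = bytes(b ^ key for b in raw)
    return signatures


def demo():
    """Show the false positive on the plain DB and its absence on the encoded one."""
    plain_hits = scan_bytes(build_plain_db())      # the DB trips every signature
    encoded_hits = scan_bytes(build_encoded_db())  # nothing literal to match
    # The engine that owns the encoded DB still detects a file carrying a pattern.
    sample = b"constructed file body ... ALPHA-MARKER-0001 ... end"
    real_hits = scan_bytes(sample, load_encoded_db(build_encoded_db()))
    return plain_hits, encoded_hits, real_hits


if __name__ == "__main__":
    plain, encoded, real = demo()
    print("plain DB scanned by another engine:  ", plain)
    print("encoded DB scanned by another engine:", encoded)
    print("sample scanned with decoded DB:      ", real)
```

Running it shows the plain database "infected" with both toy signatures while the encoded one is clean, and the decoded database still catches the constructed sample. The same logic explains why a web shield that unpacks a CAB and the executable inside it can end up matching a nested DLL that is nothing but another product's signature data.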

Thanks again for posting your comments, and once again your help is greatly appreciated. There were many events in the system and application event viewer. I don’t know if you need me to copy and post these events. Most definitely finding the cause of the BSOD would help solve problems on my computer, but with the limited experience I have that will be difficult, and money is tight right now. So I can’t afford to take it in for service. Basically this forum seems to be my only alternative. There are other reasons why I think these problems are software related, such as red “X’s” appearing where images should be on a web page. I used to think it was the security settings I have set in Internet Explorer, which is set to medium. But it just seems unlikely to me that this is the reason, but again, with my limited exp. I don’t know for sure. Almost forgot, I wanted to ask if you have advice on how to solve the split screen issue at startup. For example, this happens when I do an Avast boot scan. I’m sure it’s the video card causing this, but when the desktop is up the video is fine, so it can’t be the resolution, right?

One other thing I wanted to mention is that pages seem to take a longer time to load. I don’t know if these incidences are random in all cases, but some are. For example: right now I have three or four pages open doing more than one task at a time, and when I opened this page to add this post my home page, which is msn, took over a minute to load. Some pages take over three minutes and often time out.

No, don’t post them, it is just to try and see if there was any common recurring problem with one application or system function.

Red crosses in place of images is a common problem in IE, or it used to be; I don’t know if that has been inherited by IE7. The previous versions suffered from it and clearing the browser cache was the usual suggested resolution. I don’t know if that will work with IE7, I don’t use it and try to avoid IE6 like the plague also, I much prefer Firefox. Unfortunately that wouldn’t be related to any BSOD.

Sorry, I haven’t come across this split screen on boot, most strange.

Resolution on boot would be different from when the system is up and running, as the drivers would have been fully loaded in the Windows start. I haven’t used any ATI graphics card for many, many years, I have nvidia graphics.

I don’t know what your monitor is; mine, a 20" TFT, has an auto setup key that gives the best image for a particular situation. When I first used it in safe mode the default resolution is 800x600 256 colour and pressing the auto setup gave the best picture. I can’t recall if I also did this when I did a boot scan, but I did it with another application which runs before Windows and that expanded the image to fill the screen.

I don’t know if this will help that much, but it is all I have other than reinstalling the video card’s graphics drivers, and that isn’t easy to try to explain.

Also see http://www.google.com/search?q=split+screen+at+startup, the results of a google search.

The forums have been slow for me today so I don’t know if this is also what you are experiencing.

OT

Same this morning as we’ve discussed before. This time, though, I was hit with a port scan each time I clicked the forum link. ???

I had lots of “the server might be busy” and gave up for an hour or so early afternoon (morning for you), and then slow page loads, etc. Seems to be OK at the moment (fingers crossed). No port scans though.