A Windows XP help forum. PCbanter


Anti-virus, anti-spyware freezing in Win XP



 
 
  #1  
Old October 27th 07, 11:05 PM posted to microsoft.public.windowsxp.security_admin
Munchausen

Recently my AVG Anti-Virus & Anti-Spyware began freezing at C:\System Volume
Information\tracking.log.

Lavasoft Ad-Aware 2007 v. 7.0.2.3 froze, too. The results were (1) Total
infections detected: 33; and (2) after 11 hours, still wasn’t finished
scanning, having frozen at C:\System Volume
Information\MountPointManagerRemoteDatabase.

The first time I ran RootkitRevealer.exe, I got the following data, which I
can't interpret:
HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec 10/23/2007 7:21 a.m. 5 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 7/20/2005 11:28 a.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 7/20/2005 11:28 a.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32\ThreadingModel 10/16/2007 10:55 a.m. 5 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10/23/2007 7:21 a.m. 80 bytes Data mismatch between Windows API and raw hive data.

The second time I ran RootKitRevealer, it froze on C:\System Volume
Information\. (Don't know why I ran it again since I didn't understand what
it was telling me the first time.)

Windows OneCare Live Safety Scanner froze at 20% into the virus and spyware
scan, telling me “2 items detected, 1 issue found.”

Trend Micro House Call 6.5 froze at “Step 2: Scanning local computer and
connected components – 2 ¼ hours – scanning files and folders.”

HouseCall 6.6 froze at “Step 2: Scanning local computer and connected
components – 2 ½ hours – scanning files and folders”

Panda ActiveScan 5.54.01 froze at C:\.

When I ran the latest Microsoft Malicious Software Removal Tool, it froze at
C:\System Volume Information\MountSharePointManagerRemoteDatabase.

NOD32 freezes repeatedly at C:\RECYCLER or C:\System Volume
Information\MountPointManagerRemoteDatabase

Any suggestions would be gratefully appreciated, folks.
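
An added example, not part of the original post and not Sysinternals code: a small Python parser that rejoins the hard-wrapped RootkitRevealer lines quoted above and tallies the entries by registry root and discrepancy type, so a long listing can be read as a handful of groups. The entry layout (path, date, time, size, description) is inferred from the lines in the post; `SAMPLE` is a constructed excerpt of four of them.

```python
import re
from collections import Counter

# Constructed sample: four entries taken from the post above, hard-wrapped
# the way the newsreader wrapped them.
SAMPLE = r"""HKU\S-1-5-18\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\ParseAutoexec 10/23/2007 7:21 a.m. 5 bytes Data
mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 7/20/2005 11:28 a.m. 0 bytes Key name
contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 11/28/2005 1:13 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10/23/2007 7:21 a.m. 80
bytes Data mismatch between Windows API and raw hive data.
"""

# Assumption: every entry starts at a registry root (HKLM, HKU, ...) or a
# drive letter; any other line is the wrapped tail of the previous entry.
ENTRY_START = re.compile(r"^(?:HK[A-Z_]+|[A-Za-z]:)\\")
ENTRY = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}\s+[ap]\.m\.)\s+"
    r"(?P<size>\d+)\s+bytes\s+(?P<desc>.+)$"
)

def unwrap(text):
    """Rejoin wrapped lines into one string per entry; a blank line ends an entry."""
    entries, open_entry = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            open_entry = False
        elif ENTRY_START.match(line) or not open_entry:
            entries.append(line)
            open_entry = True
        else:
            entries[-1] += " " + line
    return entries

def parse(text):
    """Return one dict per discrepancy line; anything else is skipped."""
    rows = []
    for raw in unwrap(text):
        m = ENTRY.match(raw)
        if not m:
            continue  # surrounding prose, not a discrepancy entry
        desc = re.sub(r"\s*\(\*\)$", "", m["desc"]).rstrip(".")
        rows.append({
            "path": m["path"],
            "root": m["path"].split("\\", 1)[0],
            "modified": f'{m["date"]} {m["time"]}',
            "size": int(m["size"]),
            "description": desc,
        })
    return rows

def summarize(rows):
    """Count entries per (registry root, discrepancy description)."""
    return Counter((r["root"], r["description"]) for r in rows)

if __name__ == "__main__":
    for (root, desc), n in sorted(summarize(parse(SAMPLE)).items()):
        print(f"{n:3d}  {root:5s} {desc}")
```
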
  #2  
Old October 27th 07, 11:35 PM posted to microsoft.public.windowsxp.security_admin
MAP

Shut off system restore (system volume) and reboot, re-run scans
--
Mike Pawlak



  #3  
Old October 28th 07, 07:37 PM posted to microsoft.public.windowsxp.security_admin
Munchausen

Dear Mike,

I did as you suggested and chose as my first scan Trend Micro HouseCall 6.5,
but it froze at the same file as before – C:\System Volume
Information\MountPointManagerRemoteDatabase.

I'm open to any other suggestions, sir, and I'm eager to employ them.

Thank you.


  #4  
Old October 29th 07, 01:55 AM posted to microsoft.public.windowsxp.security_admin
No_Name

Hi,

I am experiencing the same, and like you, suspect a root kit
infection. Found this page with Google.

http://www.avira.com/en/threats/sect...r_vidro.u.html

A root kit which hides itself in the tracking log file.

I have downloaded Avira and am running it overnight to see how it gets
on.




  #5  
Old October 29th 07, 05:41 PM posted to microsoft.public.windowsxp.security_admin
Munchausen

Thanks. I've downloaded the RootkitRevealer and I'm running it now.

What did you run -- the anti-virus program?

What were your results?






  #6  
Old October 29th 07, 06:22 PM posted to microsoft.public.windowsxp.security_admin
No_Name

Hi,

ran Avira overnight and it freezes when coming to C:\System Volume
Information\tracking.log ... It claims to run rootkit checks before
starting the virus check.

I wasn't using System Restore and had already turned it off before I
had these problems.




  #7  
Old October 29th 07, 07:07 PM posted to microsoft.public.windowsxp.security_admin
Munchausen

Presently, I'm running http://www.kaspersky.com/kos/english/kavwebscan.html,
which hasn't given me any results yet. But BitDefender, which I'm also
running, discovered, tried to repair but then deleted a Trojan called
"BehavesLike:BAT.Gen." It's still running so it might find more Trojans,
viruses

Symantec Security Check has detected one "threat," but until it's finished
with its "deep scan," I won't be able to read or see the results.

When I get results, I'll pass them along.

Maybe, together, we can straighten this mess out.






  #8  
Old October 31st 07, 05:26 PM posted to microsoft.public.windowsxp.security_admin
FinnbarSaunders



Hi, back after a name change, hopefully my email address will no
longer be up on the internet. I wonder if "report inappropriate
content" will delete the posts with my email address. I tried Kaspersky
before, and it got stuck on tracking.log. I use ZoneAlarm as my
everyday virus checker, it was sticking there too, and ZA uses the
Kaspersky engine, so not surprising that if one gets stuck the other
does too.

I'll try BitDefender overnight

cheers

  #9  
Old October 31st 07, 05:48 PM posted to microsoft.public.windowsxp.security_admin
FinnbarSaunders


interesting link on malware and rootkits. You need to install the new
MS player software

http://www.microsoft.com/emea/spotli..._Cleaning.aspx

  #10  
Old December 1st 07, 02:19 PM posted to microsoft.public.windowsxp.security_admin
echodog

Hi -

My AVG is doing the same thing. Yesterday I turned off System Restore,
rebooted, and deleted the System Volume Information directory. AVG ran
perfectly. I then turned System Restore back on - and guess - AVG froze up on
the System Volume Information directory AGAIN.

I run AVG on three computers - it's only happening on one.



  #11  
Old October 7th 08, 01:17 PM posted to microsoft.public.windowsxp.security_admin
stever


I would like to thank you people for making such a great software
www.search-and-destroy.com . It has made my work easy. My pc is now fast
and stable. I am least concerned about my programs getting crashed.
Thanks a lot.....


--
stever

 










All times are GMT +1.

