HijackThis Log Help: Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.
#1
Registered User
Join Date: Oct 2004
Posts: 15
OS: Win XP SP1
Unexpected Power Off
A few weeks ago my computer began to power off unexpectedly. No warnings, no error messages, just like I simply unplugged it. My system would shut off like this about every other day, but then it started shutting down more often, like once a day, or twice a day. The intervals between shutdowns kept getting shorter until I couldn't even load Windows without the system powering off.

I could enter the BIOS and I noticed the CPU temperature was 200-210 F. At this point, I could leave the computer off for about an hour, and it would then start up and run for about 10 minutes before powering down. The CPU temperature was back to around 200 F after every shutdown. After several failed attempts, I managed to run a system restore before the power shut off. After I did this, everything seemed to work nicely. Until I ran a virus scan. Midway through the scan, the system powered down, and led me into the same shut-off cycle I was in before. This time, the only way I could get a system restore to complete was by restarting with "Windows Domain Controllers Only." After the restore, the system again worked fine... until I tried another virus scan, this time with a different program. It powered down, CPU temp was high, same deal. Well, I system restored again and DIDN'T do a virus scan and now my system is semi-stable. It will power down unexpectedly almost every day, and I will run a system restore every couple of days.

Interestingly, my friend (who is on the same network) had the same problem on his laptop. After a complete reformat, his computer quit having the problem. I want to avoid a reformat. I thought it was a BIOS virus affecting CPU fan speed or something so I flashed the BIOS, but that didn't improve anything. I doubt it is a hardware problem, because if it were, a system restore shouldn't have any effect. Anyone have any ideas?
#2
Manager, The Relaxation Room/Analyst, Security Team
Join Date: Oct 2004
Posts: 10,735
OS: xp
Well, if it's a virus or malware, most of the time we can see it through the HijackThis log. I won't send you to do an online scan; you might have the same shutdown problem. Instead, get HijackThis 1.98.2, install it inside a folder anywhere in C:, and post a HJT log in this thread. http://www.softpedia.com/public/cat/...10-17-69.shtml
#3
Registered User
Join Date: Oct 2004
Posts: 15
OS: Win XP SP1
I have tried online virus scans and they too cause a system shut down. Here is the log:
Logfile of HijackThis v1.98.2
Scan saved at 10:50:45 PM, on 10/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\PowerManager\upssrv.exe
D:\PowerManager\upsio.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
D:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\WINDOWS\System32\RUNDLL32.exe
D:\Program Files\WinPortrait\wpctrl.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
D:\Program Files\Winamp\winampa.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\AIM\aim.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\WinPortrait\floater.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Wolfram Research\Mathematica\5.0\SystemFiles\FrontEnd\Binaries\Windows\Mathematica.exe
D:\Program Files\Wolfram Research\Mathematica\5.0\MathKernel.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\DOCUME~1\Jeff\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "D:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PivotSoftware] "D:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] D:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Zone Labs Security.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - D:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - D:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - D:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - D:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/p...tx/install.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/act...a/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/act...ActiveData.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usc.edu
#6
Registered User
Join Date: Oct 2004
Posts: 15
OS: Win XP SP1
(The previous post was actually from the older version... here is the new version. I don't know if there is a difference.)
Logfile of HijackThis v1.98.2
Scan saved at 11:02:59 PM, on 10/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\PowerManager\upssrv.exe
D:\PowerManager\upsio.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
D:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\WINDOWS\System32\RUNDLL32.exe
D:\Program Files\WinPortrait\wpctrl.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
D:\Program Files\Winamp\winampa.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\AIM\aim.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\WinPortrait\floater.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Wolfram Research\Mathematica\5.0\SystemFiles\FrontEnd\Binaries\Windows\Mathematica.exe
D:\Program Files\Wolfram Research\Mathematica\5.0\MathKernel.exe
D:\DOCUME~1\Jeff\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe
D:\Program Files\Opera75\opera.exe
D:\WINDOWS\System32\WISPTIS.EXE
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\Documents and Settings\Jeff\My Documents\HijackThis.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Jeff\My Documents\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "D:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PivotSoftware] "D:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] D:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Zone Labs Security.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - D:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - D:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - D:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - D:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/p...tx/install.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/act...a/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/act...ActiveData.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usc.edu
#10
Manager, The Relaxation Room/Analyst, Security Team
Join Date: Oct 2004
Posts: 10,735
OS: xp
Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked":

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O8 - Extra context menu item: Open Client to monitor &1 - D:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - D:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/...stx/install.cab

Restart to safe mode. How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

Now find and delete AWS\WeatherBug from Add/Remove Programs.

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.

Please read this: http://securityresponse.symantec.com....lastdoor.html

Submit that file to: http://virusscan.jotti.dhs.org/ Look at the top of the page for the Submit file box. Click on Browse, upload the Rundll32.exe file and let us know what you find.
#12
Analyst, Security Team
Please post a new log file for us to verify if it's clean.
Any problems now?
#13
Registered User
Join Date: Oct 2004
Posts: 15
OS: Win XP SP1
Sorry this took so long, but my internet quit working there for a while. Anyway, I thought it might be interesting to point out that my idle CPU temp is ~60 °C. If I run any computationally intensive programs (Mathematica, virus scan, etc.) the temperature skyrockets. I've seen it hit 100 °C before I've killed the application and watched the temperature slowly go back down to about 60 °C. I know this sounds like a heat sink/fan problem... but the other evidence just doesn't suggest that... hmmm.
Logfile of HijackThis v1.98.2
Scan saved at 8:04:04 PM, on 10/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\PowerManager\upssrv.exe
D:\PowerManager\upsio.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
D:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\WINDOWS\System32\RUNDLL32.exe
D:\Program Files\WinPortrait\wpctrl.exe
D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
D:\Program Files\Winamp\winampa.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Program Files\WinPortrait\floater.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\Program Files\AIM\aim.exe
D:\WINDOWS\System32\WISPTIS.EXE
D:\Program Files\SpeedFan\speedfan.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\Program Files\Opera75\opera.exe
D:\Documents and Settings\Jeff\My Documents\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PivotSoftware] "D:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] D:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Zone Labs Security.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - D:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - D:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usc.edu
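The following script is an added example for this thread, not code from HijackThis and not the analyst's procedure. It parses HJT 1.98 log entries like the ones posted above, flags O4 Run entries that launch rundll32/regsvr32 with a bare module name (the pattern behind the PtiuPbmd and Ptipbmf lines in the post #10 fix list), counts O10 Winsock LSP lines that repeat the same DLL, and diffs a pre-fix log against a post-fix log to confirm which entries disappeared. The two log excerpts are constructed from entries in the post #3 and post #13 logs, trimmed to the relevant lines; the function names and the flagging heuristics are this example's own.

```python
"""Triage helpers for HijackThis 1.98 logs.

Added example for this thread; not HijackThis code and not the analyst's
procedure. Function names and flagging heuristics are this example's own.
"""
import re
from collections import Counter

# Constructed excerpts of the logs in the thread: LOG_BEFORE takes entries
# from the post #3 log, LOG_AFTER from the post #13 log. Only lines relevant
# to the fix list in post #10 are kept; the full logs are in the posts above.
LOG_BEFORE = r"""
Logfile of HijackThis v1.98.2
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "D:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O8 - Extra context menu item: Open Client to monitor &1 - D:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/p...tx/install.cab
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.98.2
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
"""

# An HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 registry Run entry (Global Startup entries do not match).
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LOADERS = ("rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32")


def parse_hjt(text):
    """Return [(section, body)] for every entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def unqualified_loaders(entries):
    """O4 Run entries that hand rundll32/regsvr32 a bare module name.

    A module with no drive letter or backslash is found through the DLL
    search order at logon, so the log line alone does not say which file
    runs. Returns {run-key name: module}. A hit is a prompt to locate and
    check the file, not a verdict: vendor entries use this pattern too.
    """
    hits = {}
    for sec, body in entries:
        m = O4_RE.match(body) if sec == "O4" else None
        if not m:
            continue
        parts = m.group("cmd").split()
        if not parts or parts[0].lower() not in LOADERS:
            continue
        args = [a for a in parts[1:] if not a.startswith("/")]  # drop switches
        if not args:
            continue
        module = args[0].split(",")[0].strip('"')  # strip ",EntryPoint"
        if "\\" not in module and ":" not in module:
            hits[m.group("name")] = module
    return hits


def duplicate_lsp(entries):
    """O10 Winsock LSP DLLs listed more than once: {dll path: count}.

    The same DLL appears once per protocol chain it is layered into, so a
    count is a fact to confirm with an LSP tool, not evidence of damage.
    """
    dlls = (body.partition(": ")[2] for sec, body in entries if sec == "O10")
    return {dll: n for dll, n in Counter(dlls).items() if n > 1}


def removed_entries(before, after):
    """Entries present in the earlier log and absent from the later one."""
    after_set = set(parse_hjt(after))
    return [e for e in parse_hjt(before) if e not in after_set]


if __name__ == "__main__":
    before = parse_hjt(LOG_BEFORE)
    print("bare-module loaders:", unqualified_loaders(before))
    print("repeated LSP entries:", duplicate_lsp(before))
    for sec, body in removed_entries(LOG_BEFORE, LOG_AFTER):
        print("gone after fix:", sec, "-", body)
```

Against these excerpts the loader check flags AsioReg, PtiuPbmd and Ptipbmf, and leaves WildTangent CDA alone because its module is a full path; AsioReg is a good illustration of why a hit only means "go look", since the analyst did not put it on the fix list. The diff shows the five entries from the fix list plus WildTangent CDA gone from the post #13 log, while the two O10 lines are unchanged on both sides.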
#14
Manager, The Relaxation Room/Analyst, Security Team
Join Date: Oct 2004
Posts: 10,735
OS: xp
Please download lspfix.exe: http://www.cexx.org/lspfix.htm Run LspFix and click the "I know what I'm doing" checkbox (don't do anything else), then click Finish, and post a new log.
#15
Registered User
Join Date: Oct 2004
Posts: 15
OS: Win XP SP1
(LspFix said it didn't correct anything.)

Logfile of HijackThis v1.98.2
Scan saved at 10:54:37 PM, on 10/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\PowerManager\upssrv.exe
D:\PowerManager\upsio.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
D:\WINDOWS\Explorer.EXE
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
D:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\WinPortrait\wpctrl.exe
D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\WinPortrait\floater.exe
D:\Program Files\Opera75\opera.exe
D:\Program Files\AIM\aim.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\SpeedFan\speedfan.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\WINDOWS\System32\WISPTIS.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Jeff\My Documents\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PivotSoftware] "D:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] D:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Zone Labs Security.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - D:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - D:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - D:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - D:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: d:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (