Old 06-04-2008, 03:20 PM   #1 (permalink)
Registered User
 
Join Date: May 2008
Posts: 5
OS: xp


[SOLVED] Comp shutting down with BSOD and then restarting on its own

So I've been forced to run in Safe Mode with Networking; otherwise it won't stay on long enough for me to follow the 5 steps. I was surfing and received a message to download a codec. I was tired and not thinking, so I clicked OK, and that's when all my problems started. I followed the 5 steps, however I was unable to complete step 4 as my computer will not allow me to turn on automatic updates. So here we are; any help would be much appreciated.

*edit for active scan attachment*

Deckard's System Scanner v20071014.68
Run by Rob on 2008-06-04 18:09:24
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Rob.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:10:17 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\9CM5Z42K\dss[1].exe
C:\DOCUME~1\Rob\MYDOCU~1\Rob.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4357F205-68A0-4D58-90F2-851FCA6C686D} - C:\WINDOWS\system32\awttttQi.dll
O2 - BHO: (no name) - {4647C2C7-9F3D-4220-87D9-43E617F67478} - C:\WINDOWS\system32\cbXNFvTk.dll
O2 - BHO: QXK Olive - {CC7A758B-8CA3-4FB5-987D-F6147DAA28C6} - C:\WINDOWS\boqnrwdmfrp.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [1455bd2b] rundll32.exe "C:\WINDOWS\system32\nxepbvhg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O20 - Winlogon Notify: cbXNFvTk - C:\WINDOWS\SYSTEM32\cbXNFvTk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: vregfwlx - {081383E9-7865-4609-AAFA-BDB9F78020E1} - C:\WINDOWS\vregfwlx.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\Rob\MYDOCU~1\backups\) ----------------

backup-20070425-151520-181 O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
backup-20070425-151520-203 O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
backup-20070425-151520-522 O11 - Options group: [INTERNATIONAL] International*
backup-20070425-151520-878 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20070425-151520-904 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
backup-20070628-183123-240 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
backup-20070706-172452-265 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
backup-20080530-233833-352 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20080530-233833-738 O3 - Toolbar: atfxqogp - {23649E36-60C6-4433-880A-9DF59FC27342} - C:\WINDOWS\atfxqogp.dll
backup-20080530-234015-363 O21 - SSODL: vregfwlx - {8D3B28FB-AF6F-4CCC-8FB9-BB140376D415} - C:\WINDOWS\vregfwlx.dll
backup-20080530-234047-105 O21 - SSODL: vltdfabw - {5DC3E480-A398-4352-985E-1BF25E66A648} - C:\WINDOWS\vltdfabw.dll
backup-20080530-234047-353 O21 - SSODL: vregfwlx - {581EE0DA-1AC1-4A53-A255-F33A78B4F978} - C:\WINDOWS\vregfwlx.dll
backup-20080530-234103-899 O21 - SSODL: vregfwlx - {E1F1967B-ED2C-4028-A5A2-6126EBFA531B} - C:\WINDOWS\vregfwlx.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 BLKWGU(Belkin) (Belkin Wireless G USB Network Adapter(Belkin)) - c:\windows\system32\drivers\blkwgu.sys <Not Verified; Belkin Corporation; Wireless G USB Network Adapter>
3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
0 nsX04 - c:\windows\system32\drivers\nsx04.sys
3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
3 USB-100 (USB Fast Ethernet Adapter) - c:\windows\system32\drivers\usb150.sys <Not Verified; USBs; USB Fast Ethernet Adapter>
3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 msupdate (Microsoft security update service) - c:\windows\system32\mssrv32.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-05-21 00:43:00 432 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job


-- Files created between 2008-05-04 and 2008-06-04 -----------------------------

2008-06-04 17:44:10 95232 --a------ C:\WINDOWS\system32\nxepbvhg.dll
2008-06-01 00:43:28 0 d-------- C:\ie-spyad_zo
2008-06-01 00:38:58 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 00:38:47 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-06-01 00:38:47 0 d-------- C:\Program Files\SpywareBlaster
2008-06-01 00:19:03 95232 --a------ C:\WINDOWS\system32\cggaktod.dll
2008-05-31 23:43:06 0 d-------- C:\Program Files\Panda Security
2008-05-31 23:37:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-31 23:37:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-31 03:21:06 0 d-------- C:\Documents and Settings\Rob\Application Data\AXPFixer
2008-05-31 0349 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-30 23:51:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-30 23:50:15 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-30 23:50:15 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-30 23:50:15 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-30 23:50:15 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-30 23:50:15 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-30 23:50:15 1310720 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-30 23:50:15 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-30 23:50:15 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-30 23:50:15 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-30 23:50:15 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-30 23:50:15 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-30 23:50:15 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-30 23:50:15 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-30 23:50:15 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-30 23:36:02 387248 --ahs---- C:\WINDOWS\system32\iQttttwa.ini2
2008-05-30 23:35:59 324864 --a------ C:\WINDOWS\system32\awttttQi.dll
2008-05-30 23:31:13 12792 --a------ C:\WINDOWS\system32\mssrv32.exe
2008-05-30 23:31:11 14336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-30 23:31:11 28928 --a------ C:\WINDOWS\system32\drivers\nsX04.sys
2008-05-30 23:30:54 33920 --a------ C:\WINDOWS\system32\tuvWoppO.dll
2008-05-30 23:30:42 33920 --a------ C:\WINDOWS\system32\cbXNFvTk.dll
2008-05-30 23:30:30 94208 --a------ C:\WINDOWS\xmpstean.exe
2008-05-30 23:30:30 274432 --a------ C:\WINDOWS\vregfwlx.dll
2008-05-30 23:30:30 385024 --a------ C:\WINDOWS\vltdfabw.dll
2008-05-30 23:30:30 176128 --a------ C:\WINDOWS\embd.exe
2008-05-30 23:30:30 200704 --a------ C:\WINDOWS\atfxqogp.dll
2008-05-30 23:30:17 101376 --a------ C:\WINDOWS\system32\ctfmona.exe
2008-05-30 23:25:33 0 d-------- C:\Documents and Settings\Rob\Application Data\Google
2008-05-30 23:25:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-30 23:25:17 0 d-------- C:\Program Files\Google
2008-05-15 23:25:55 3496 --a------ C:\logfile


-- Find3M Report ---------------------------------------------------------------

2008-05-30 23:25:35 0 d-------- C:\Documents and Settings\Rob\Application Data\Adobe
2008-05-14 22:31:43 0 d-------- C:\Program Files\World of Warcraft
2008-04-10 12:37:27 0 d-------- C:\Program Files\MSXML 4.0
2008-04-09 00:47:04 0 d-------- C:\Program Files\Kodak
2008-04-09 00:46:33 0 d-------- C:\Program Files\Common Files
2008-04-09 00:46:33 0 d-------- C:\Program Files\Common Files\Kodak


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4357F205-68A0-4D58-90F2-851FCA6C686D}]
05/30/2008 11:36 PM 324864 --a------ C:\WINDOWS\system32\awttttQi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4647C2C7-9F3D-4220-87D9-43E617F67478}]
05/30/2008 11:30 PM 33920 --a------ C:\WINDOWS\system32\cbXNFvTk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC7A758B-8CA3-4FB5-987D-F6147DAA28C6}]
C:\WINDOWS\boqnrwdmfrp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 02:42 PM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 05:59 AM C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/28/2007 12:43 PM]
"nwiz"="nwiz.exe" [06/28/2007 12:43 PM C:\WINDOWS\system32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/28/2007 12:43 PM]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [05/30/2008 11:30 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"1455bd2b"="C:\WINDOWS\system32\nxepbvhg.dll" [06/04/2008 05:44 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [10/04/2007 11:20 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [10/28/2005 11:23:10 AM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [9/19/2007 4:33:46 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4647C2C7-9F3D-4220-87D9-43E617F67478}"= C:\WINDOWS\system32\cbXNFvTk.dll [05/30/2008 11:30 PM 33920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vregfwlx"= {081383E9-7865-4609-AAFA-BDB9F78020E1} - C:\WINDOWS\vregfwlx.dll [05/29/2008 11:59 PM 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXNFvTk]
cbXNFvTk.dll 05/30/2008 11:30 PM 33920 C:\WINDOWS\system32\cbXNFvTk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 06/04/2008 05:58 PM 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awttttQi

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsX04.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-06-04 18:11:25 ------------
Attached Files
File Type: txt extra.txt (9.7 KB, 1 views)
File Type: txt ActiveScan.txt (22.9 KB, 1 views)

Last edited by pmb116; 06-04-2008 at 03:30 PM.
pmb116 is offline  
Old 06-04-2008, 06:13 PM   #2 (permalink)
Registered User
 
Join Date: May 2008
Posts: 5
OS: xp


Re: Comp shutting down with BSOD and then restarting on its own

Here's a quick copy and paste of what I've got with Kaspersky running on my system:

detected: riskware Hidden object Running process: C:\WINDOWS\system32\smss.exe
deleted: Trojan program Trojan-PSW.Win32.Nilage.bht File: C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\le.dll
deleted: Trojan program Trojan-Dropper.Win32.Agent.sev File: C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\msprint.exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Dropper.Win32.Agent.bcq File: C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\xxx44.tmp
deleted: Trojan program Trojan.Win32.Buzus.fit File: C:\Deckard\System Scanner\backup\WINDOWS\temp\BN8.tmp//Stalin
deleted: Trojan program Trojan.Win32.Buzus.fit File: C:\Deckard\System Scanner\backup\WINDOWS\temp\BNA.tmp//Stalin
deleted: Trojan program Trojan.Win32.Vapsup.fyz File: C:\WINDOWS\atfxqogp.dll
deleted: Trojan program Trojan.Win32.Vapsup.fyx File: C:\WINDOWS\embd.exe
deleted: Trojan program Trojan.Win32.Vapsup.fxu File: C:\WINDOWS\vltdfabw.dll
deleted: Trojan program Trojan.Win32.Vapsup.fxv File: C:\WINDOWS\vregfwlx.dll
deleted: Trojan program Trojan.Win32.Vapsup.fyz File: C:\WINDOWS\xmpstean.exe
deleted: Trojan program Trojan.Win32.Agent.quk File: C:\WINDOWS\Resources\CDMon.dll//PE_Patch.PECompact//PecBundle//PECompact
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.xmw File: C:\WINDOWS\system32\cggaktod.dll
deleted: Trojan program Trojan.Win32.Buzus.fit File: C:\WINDOWS\system32\mssrv32.exe//Stalin
not found: adware not-a-virus:AdWare.Win32.Virtumonde.xae Running module: winlogon.exe\cbXNFvTk.dll
deleted: Trojan program Trojan-Dropper.Win32.Agent.shb File: c:\windows\system32\drivers\nsx04.sys
deleted: Trojan program Trojan-Dropper.Win32.Agent.shb File: c:\windows\system32\drivers\winxd26.sys
pmb116 is offline  
Old 06-05-2008, 09:36 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: Comp shutting down with BSOD and then restarting on its own

Hello pmb116 and welcome,


This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-05-2008, 11:52 PM   #4 (permalink)
Registered User
 
Join Date: May 2008
Posts: 5
OS: xp


Re: Comp shutting down with BSOD and then restarting on its own

Sorry for my slow response, and thank you very much for your help. Here are my ComboFix log and HijackThis log. Again, thank you.

ComboFix 08-06-05.3 - Rob 2008-06-06 2:21:36.1 - NTFSx86

Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\#SharedObjects\Y72CLM6K\www.broadcaster.com
C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aHilRXyb.ini
C:\WINDOWS\system32\aHilRXyb.ini2
C:\WINDOWS\system32\awttttQi.dll
C:\WINDOWS\system32\byXRliHa.dll
C:\WINDOWS\system32\cbXNFvTk.dll
C:\WINDOWS\system32\dotkaggc.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\ghvbpexn.ini
C:\WINDOWS\system32\iQttttwa.ini
C:\WINDOWS\system32\iQttttwa.ini2
C:\WINDOWS\system32\kfhonnef.ini
C:\WINDOWS\system32\mssrv32.exe
C:\WINDOWS\system32\stvsqsto.ini
C:\WINDOWS\system32\tuvWoppO.dll
C:\WINDOWS\system32\vwjewsgv.ini
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\wtehmsst.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Legacy_NPF
-------\Service_msupdate
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-06 02:44 . 2008-06-06 02:44 294 ---hs---- C:\WINDOWS\system32\kfhonnef.ini
2008-06-05 17:44 . 2008-06-05 17:44 96,128 --a------ C:\WINDOWS\system32\fennohfk.dll
2008-06-04 23:54 . 2008-06-04 23:54 <DIR> d-------- C:\WINDOWS\Sun
2008-06-04 23:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-04 23:53 . 2008-06-04 23:54 <DIR> d-------- C:\Program Files\Java
2008-06-04 23:53 . 2008-06-04 23:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-04 20:06 . 2008-06-04 20:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-04 20:06 . 2008-06-04 20:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-04 20:04 . 2008-06-04 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-04 20:04 . 2008-06-06 02:46 1,336,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-04 20:04 . 2008-06-06 02:32 18,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-04 20:04 . 2008-06-06 02:44 1,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-04 20:04 . 2008-06-06 02:32 1,148 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-04 20:02 . 2008-06-04 20:02 <DIR> d-------- C:\kav
2008-06-04 19:33 . 2008-06-04 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-04 18:08 . 2008-06-04 18:08 <DIR> d-------- C:\Deckard
2008-06-04 17:44 . 2008-06-04 17:44 95,232 --a------ C:\WINDOWS\system32\nxepbvhg.dll
2008-06-01 00:43 . 2008-06-01 00:43 <DIR> d-------- C:\ie-spyad_zo
2008-06-01 00:38 . 2008-06-01 00:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-01 00:38 . 2008-06-04 17:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 00:38 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-01 00:38 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-06-01 00:38 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-31 23:43 . 2008-05-31 23:43 <DIR> d-------- C:\Program Files\Panda Security
2008-05-31 03:21 . 2008-05-31 03:21 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\AXPFixer
2008-05-31 03:06 . 2008-06-04 19:20 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-30 23:51 . 2008-05-30 23:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-30 23:50 . 2008-05-30 23:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-30 23:30 . 2008-06-04 19:17 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-30 23:25 . 2008-05-31 03:06 <DIR> d-------- C:\Program Files\Google
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-15 23:25 . 2008-06-06 02:44 4,104 --a------ C:\logfile

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 00:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-04 23:33 --------- d-----w C:\Program Files\Lavasoft
2008-06-04 23:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 02:31 --------- d-----w C:\Program Files\World of Warcraft
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-10 16:37 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-09 04:47 --------- d-----w C:\Program Files\Kodak
2008-04-09 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-04-09 04:46 --------- d-----w C:\Program Files\Common Files\Kodak
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC7A758B-8CA3-4FB5-987D-F6147DAA28C6}]
C:\WINDOWS\boqnrwdmfrp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 11:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 12:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"1455bd2b"="C:\WINDOWS\system32\fennohfk.dll" [2008-06-05 17:44 96128]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 11:23:10 1404928]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsX04.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxd26.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 04:43:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 02:44:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\kfhonnef.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\fennohfk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-06 2:48:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 06:48:24

Pre-Run: 2,251,739,136 bytes free
Post-Run: 2,477,133,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

185 --- E O F --- 2008-05-29 16:04:50


Logfile of HijackThis v1.99.1
Scan saved at 2:51:38 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aaim6.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Rob\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: QXK Olive - {CC7A758B-8CA3-4FB5-987D-F6147DAA28C6} - C:\WINDOWS\boqnrwdmfrp.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [1455bd2b] rundll32.exe "C:\WINDOWS\system32\fennohfk.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/...ws-i586-jc.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
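The log above contains the three autostart entries the helper went on to remove (the QXK Olive BHO whose DLL is already missing, the hex-named Run value that loads fennohfk.dll through rundll32, and the WgaLogon notify entry pointing at a bare directory), and catchme's hidden kfhonnef.ini is fennohfk.dll spelled backwards. As an added example that is not part of the thread, of HijackThis or of ComboFix, this Python script encodes those traits as triage checks over lines copied from the log; the function and constant names are my own.

```python
"""Triage heuristics for HijackThis v1.99.1 log lines (added example, not HijackThis
or ComboFix code). Each check encodes a trait of one entry the helper had removed
above (the O2, O4 and O20 lines); reversed_name_pairs() finds the pairing the
ComboFix log shows, where the hidden kfhonnef.ini is fennohfk.dll spelled backwards."""
import re
from typing import Iterable, List, NamedTuple, Tuple


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "O4"
    subject: str   # the path or autorun value name the finding is about
    reason: str    # why the entry deserves a second look


# Line shapes as HijackThis v1.99.1 prints them.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# rundll32[.exe] <dll>,<export>; the DLL path may be quoted
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.I)
HEX_VALUE_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
WINDIR_ROOT_DLL_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.dll$", re.I)   # XP layout as in this log
MISSING = "(file missing)"


def check_bho(m: re.Match) -> List[Finding]:
    path, reasons = m["path"], []
    if path.endswith(MISSING):           # CLSID still registered, DLL already gone
        path = path[: -len(MISSING)].rstrip()
        reasons.append("BHO registered for a DLL that no longer exists (orphaned hook)")
    if WINDIR_ROOT_DLL_RE.match(path):   # vendors install under Program Files, not %WINDIR%
        reasons.append("BHO DLL sits directly in C:\\WINDOWS")
    return [Finding("O2", path, "; ".join(reasons))] if reasons else []

def check_run(m: re.Match) -> List[Finding]:
    reasons = []
    r = RUNDLL_RE.match(m["cmd"])
    if r:
        if HEX_VALUE_RE.match(m["value"]):
            reasons.append("autorun value name is an 8-digit hex string")
        if len(r["export"]) == 1:
            reasons.append("rundll32 calls a one-letter export")
    return [Finding("O4", m["value"], "; ".join(reasons))] if reasons else []

def check_notify(m: re.Match) -> List[Finding]:
    if m["path"].lower().endswith(".dll"):
        return []
    return [Finding("O20", m["path"], "Winlogon Notify package points at a directory, not a DLL")]

CHECKS = ((BHO_RE, check_bho), (RUN_RE, check_run), (NOTIFY_RE, check_notify))

def triage(lines: Iterable[str]) -> List[Finding]:
    """Match each line against at most one section regex and collect its findings."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        for regex, check in CHECKS:
            m = regex.match(line)
            if m:
                findings.extend(check(m))
                break
    return findings

def reversed_name_pairs(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return file pairs whose stems are each other's reverse (kfhonnef.ini / fennohfk.dll)."""
    by_stem = {}
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        by_stem.setdefault(name.rsplit(".", 1)[0].lower(), name)
    pairs = []
    for stem, name in by_stem.items():
        mirror = stem[::-1]
        if stem < mirror and mirror in by_stem:   # '<' skips palindromes and duplicates
            pairs.append((name, by_stem[mirror]))
    return pairs


# Sample input copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_HJT_LINES = [
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: QXK Olive - {CC7A758B-8CA3-4FB5-987D-F6147DAA28C6} - C:\\WINDOWS\\boqnrwdmfrp.dll (file missing)",
    "O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup",
    'O4 - HKLM\\..\\Run: [1455bd2b] rundll32.exe "C:\\WINDOWS\\system32\\fennohfk.dll",b',
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "O20 - Winlogon Notify: klogon - C:\\WINDOWS\\system32\\klogon.dll",
    "O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\",
]
SAMPLE_COMBOFIX_FILES = [
    "C:\\WINDOWS\\system32\\kfhonnef.ini",
    "C:\\WINDOWS\\system32\\fennohfk.dll",
    "C:\\WINDOWS\\system32\\nxepbvhg.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"{f.section:<4}{f.subject}\n    {f.reason}")
    for a, b in reversed_name_pairs(SAMPLE_COMBOFIX_FILES):
        print(f"reversed-name pair: {a} <-> {b}")
```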
Old 06-06-2008, 06:32 AM   #5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: Comp shutting down with BSOD and then restarting on its own

Hi pmb116, : )

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/secu...ml#post1522575

Collect::
C:\WINDOWS\system32\kfhonnef.ini
C:\WINDOWS\system32\fennohfk.dll
C:\WINDOWS\system32\nxepbvhg.dll
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\ctfmonb.bmp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC7A758B-8CA3-4FB5-987D-F6147DAA28C6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1455bd2b"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsX04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxd26.sys]


Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis.exe and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
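To see what the CFScript above asks ComboFix to do before it is run, here is an added Python parser (not ComboFix's own code, and it changes nothing on the system) that turns the Collect:: and Registry:: sections into a reviewable action list. It assumes the .reg conventions that [-KEY] deletes a key and "name"=- deletes a value under the key selected by the preceding [KEY] line, and it rejects a value line that has no such key.

```python
"""Translate a ComboFix CFScript into the actions it asks ComboFix to take.

Added example for this thread, not ComboFix code; it performs nothing on the
system. Only the two sections used in the helper's script above are modelled.
Registry:: lines use .reg syntax: [KEY] selects a key, [-KEY] deletes it and
"name"=- deletes a value under the selected key; the ~ inside a key is
ComboFix's shorthand for a registry subpath and is left unexpanded here."""
import re
from typing import List, NamedTuple, Optional


class Action(NamedTuple):
    kind: str             # collect | delete_key | delete_value | set_value
    target: str           # file path or registry key
    name: Optional[str]   # value name for value actions
    data: Optional[str]   # value data for set_value


SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::\s*$")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text: str) -> List[Action]:
    actions: List[Action] = []
    section: Optional[str] = None
    current_key: Optional[str] = None   # set by the last [KEY] line in Registry::
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        s = SECTION_RE.match(line)
        if s:
            section, current_key = s["name"], None
        elif section is None:
            continue                    # text before the first section header is not script
        elif section == "Collect":
            if not ABS_PATH_RE.match(line):
                raise ValueError(f"line {lineno}: Collect:: needs an absolute path, got {line!r}")
            actions.append(Action("collect", line, None, None))
        elif section == "Registry":
            k, v = KEY_RE.match(line), VALUE_RE.match(line)
            if k and k["delete"]:
                actions.append(Action("delete_key", k["key"], None, None))
                current_key = None      # a deleted key cannot host later value lines
            elif k:
                current_key = k["key"]
            elif v and current_key is None:
                raise ValueError(f"line {lineno}: value line without a preceding [KEY]")
            elif v and v["data"] == "-":
                actions.append(Action("delete_value", current_key, v["name"], None))
            elif v:
                actions.append(Action("set_value", current_key, v["name"], v["data"]))
            else:
                raise ValueError(f"line {lineno}: unrecognised Registry:: line {line!r}")
        else:
            raise ValueError(f"line {lineno}: section {section!r} is not modelled here")
    return actions


# The helper's script from this thread, reproduced as the sample input.
SAMPLE_CFSCRIPT = """
Collect::
C:\\WINDOWS\\system32\\kfhonnef.ini
C:\\WINDOWS\\system32\\fennohfk.dll
C:\\WINDOWS\\system32\\nxepbvhg.dll
C:\\WINDOWS\\system32\\blackster.scr
C:\\WINDOWS\\system32\\ctfmonb.bmp

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{CC7A758B-8CA3-4FB5-987D-F6147DAA28C6}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"1455bd2b"=-
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\nsX04.sys]
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\Winxd26.sys]
"""

if __name__ == "__main__":
    for a in parse_cfscript(SAMPLE_CFSCRIPT):
        extra = f"  {a.name!r}" if a.name else ""
        print(f"{a.kind:<13}{a.target}{extra}")
```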
Old 06-06-2008, 03:51 PM   #6
Registered User
 
Join Date: May 2008
Posts: 5
OS: xp


Re: Comp shutting down with BSOD and then restarting on its own

Thank you once again. Here are the logs you asked for. The computer seems to be running well for the time being, but I won't know how well until I can monitor it for an extended period of time.
ComboFix 08-06-06.4 - Rob 2008-06-06 17:11:58.2 - NTFSx86

Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob\Desktop\CFScript.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\fennohfk.dll
C:\WINDOWS\system32\kfhonnef.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nxepbvhg.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-06 17:12 . 2008-06-06 17:12 0 --a------ C:\WINDOWS\system32\kfhonnef.tmp
2008-06-06 03:27 . 2008-06-06 03:35 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-04 23:54 . 2008-06-04 23:54 <DIR> d-------- C:\WINDOWS\Sun
2008-06-04 23:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-04 23:53 . 2008-06-04 23:54 <DIR> d-------- C:\Program Files\Java
2008-06-04 23:53 . 2008-06-04 23:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-04 20:06 . 2008-06-04 20:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-04 20:06 . 2008-06-04 20:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-04 20:04 . 2008-06-06 09:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-04 20:04 . 2008-06-06 17:15 1,440,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-04 20:04 . 2008-06-06 17:15 19,916 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-04 20:04 . 2008-06-06 17:15 18,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-04 20:04 . 2008-06-06 17:15 1,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-04 20:02 . 2008-06-04 20:02 <DIR> d-------- C:\kav
2008-06-04 19:33 . 2008-06-04 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-04 18:08 . 2008-06-04 18:08 <DIR> d-------- C:\Deckard
2008-06-01 00:43 . 2008-06-01 00:43 <DIR> d-------- C:\ie-spyad_zo
2008-06-01 00:38 . 2008-06-01 00:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-01 00:38 . 2008-06-04 17:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 00:38 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-01 00:38 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-06-01 00:38 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-31 23:43 . 2008-05-31 23:43 <DIR> d-------- C:\Program Files\Panda Security
2008-05-31 03:21 . 2008-05-31 03:21 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\AXPFixer
2008-05-30 23:51 . 2008-05-30 23:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-30 23:50 . 2008-05-30 23:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-30 23:25 . 2008-05-31 03:06 <DIR> d-------- C:\Program Files\Google
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-15 23:25 . 2008-06-06 17:17 4,712 --a------ C:\logfile

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 00:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-04 23:33 --------- d-----w C:\Program Files\Lavasoft
2008-06-04 23:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 02:31 --------- d-----w C:\Program Files\World of Warcraft
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-10 16:37 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-09 04:47 --------- d-----w C:\Program Files\Kodak
2008-04-09 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-04-09 04:46 --------- d-----w C:\Program Files\Common Files\Kodak
.

((((((((((((((((((((((((((((( snapshot@2008-06-06_ 2.47.59.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-06 06:43:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 21:16:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-03-15 22:19:28 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 2236 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 11:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 12:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 11:23:10 1404928]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 04:43:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 17:17:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-06 17:20:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 21:20:31
ComboFix2.txt 2008-06-06 06:48:30

Pre-Run: 1,992,859,648 bytes free
Post-Run: 1,981,542,400 bytes free


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 6:48:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/06/2008
Kaspersky Anti-Virus database records: 834859
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 35543
Number of viruses found: 4
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 00:56:44

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt10.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt10.tmp/stream Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt10.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt12.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt12.tmp/stream Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt12.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt14.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt16.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt45.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt8.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.ttB.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Rob\Desktop\[4]-Submit_2008-06-06@17.11.zip/nxepbvhg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
C:\Documents and Settings\Rob\Desktop\[4]-Submit_2008-06-06@17.11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Temp\~DF6BC8.tmp Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Rob\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\catchme2008-06-06_ 23008.32.zip/mssrv32.exe Infected: Trojan.Win32.Buzus.fit skipped
C:\QooBox\Quarantine\catchme2008-06-06_ 23008.32.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EC0AEA79-FB7A-4384-8F3D-449CF71EE0A8}\RP8\A0018270.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
C:\System Volume Information\_restore{EC0AEA79-FB7A-4384-8F3D-449CF71EE0A8}\RP9\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{21CA0A50-A257-4CD0-A5D5-192D727607C1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 6:51:02 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Rob\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/...ws-i586-jc.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Old 06-06-2008, 08:37 PM   #7
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: Comp shutting down with BSOD and then restarting on its own

Hi pmb116,

Delete the [4]-Submit_2008-06-06@17.11.zip file from your desktop, and thank you.



Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entry:

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following File (Right click and select 'Delete'):

C:\WINDOWS\system32\kfhonnef.tmp

--------------------------------------------------------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
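As an added illustration of the triage done in the post above (example code, not from the forum or from HijackThis): a small parser for the O20 and O23 lines of a HijackThis log that flags a Winlogon Notify entry whose value is a bare directory rather than a DLL, as in the WgaLogon line fixed here, and marks "(file missing)" services for manual review. The sample log is constructed from the lines in this thread; the regexes and the Finding type are my own assumptions about the log layout.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the O20/O23 lines of the log in this thread.
SAMPLE_LOG = """\
O20 - Winlogon Notify: klogon - C:\\WINDOWS\\system32\\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Assumed layouts of the two line types (name - path, and display (short) - owner - path).
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*) \((?P<name>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$"
)


@dataclass
class Finding:
    section: str
    name: str
    reason: str


def check_winlogon_notify(path: str):
    """Return a reason string if a Winlogon Notify value looks wrong, else None."""
    p = path.strip()
    if not p or p.endswith("\\"):
        return "no DLL file name (value is empty or a bare directory)"
    if not p.lower().endswith(".dll"):
        return "value does not point at a .dll"
    return None


def triage(log_text: str):
    """Walk the log and collect entries a helper would look at first."""
    findings = []
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if m:
            reason = check_winlogon_notify(m["path"])
            if reason:
                findings.append(Finding("O20", m["name"], reason))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m["path"]:
            # Not a verdict: a quoted path with arguments can produce this report,
            # so the entry goes to a human for checking, as in the thread.
            findings.append(Finding("O23", m["name"], "reported as file missing; verify by hand"))
    return findings
```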
Old 06-06-2008, 09:23 PM   #8 (permalink)
Registered User
 
Join Date: May 2008
Posts: 5
OS: xp


Re: Comp shutting down with BSOD and then restarting on its own

Thank you very much for all your help; it is greatly appreciated.
pmb116 is offline  
Old 06-06-2008, 09:28 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: [SOLVED] Comp shutting down with BSOD and then restarting on its own

You're welcome.

Take care, pmb116.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum