|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
06-04-2008, 04:20 PM
|
#1 (permalink) |
|
Registered User
Join Date: May 2008
Posts: 5
OS: xp
|
[SOLVED] Comp shutting down with BSOD and then restarting on its own
so ive been forced to run in safe mode with networking otherwise it wont stay on long enough for me to follow the 5 steps.... i was surfing and recieved a message to download a codec. i was tired and not thinking so i clicked ok and thats when all my problems started. i followed the 5 steps, however was unable to complete step 4 as my computer will not allow me to turn on automatic updates. so here we are any help would be much appreciated
*edit for active scan attachment* Deckard's System Scanner v20071014.68 Run by Rob on 2008-06-04 18:09:24 Computer is in Safe Mode with Networking. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Unable to create WMI object; The operation completed successfully. Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Rob.exe) ------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 6:10:17 PM, on 6/4/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\9CM5Z42K\dss[1].exe C:\DOCUME~1\Rob\MYDOCU~1\Rob.exe C:\WINDOWS\system32\NOTEPAD.EXE R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4357F205-68A0-4D58-90F2-851FCA6C686D} - C:\WINDOWS\system32\awttttQi.dll O2 - BHO: (no name) - {4647C2C7-9F3D-4220-87D9-43E617F67478} - C:\WINDOWS\system32\cbXNFvTk.dll O2 - BHO: QXK Olive - {CC7A758B-8CA3-4FB5-987D-F6147DAA28C6} - C:\WINDOWS\boqnrwdmfrp.dll (file missing) O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [1455bd2b] rundll32.exe "C:\WINDOWS\system32\nxepbvhg.dll",b O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O20 - Winlogon Notify: cbXNFvTk - C:\WINDOWS\SYSTEM32\cbXNFvTk.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll O21 - SSODL: vregfwlx - {081383E9-7865-4609-AAFA-BDB9F78020E1} - C:\WINDOWS\vregfwlx.dll O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- HijackThis Fixed Entries (C:\DOCUME~1\Rob\MYDOCU~1\backups\) ---------------- backup-20070425-151520-181 O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe backup-20070425-151520-203 O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab backup-20070425-151520-522 O11 - Options group: [INTERNATIONAL] International* backup-20070425-151520-878 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) backup-20070425-151520-904 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll backup-20070628-183123-240 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll backup-20070706-172452-265 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ backup-20080530-233833-352 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll backup-20080530-233833-738 O3 - Toolbar: atfxqogp - {23649E36-60C6-4433-880A-9DF59FC27342} - C:\WINDOWS\atfxqogp.dll backup-20080530-234015-363 O21 - SSODL: vregfwlx - {8D3B28FB-AF6F-4CCC-8FB9-BB140376D415} - C:\WINDOWS\vregfwlx.dll backup-20080530-234047-105 O21 - SSODL: vltdfabw - {5DC3E480-A398-4352-985E-1BF25E66A648} - C:\WINDOWS\vltdfabw.dll backup-20080530-234047-353 O21 - SSODL: vregfwlx - {581EE0DA-1AC1-4A53-A255-F33A78B4F978} - C:\WINDOWS\vregfwlx.dll backup-20080530-234103-899 O21 - SSODL: vregfwlx - {E1F1967B-ED2C-4028-A5A2-6126EBFA531B} - C:\WINDOWS\vregfwlx.dll -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- 3 BLKWGU(Belkin) (Belkin Wireless G USB Network Adapter(Belkin)) - c:\windows\system32\drivers\blkwgu.sys <Not Verified; Belkin Corporation; Wireless G USB Network Adapter> 3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver> 0 nsX04 - c:\windows\system32\drivers\nsx04.sys 3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver> 3 USB-100 (USB Fast Ethernet Adapter) - c:\windows\system32\drivers\usb150.sys <Not Verified; USBs; USB Fast Ethernet Adapter> 3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- 2 msupdate (Microsoft security update service) - c:\windows\system32\mssrv32.exe -- Device Manager: Disabled ---------------------------------------------------- Unable to create WMI object. -- Scheduled Tasks ------------------------------------------------------------- 2008-05-21 00:43:00 432 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job -- Files created between 2008-05-04 and 2008-06-04 ----------------------------- 2008-06-04 17:44:10 95232 --a------ C:\WINDOWS\system32\nxepbvhg.dll 2008-06-01 00:43:28 0 d-------- C:\ie-spyad_zo 2008-06-01 00:38:58 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-01 00:38:47 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library> 2008-06-01 00:38:47 0 d-------- C:\Program Files\SpywareBlaster 2008-06-01 00:19:03 95232 --a------ C:\WINDOWS\system32\cggaktod.dll 2008-05-31 23:43:06 0 d-------- C:\Program Files\Panda Security 2008-05-31 23:37:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia 2008-05-31 23:37:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe 2008-05-31 03:21:06 0 d-------- C:\Documents and Settings\Rob\Application Data\AXPFixer 2008-05-31 03  49 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>2008-05-30 23:51:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2008-05-30 23:50:15 0 d--h----- C:\Documents and Settings\Administrator\Templates 2008-05-30 23:50:15 0 dr------- C:\Documents and Settings\Administrator\Start Menu 2008-05-30 23:50:15 0 dr-h----- C:\Documents and Settings\Administrator\SendTo 2008-05-30 23:50:15 0 d--h----- C:\Documents and Settings\Administrator\Recent 2008-05-30 23:50:15 0 d--h----- C:\Documents and Settings\Administrator\PrintHood 2008-05-30 23:50:15 1310720 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT 2008-05-30 23:50:15 0 d--h----- C:\Documents and Settings\Administrator\NetHood 2008-05-30 23:50:15 0 d-------- C:\Documents and Settings\Administrator\My Documents 2008-05-30 23:50:15 0 d--h----- C:\Documents and Settings\Administrator\Local Settings 2008-05-30 23:50:15 0 d-------- C:\Documents and Settings\Administrator\Favorites 2008-05-30 23:50:15 0 d-------- C:\Documents and Settings\Administrator\Desktop 2008-05-30 23:50:15 0 d--hs---- C:\Documents and Settings\Administrator\Cookies 2008-05-30 23:50:15 0 dr-h----- C:\Documents and Settings\Administrator\Application Data 2008-05-30 23:50:15 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft 2008-05-30 23:36:02 387248 --ahs---- C:\WINDOWS\system32\iQttttwa.ini2 2008-05-30 23:35:59 324864 --a------ C:\WINDOWS\system32\awttttQi.dll 2008-05-30 23:31:13 12792 --a------ C:\WINDOWS\system32\mssrv32.exe 2008-05-30 23:31:11 14336 --a------ C:\WINDOWS\system32\WinCtrl32.dll 2008-05-30 23:31:11 28928 --a------ C:\WINDOWS\system32\drivers\nsX04.sys 2008-05-30 23:30:54 33920 --a------ C:\WINDOWS\system32\tuvWoppO.dll 2008-05-30 23:30:42 33920 --a------ C:\WINDOWS\system32\cbXNFvTk.dll 2008-05-30 23:30:30 94208 --a------ C:\WINDOWS\xmpstean.exe 2008-05-30 23:30:30 274432 --a------ C:\WINDOWS\vregfwlx.dll 2008-05-30 23:30:30 385024 --a------ C:\WINDOWS\vltdfabw.dll 2008-05-30 23:30:30 176128 --a------ C:\WINDOWS\embd.exe 2008-05-30 23:30:30 200704 --a------ C:\WINDOWS\atfxqogp.dll 2008-05-30 23:30:17 101376 --a------ C:\WINDOWS\system32\ctfmona.exe 2008-05-30 23:25:33 0 d-------- C:\Documents and Settings\Rob\Application Data\Google 2008-05-30 23:25:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Google 2008-05-30 23:25:17 0 d-------- C:\Program Files\Google 2008-05-15 23:25:55 3496 --a------ C:\logfile -- Find3M Report --------------------------------------------------------------- 2008-05-30 23:25:35 0 d-------- C:\Documents and Settings\Rob\Application Data\Adobe 2008-05-14 22:31:43 0 d-------- C:\Program Files\World of Warcraft 2008-04-10 12:37:27 0 d-------- C:\Program Files\MSXML 4.0 2008-04-09 00:47:04 0 d-------- C:\Program Files\Kodak 2008-04-09 00:46:33 0 d-------- C:\Program Files\Common Files 2008-04-09 00:46:33 0 d-------- C:\Program Files\Common Files\Kodak -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4357F205-68A0-4D58-90F2-851FCA6C686D}] 05/30/2008 11:36 PM 324864 --a------ C:\WINDOWS\system32\awttttQi.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4647C2C7-9F3D-4220-87D9-43E617F67478}] 05/30/2008 11:30 PM 33920 --a------ C:\WINDOWS\system32\cbXNFvTk.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC7A758B-8CA3-4FB5-987D-F6147DAA28C6}] C:\WINDOWS\boqnrwdmfrp.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 02:42 PM] "BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 05:59 AM C:\WINDOWS\BCMSMMSG.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/28/2007 12:43 PM] "nwiz"="nwiz.exe" [06/28/2007 12:43 PM C:\WINDOWS\system32\nwiz.exe] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/28/2007 12:43 PM] "ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [05/30/2008 11:30 PM] "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [] "1455bd2b"="C:\WINDOWS\system32\nxepbvhg.dll" [06/04/2008 05:44 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM] "Aim6"="C:\Program Files\AIM6\aim6.exe" [10/04/2007 11:20 AM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [10/28/2005 11:23:10 AM] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [9/19/2007 4:33:46 AM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{4647C2C7-9F3D-4220-87D9-43E617F67478}"= C:\WINDOWS\system32\cbXNFvTk.dll [05/30/2008 11:30 PM 33920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "vregfwlx"= {081383E9-7865-4609-AAFA-BDB9F78020E1} - C:\WINDOWS\vregfwlx.dll [05/29/2008 11:59 PM 274432] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXNFvTk] cbXNFvTk.dll 05/30/2008 11:30 PM 33920 C:\WINDOWS\system32\cbXNFvTk.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32] WinCtrl32.dll 06/04/2008 05:58 PM 14336 C:\WINDOWS\system32\WinCtrl32.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\awttttQi [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsX04.sys] @="Driver" -- End of Deckard's System Scanner: finished at 2008-06-04 18:11:25 ------------ Last edited by pmb116; 06-04-2008 at 04:30 PM. |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
06-04-2008, 07:13 PM
|
#2 (permalink) |
|
Registered User
Join Date: May 2008
Posts: 5
OS: xp
|
Re: Comp shutting down with BSOD and then restarting on its own
heres a quick copy and paste from what ive got with kaspersky running on my system
detected: riskware Hidden object Running process: C:\WINDOWS\system32\smss.exe deleted: Trojan program Trojan-PSW.Win32.Nilage.bht File: C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\le.dll deleted: Trojan program Trojan-Dropper.Win32.Agent.sev File: C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\msprint.exe//PE_Patch.PECompact//PecBundle//PECompact deleted: Trojan program Trojan-Dropper.Win32.Agent.bcq File: C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\xxx44.tmp deleted: Trojan program Trojan.Win32.Buzus.fit File: C:\Deckard\System Scanner\backup\WINDOWS\temp\BN8.tmp//Stalin deleted: Trojan program Trojan.Win32.Buzus.fit File: C:\Deckard\System Scanner\backup\WINDOWS\temp\BNA.tmp//Stalin deleted: Trojan program Trojan.Win32.Vapsup.fyz File: C:\WINDOWS\atfxqogp.dll deleted: Trojan program Trojan.Win32.Vapsup.fyx File: C:\WINDOWS\embd.exe deleted: Trojan program Trojan.Win32.Vapsup.fxu File: C:\WINDOWS\vltdfabw.dll deleted: Trojan program Trojan.Win32.Vapsup.fxv File: C:\WINDOWS\vregfwlx.dll deleted: Trojan program Trojan.Win32.Vapsup.fyz File: C:\WINDOWS\xmpstean.exe deleted: Trojan program Trojan.Win32.Agent.quk File: C:\WINDOWS\Resources\CDMon.dll//PE_Patch.PECompact//PecBundle//PECompact deleted: adware not-a-virus:AdWare.Win32.Virtumonde.xmw File: C:\WINDOWS\system32\cggaktod.dll deleted: Trojan program Trojan.Win32.Buzus.fit File: C:\WINDOWS\system32\mssrv32.exe//Stalin not found: adware not-a-virus:AdWare.Win32.Virtumonde.xae Running module: winlogon.exe\cbXNFvTk.dll deleted: Trojan program Trojan-Dropper.Win32.Agent.shb File: c:\windows\system32\drivers\nsx04.sys deleted: Trojan program Trojan-Dropper.Win32.Agent.shb File: c:\windows\system32\drivers\winxd26.sys |
|
|
|
|
06-05-2008, 10:36 PM
|
#3 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,582
OS: WinXP and Vista
|
Re: Comp shutting down with BSOD and then restarting on its own
Hello pmb116 and welcome,
This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate. We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed. Please continue as follows:
Please include the following reports for further review, and so we may continue cleansing the system: C:\ComboFix.txt New HijackThis log. |
|
|
|
|
06-06-2008, 12:52 AM
|
#4 (permalink) |
|
Registered User
Join Date: May 2008
Posts: 5
OS: xp
|
Re: Comp shutting down with BSOD and then restarting on its own
sorry for my slow response and thank you very much for your help ....here are my combofix log and hijack this log....again thank you
ComboFix 08-06-05.3 - Rob 2008-06-06 2:21:36.1 - NTFSx86 Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Rob\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\#SharedObjects\Y72CLM6K\www.broadcaster.com C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\WINDOWS\cookies.ini C:\WINDOWS\system32\aHilRXyb.ini C:\WINDOWS\system32\aHilRXyb.ini2 C:\WINDOWS\system32\awttttQi.dll C:\WINDOWS\system32\byXRliHa.dll C:\WINDOWS\system32\cbXNFvTk.dll C:\WINDOWS\system32\dotkaggc.ini C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\ghvbpexn.ini C:\WINDOWS\system32\iQttttwa.ini C:\WINDOWS\system32\iQttttwa.ini2 C:\WINDOWS\system32\kfhonnef.ini C:\WINDOWS\system32\mssrv32.exe C:\WINDOWS\system32\stvsqsto.ini C:\WINDOWS\system32\tuvWoppO.dll C:\WINDOWS\system32\vwjewsgv.ini C:\WINDOWS\system32\WinCtrl32.dl_ C:\WINDOWS\system32\WinCtrl32.dll C:\WINDOWS\system32\wtehmsst.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MSUPDATE -------\Legacy_NPF -------\Service_msupdate -------\Service_NPF ((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 ))))))))))))))))))))))))))))))) . 2008-06-06 02:44 . 2008-06-06 02:44 294 ---hs---- C:\WINDOWS\system32\kfhonnef.ini 2008-06-05 17:44 . 2008-06-05 17:44 96,128 --a------ C:\WINDOWS\system32\fennohfk.dll 2008-06-04 23:54 . 2008-06-04 23:54 <DIR> d-------- C:\WINDOWS\Sun 2008-06-04 23:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-06-04 23:53 . 2008-06-04 23:54 <DIR> d-------- C:\Program Files\Java 2008-06-04 23:53 . 2008-06-04 23:53 <DIR> d-------- C:\Program Files\Common Files\Java 2008-06-04 20:06 . 2008-06-04 20:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat 2008-06-04 20:06 . 2008-06-04 20:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat 2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Kaspersky Lab 2008-06-04 20:04 . 2008-06-04 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-06-04 20:04 . 2008-06-06 02:46 1,336,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2008-06-04 20:04 . 2008-06-06 02:32 18,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2008-06-04 20:04 . 2008-06-06 02:44 1,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2008-06-04 20:04 . 2008-06-06 02:32 1,148 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2008-06-04 20:02 . 2008-06-04 20:02 <DIR> d-------- C:\kav 2008-06-04 19:33 . 2008-06-04 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-06-04 18:08 . 2008-06-04 18:08 <DIR> d-------- C:\Deckard 2008-06-04 17:44 . 2008-06-04 17:44 95,232 --a------ C:\WINDOWS\system32\nxepbvhg.dll 2008-06-01 00:43 . 2008-06-01 00:43 <DIR> d-------- C:\ie-spyad_zo 2008-06-01 00:38 . 2008-06-01 00:38 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-06-01 00:38 . 2008-06-04 17:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-01 00:38 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX 2008-06-01 00:38 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL 2008-06-01 00:38 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX 2008-05-31 23:43 . 2008-05-31 23:43 <DIR> d-------- C:\Program Files\Panda Security 2008-05-31 03:21 . 2008-05-31 03:21 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\AXPFixer 2008-05-31 03:06 . 2008-06-04 19:20 160,256 --a------ C:\WINDOWS\system32\blackster.scr 2008-05-30 23:51 . 2008-05-30 23:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2008-05-30 23:50 . 2008-05-30 23:50 <DIR> d-------- C:\Documents and Settings\Administrator 2008-05-30 23:30 . 2008-06-04 19:17 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp 2008-05-30 23:25 . 2008-05-31 03:06 <DIR> d-------- C:\Program Files\Google 2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe 2008-05-15 23:25 . 2008-06-06 02:44 4,104 --a------ C:\logfile . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-05 00:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys 2008-06-04 23:33 --------- d-----w C:\Program Files\Lavasoft 2008-06-04 23:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-01 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-05-15 02:31 --------- d-----w C:\Program Files\World of Warcraft 2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys 2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys 2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys 2008-04-10 16:37 --------- d-----w C:\Program Files\MSXML 4.0 2008-04-09 04:47 --------- d-----w C:\Program Files\Kodak 2008-04-09 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak 2008-04-09 04:46 --------- d-----w C:\Program Files\Common Files\Kodak 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC7A758B-8CA3-4FB5-987D-F6147DAA28C6}] C:\WINDOWS\boqnrwdmfrp.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 11:20 50528] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928] "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432] "nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 12:43 81920] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784] "1455bd2b"="C:\WINDOWS\system32\fennohfk.dll" [2008-06-05 17:44 96128] "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 11:23:10 1404928] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsX04.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxd26.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\kav\\kav7\\setup.exe"= "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 . Contents of the 'Scheduled Tasks' folder "2008-05-21 04:43:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job" - C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-06 02:44:24 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\kfhonnef.ini 294 bytes scan completed successfully hidden files: 1 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\fennohfk.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\verclsid.exe . ************************************************************************** . Completion time: 2008-06-06 2:48:29 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-06 06:48:24 Pre-Run: 2,251,739,136 bytes free Post-Run: 2,477,133,824 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons 185 --- E O F --- 2008-05-29 16:04:50 Logfile of HijackThis v1.99.1 Scan saved at 2:51:38 AM, on 6/6/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\AIM6\aaim6.exe C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Rob\My Documents\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O2 - BHO: QXK Olive - {CC7A758B-8CA3-4FB5-987D-F6147DAA28C6} - C:\WINDOWS\boqnrwdmfrp.dll (file missing) O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [1455bd2b] rundll32.exe "C:\WINDOWS\system32\fennohfk.dll",b O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/...ws-i586-jc.cab O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe |
|
|
|
|
06-06-2008, 07:32 AM
|
#5 (permalink) | |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,582
OS: WinXP and Vista
|
Re: Comp shutting down with BSOD and then restarting on its own
Hi pmb116, : )
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below. *************************************************** Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. --------------------------------------------------------------------- Open notepad and copy/paste the text in the code box below into it: Quote:
in the same location as ComboFix.exe  Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you. Post that log in your next reply. **Note** When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course: Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html Answer Yes, when prompted to install an ActiveX component.
**Note** To optimize scanning time and produce a more sensible report for review:
--------------------------------------------------------------- Run a new scan with HijackThis.exe and save the log. --------------------------------------------------------------- Please include the following in your next reply: C:\ComboFix.txt Kaspersky results New HijackThis log Update on system behavior |
|
|
|
|
|
06-06-2008, 04:51 PM
|
#6 (permalink) |
|
Registered User
Join Date: May 2008
Posts: 5
OS: xp
|
Re: Comp shutting down with BSOD and then restarting on its own
thank you once again here are the logs you asked for, the computer seems to be running good for the time being but i wont know how well until i can monitor it for an extended period of time
ComboFix 08-06-06.4 - Rob 2008-06-06 17:11:58.2 - NTFSx86 Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Rob\Desktop\CFScript.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\blackster.scr C:\WINDOWS\system32\ctfmonb.bmp C:\WINDOWS\system32\fennohfk.dll C:\WINDOWS\system32\kfhonnef.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\nxepbvhg.dll . ((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 ))))))))))))))))))))))))))))))) . 2008-06-06 17:12 . 2008-06-06 17:12 0 --a------ C:\WINDOWS\system32\kfhonnef.tmp 2008-06-06 03:27 . 2008-06-06 03:35 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak 2008-06-04 23:54 . 2008-06-04 23:54 <DIR> d-------- C:\WINDOWS\Sun 2008-06-04 23:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-06-04 23:53 . 2008-06-04 23:54 <DIR> d-------- C:\Program Files\Java 2008-06-04 23:53 . 2008-06-04 23:53 <DIR> d-------- C:\Program Files\Common Files\Java 2008-06-04 20:06 . 2008-06-04 20:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat 2008-06-04 20:06 . 2008-06-04 20:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat 2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Kaspersky Lab 2008-06-04 20:04 . 2008-06-06 09:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-06-04 20:04 . 2008-06-06 17:15 1,440,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2008-06-04 20:04 . 2008-06-06 17:15 19,916 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2008-06-04 20:04 . 2008-06-06 17:15 18,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2008-06-04 20:04 . 2008-06-06 17:15 1,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2008-06-04 20:02 . 2008-06-04 20:02 <DIR> d-------- C:\kav 2008-06-04 19:33 . 2008-06-04 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-06-04 18:08 . 2008-06-04 18:08 <DIR> d-------- C:\Deckard 2008-06-01 00:43 . 2008-06-01 00:43 <DIR> d-------- C:\ie-spyad_zo 2008-06-01 00:38 . 2008-06-01 00:38 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-06-01 00:38 . 2008-06-04 17:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-01 00:38 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX 2008-06-01 00:38 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL 2008-06-01 00:38 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX 2008-05-31 23:43 . 2008-05-31 23:43 <DIR> d-------- C:\Program Files\Panda Security 2008-05-31 03:21 . 2008-05-31 03:21 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\AXPFixer 2008-05-30 23:51 . 2008-05-30 23:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2008-05-30 23:50 . 2008-05-30 23:50 <DIR> d-------- C:\Documents and Settings\Administrator 2008-05-30 23:25 . 2008-05-31 03:06 <DIR> d-------- C:\Program Files\Google 2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe 2008-05-15 23:25 . 2008-06-06 17:17 4,712 --a------ C:\logfile . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-05 00:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys 2008-06-04 23:33 --------- d-----w C:\Program Files\Lavasoft 2008-06-04 23:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-01 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-05-15 02:31 --------- d-----w C:\Program Files\World of Warcraft 2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys 2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys 2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys 2008-04-10 16:37 --------- d-----w C:\Program Files\MSXML 4.0 2008-04-09 04:47 --------- d-----w C:\Program Files\Kodak 2008-04-09 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak 2008-04-09 04:46 --------- d-----w C:\Program Files\Common Files\Kodak . ((((((((((((((((((((((((((((( snapshot@2008-06-06_ 2.47.59.03 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-06 06:43:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-06 21:16:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2007-03-15 22:19:28 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll + 2008-03-20 22 36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll. ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 11:20 50528] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928] "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432] "nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 12:43 81920] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784] "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 11:23:10 1404928] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\kav\\kav7\\setup.exe"= "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 . Contents of the 'Scheduled Tasks' folder "2008-05-21 04:43:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job" - C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-06 17:17:14 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\WINDOWS\system32\verclsid.exe . ************************************************************************** . Completion time: 2008-06-06 17:20:35 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-06 21:20:31 ComboFix2.txt 2008-06-06 06:48:30 Pre-Run: 1,992,859,648 bytes free Post-Run: 1,981,542,400 bytes free ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, June 06, 2008 6:48:56 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 6/06/2008 Kaspersky Anti-Virus database records: 834859 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 35543 Number of viruses found: 4 Number of infected objects: 16 Number of suspicious objects: 0 Duration of the scan process: 00:56:44 Infected Object Name / Virus Name / Last Action C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt10.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt10.tmp/stream Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt10.tmp NSIS: infected - 2 skipped C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt12.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt12.tmp/stream Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt12.tmp NSIS: infected - 2 skipped C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt14.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt16.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt45.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt8.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.ttB.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Rob\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Rob\Desktop\[4]-Submit_2008-06-06@17.11.zip/nxepbvhg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped C:\Documents and Settings\Rob\Desktop\[4]-Submit_2008-06-06@17.11.zip ZIP: infected - 1 skipped C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Rob\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Rob\Local Settings\Temp\~DF6BC8.tmp Object is locked skipped C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Rob\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Rob\ntuser.dat.LOG Object is locked skipped C:\QooBox\Quarantine\catchme2008-06-06_ 23008.32.zip/mssrv32.exe Infected: Trojan.Win32.Buzus.fit skipped C:\QooBox\Quarantine\catchme2008-06-06_ 23008.32.zip ZIP: infected - 1 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{EC0AEA79-FB7A-4384-8F3D-449CF71EE0A8}\RP8\A0018270.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped C:\System Volume Information\_restore{EC0AEA79-FB7A-4384-8F3D-449CF71EE0A8}\RP9\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{21CA0A50-A257-4CD0-A5D5-192D727607C1}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. Logfile of HijackThis v1.99.1 Scan saved at 6:51:02 PM, on 6/6/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\Rob\My Documents\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/...ws-i586-jc.cab O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe |
|
|
|
|
06-06-2008, 09:37 PM
|
#7 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,582
OS: WinXP and Vista
|
Re: Comp shutting down with BSOD and then restarting on its own
Hi pmb116,
Delete the [4]-Submit_2008-06-06@17.11.zip file from your desktop, and thank you.  Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entry: O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ Click 'Fix Checked' and close HijackThis. -------------------------------------------------------------------- Using 'My Computer', navigate to and delete the following File (Right click and select 'Delete'): C:\WINDOWS\system32\kfhonnef.tmp -------------------------------------------------------------------- Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links: The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point. Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK: ComboFix /u -------------------------------------------------------------------- To help protect your computer in the future I recommend that you get the following free programs if you do not already have them: McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released. In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles: PC Safety and Security--What Do I Need? Think Prevention HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. ----------------------------------------------------- Follow the list above and the potential for infection will reduce dramatically. **Kindly respond one more time and let me know if we may consider this thread resolved. |
|
|
|
| Thread Tools | |
|
|
