
Infected Pc Keeps Shutting Down



#1 nikola_hp

Posted 09 April 2008 - 08:21 AM

Hello,

I have a very strange problem. A friend of mine used my PC for a while, "exposing" it to memory sticks with UFO.exe, sxs.exe and antihost.exe on them. The PC has XP Home SP2, avast home edition and spybot s&d and I'm pretty sure it's loaded with malware. Every time I try to scan the local drives with avast the PC simply shuts down in the middle of the process. No warnings, no problems, just goes off by itself and then I have to turn it back on. The same happens when I try to scan with spybot s&d, the kaspersky on-line scanner, avg anti-rootkit and it happened the first time I ran Combofix. Same story when all is done in safe mode. Prevx free version displays the following summary:

C:\WINDOWS\system32\fsmgmt.dll.tmp - >> Win32/CryptExe.A
C:\WINDOWS\system32\secpol.exe - [B] >> Generic9.AZOS

When I use command prompt to delete those files, they do not exist. I ran Combofix using a script for a second time and it produced the following report:

ComboFix 08-04-08.10 - Owner 2008-04-09 14:36:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1251.1.1033.18.148 [GMT 2:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


FILE ::
C:\WINDOWS\SYSTEM32\fsmgmt.dll
C:\WINDOWS\system32\secpol.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 10:51 . 2008-04-09 10:51 <DIR> d-------- C:\Program Files\InterMute
2008-04-09 10:51 . 2008-04-09 10:51 <DIR> d-------- C:\Program Files\InCode Solutions
2008-04-09 10:32 . 2005-03-27 08:26 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-3FDB94E0B\WINDOWS
2008-04-09 10:32 . 2005-05-21 22:06 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-3FDB94E0B\Application Data\SampleView
2008-04-07 11:05 . 2008-04-07 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-05 13:47 . 2008-04-05 13:47 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-05 13:25 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-05 13:25 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-04 12:09 . 2008-04-04 12:09 3,072,054 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp
2008-04-04 12:09 . 2008-04-04 12:09 54,870 --a------ C:\WINDOWS\BricoPackUninst.cmd
2008-04-04 12:06 . 2008-04-04 12:06 <DIR> d-------- C:\WINDOWS\BricoPacks
2008-04-04 12:06 . 2008-04-04 12:09 6,114 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-03-26 16:44 . 2008-03-26 16:44 <DIR> d-------- C:\rar
2008-03-26 16:41 . 2008-03-26 16:41 1,206,366 --a------ C:\wrar371.exe
2008-03-09 18:35 . 2008-03-09 18:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-09 18:35 . 2008-03-09 18:35 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 12:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-04-09 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 11:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-07 09:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\PrevxCSI
2008-04-05 15:50 --------- d-----w C:\Program Files\Pure Networks
2008-04-05 11:48 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-05 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-04 10:09 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-04 20:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-02 09:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-22 08:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-08-21 18:54 518 ----a-w C:\Program Files\Shortcut to Scion Corporation.lnk
2007-02-20 10:32 101,142 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_19_17_28_18_small.dmp.zip
2007-02-19 10:35 106,638 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_18_20_58_14_small.dmp.zip
2007-02-14 22:23 101,359 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_14_15_42_04_small.dmp.zip
2007-02-12 08:20 104,909 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_11_11_52_42_small.dmp.zip
2007-02-06 07:29 99,656 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_05_21_58_37_small.dmp.zip
2007-02-03 13:23 142,907 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_03_12_27_55_small.dmp.zip
2007-01-31 19:50 146,537 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_31_10_43_21_small.dmp.zip
2007-01-31 09:00 103,721 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_30_12_33_32_small.dmp.zip
2007-01-28 11:08 113,538 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_27_19_14_06_small.dmp.zip
2006-05-24 11:47 66,840 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-03-16 10:55 1,542,370 ----a-w C:\Program Files\WinZip.exe
2005-09-20 17:44 716,832 --sha-w C:\WINDOWS\fidbox.dat
.

------- Sigcheck -------

2007-06-13 12:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\explorer.exe
2007-06-13 13:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 21:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 12:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20 20058152]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 16:59 224248]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 14:16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 00:20 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 00:20 499712]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-27 02:57 139264]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-07-10 11:25 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-07-10 11:13 114688]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 16:59 224248]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 00:05:02 630784]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 09:43:08 180224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk.disabled [2004-06-19 00:08:12 1518]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 07:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ChristmasTree"=C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I6PDP8TE\christmas%20tree[1].exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Lecteur CANALPLAY\\CanalPlayer.exe"=
"C:\\Program Files\\Lecteur CANALPLAY\\CanalPlayerHelper.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 Seagate Sync Service;Seagate Sync Service;"C:\Program Files\Seagate\Sync\SeaSyncServices.exe" [2007-01-18 13:20]
S3 Service CANALPLAY;Service CANALPLAY;"C:\Program Files\Lecteur CANALPLAY\CanalPlayService.exe" [2006-07-11 13:01]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-01-20 12:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16ca669c-5615-11dc-8fe1-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{260a9584-3840-11dc-8f92-00038a000015}]
\Shell\Auto\command - F:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{281e19f9-c81f-11dc-90ed-00038a000015}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29fe29ee-bead-11dc-90d3-00038a000015}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32903bb1-4655-11dc-8fb9-00038a000015}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{340bf8c8-08a8-11dc-8f35-00038a000015}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{357bf1e8-cbf4-11da-9c2d-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bd30f28-56b5-11db-8e6c-00038a000015}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82d47726-cb21-11dc-90f3-00038a000015}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c800eba6-92e8-11dc-906b-00038a000015}]
\Shell\Auto\command - F:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c839600b-2928-11dc-8f7f-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c839600d-2928-11dc-8f7f-00038a000015}]
\Shell\Auto\command - F:\boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cce3469b-e054-11dc-912f-00038a000015}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-06-26 08:07:03 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-06-26 08:07:03 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-06-26 08:06:46 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 14:39:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
-> C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon.dll
.
Completion time: 2008-04-09 14:40:17
ComboFix-quarantined-files.txt 2008-04-09 12:40:03
Pre-Run: 3,555,770,368 bytes free
Post-Run: 3,542,089,728 bytes free
.
2008-04-09 11:40:30 --- E O F ---



I cannot stop wondering why the computer keeps shutting down by itself. Is that related to the infections? I also did scandisk and there was nothing wrong with the drives.
Please help.
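As an added example (not part of nikola_hp's post and not ComboFix's own code), here is a small Python triage script that parses the mountpoints2 section of a ComboFix log like the one above and flags the autorun commands a responder would look at first. The heuristics and the embedded sample entries are assumptions constructed from the post; a flag means "review this", not a verdict.

```python
import re
# Constructed sample in ComboFix's "Reg Loading Points" layout (entries copied from the post).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{260a9584-3840-11dc-8f92-00038a000015}]
\Shell\Auto\command - F:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{281e19f9-c81f-11dc-90ed-00038a000015}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
"""
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)
ROOT_EXE_RE = re.compile(r"^[d-z]:\\[^\\]+\.(exe|com|bat|pif|scr)\b", re.I)

def parse_mountpoints(log_text):
    """Map each mountpoints2 GUID to its list of (shell verb, command) pairs."""
    entries, current = {}, None
    for line in map(str.strip, log_text.splitlines()):
        key, cmd = KEY_RE.match(line), CMD_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries[current] = []
        elif cmd and current is not None:
            entries[current].append((cmd.group(1).lower(), cmd.group(2).strip()))
    return entries

def command_reasons(command):
    """Heuristics a responder would apply; assumptions of this example, not ComboFix rules."""
    reasons = []
    if "shellexec_rundll" in command.lower():
        reasons.append("RunDLL32 ShellExec_RunDLL runs a bare filename resolved from the drive root")
    if ROOT_EXE_RE.match(command):
        reasons.append("executable launched directly from a removable/non-system drive root")
    return reasons

def triage(log_text):
    """Return [(guid, verb, command, reasons)] for every command that trips a heuristic."""
    findings = []
    for guid, cmds in parse_mountpoints(log_text).items():
        by_verb = dict(cmds)
        for verb, command in cmds:
            reasons = command_reasons(command)
            # open/explore bound to the same file as AutoRun: a removable-media worm signature.
            if verb in ("open", "explore") and by_verb.get("autorun") == command:
                reasons.append("open/explore verb hijacked to the AutoRun payload")
            if reasons:
                findings.append((guid, verb, command, reasons))
    return findings
```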
