Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pc Restarts By Itself


  • This topic is locked This topic is locked
22 replies to this topic

#1 galaxy99

galaxy99

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 15 September 2008 - 10:01 PM

When I turn on or try to start my PC it goes in a cycle of starting up then restarting itslef once the desktop is displayed. There seems to be some problem that's causing it to restart by itself. I noticed that the only way to stop my PC from restarting is to delete some running programs such as: braviax.exe

I ran panda antivirus, AD-Aware and Spybot among other malware removal programs but that disn't help. I would appreciate your assistance and thanks in advance.

Please see HIJACHTHIS log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:56 AM, on 9/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-FU997.exe" /REG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: qsmp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1209513447328
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...337/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1132DB1-335C-4F32-8A87-22FE19C2A25F}: NameServer = 192.168.1.1,192.168.1.2
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe

--
End of file - 6784 bytes

Edited by galaxy99, 15 September 2008 - 10:14 PM.


BC AdBot (Login to Remove)

 


#2 galaxy99

galaxy99
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 16 September 2008 - 04:37 PM

I ran SDFix and I thought I should paste the reports here. Also please note that I noticed that it's Braviax.exe that I think is causing my PC to restart every time.


SDFix: Version 1.225
Run by Gold on Wed 09/17/2008 at 12:12 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 00:18:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Finished!

----------------------------------------------------------------------------------------------------------------------


; This .inf file will remove Policy restrictions added by the VirusAlert
; infection and restore the default start menu icons and drive settings

[Version]
Signature="$Windows NT$"

[DefaultInstall]
DelReg=RemoveRestrictions
AddReg=ResetRegChanges

[ResetRegChanges]
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowControlPanel,0x10001,0x00000002
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowHelp,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowMyComputer,0x10001,0x00000002
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowMyDocs,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowMyMusic,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowMyPics,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowNetPlaces,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowRun,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowSearch,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDrives,0x10001,0x00000000

[RemoveRestrictions]
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies","DisableRegistryTools"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies","DisableRegistryTools"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies","DisableTaskMgr"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies","DisableTaskMgr"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies","NoDispCPL"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies","NoDispCPL"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSetFolders"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSetFolders"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoStartMenuMorePrograms"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoStartMenuMorePrograms"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoToolbarCustomize"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoToolbarCustomize"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","StartMenuLogoff"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","StartMenuLogoff"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableCMD"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableCMD"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispCPL"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispCPL"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispBackgroundPage"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispBackgroundPage"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispScrSavPage"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispScrSavPage"
HKCU, "Software\Policies\Microsoft\Internet Explorer\Restrictions","NoBrowserOptions"
HKLM, "Software\Policies\Microsoft\Internet Explorer\Restrictions","NoBrowserOptions"
HKCU, "Software\Policies\Microsoft\Windows\system","DisableCMD"
HKLM, "Software\Policies\Microsoft\Windows\system","DisableCMD"
---------------------------------------------------------------------------------------------------------------


; This .inf file will remove Policy restrictions added by the VirusAlert infection

[Version]
Signature="$Windows NT$"

[DefaultInstall]
DelReg=RemoveRestrictions

[RemoveRestrictions]
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies","DisableRegistryTools"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies","DisableRegistryTools"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies","DisableTaskMgr"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies","DisableTaskMgr"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies","NoDispCPL"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies","NoDispCPL"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSetFolders"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSetFolders"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoStartMenuMorePrograms"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoStartMenuMorePrograms"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoToolbarCustomize"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoToolbarCustomize"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","StartMenuLogoff"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","StartMenuLogoff"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableCMD"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableCMD"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispCPL"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispCPL"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispBackgroundPage"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispBackgroundPage"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispScrSavPage"
HKLM, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispScrSavPage"
HKCU, "Software\Policies\Microsoft\Internet Explorer\Restrictions","NoBrowserOptions"
HKLM, "Software\Policies\Microsoft\Internet Explorer\Restrictions","NoBrowserOptions"
HKCU, "Software\Policies\Microsoft\Windows\system","DisableCMD"
HKLM, "Software\Policies\Microsoft\Windows\system","DisableCMD"

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:50 PM

Posted 18 September 2008 - 09:18 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#4 galaxy99

galaxy99
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 21 September 2008 - 08:25 AM

Thank you for your help. I downloaded combofix but I have several problems and difficulties trying to install Windows XP Recovery Console. And by the way PC is not restarting by itself now after running SDFix but I am still not sure if my PC is infected.

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:50 PM

Posted 21 September 2008 - 10:30 AM

What do you mean its not restarting by itself? Also what are the problems you are having getting the recovery console installed?

#6 galaxy99

galaxy99
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 21 September 2008 - 02:33 PM

What do you mean its not restarting by itself? Also what are the problems you are having getting the recovery console installed?


The original problem of my PC is that when I start it up it starts loading my desktop then before finishing loading up all my desktop items it restarts again by itself; that's rebooting... and it goes in a loop doing that. That problem is not occuring now after I ran the SDFix, some adaware softwares and antivirus programs.

Recovery console problems: I tried to load it from my Windows XP cd but it's not there. I tried to follow the other directions to load it from the MS website and I could not do it. It's long and confusing. I am sorry but I spent a lot of time trying and could not do it. Maybe I am just not as sharp as I should be when it comes to technical stuff.


EDIT: I am running Windows XP, Professional Service Pack 2. I forgot to say that my Floppy device is not operating for some reason eventhough I installed a new one about a month or so ago. So basically I can not create boot diskettes on my Floppy drive.

Edited by galaxy99, 21 September 2008 - 02:45 PM.


#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:50 PM

Posted 22 September 2008 - 11:19 AM

Let's try this:

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#8 galaxy99

galaxy99
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 22 September 2008 - 07:31 PM

ComboFix log:

ComboFix 08-09-19.12 - Gold 2008-09-23 3:14:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.498 [GMT 3:00]
Running from: C:\Documents and Settings\Gold\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gold\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Gold\Cookies\gold@w2.hidemyass[1].txt
C:\Documents and Settings\Gold\Cookies\gold@w2.hidemyass[3].txt

.
((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-20 05:08 . 2008-09-20 05:08 <DIR> d-------- C:\Program Files\PCPitstop
2008-09-17 06:51 . 2008-09-20 06:52 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-17 04:53 . 2008-09-17 04:53 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-17 04:53 . 2008-09-17 04:53 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-17 04:52 . 2008-09-23 02:59 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-17 04:52 . 2008-09-17 04:52 <DIR> d-------- C:\Program Files\AVG
2008-09-17 04:52 . 2008-09-17 04:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-17 04:52 . 2008-09-17 04:52 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-17 04:34 . 2008-09-17 04:34 <DIR> d-------- C:\Program Files\TuneXP
2008-09-17 04:34 . 2008-09-17 04:33 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-09-17 02:44 . 2008-09-17 02:44 <DIR> d-------- C:\ie-spyad_zo
2008-09-17 01:04 . 2008-09-17 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-17 00:09 . 2008-09-17 00:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-17 00:05 . 2008-09-17 00:05 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-16 23:59 . 2008-09-17 00:20 <DIR> d-------- C:\SDFix
2008-09-16 05:52 . 2008-09-16 05:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-12 18:59 . 2008-09-12 20:18 3,902,784 --a------ C:\Documents and Settings\Gold\gosetup.exe
2008-09-12 05:03 . 2008-09-12 05:03 724,984 --a------ C:\Documents and Settings\Gold\gotomypc_437.exe
2008-08-27 04:43 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 04:43 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-26 00:18 . 2008-08-26 00:18 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 02:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-21 19:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-17 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-17 07:40 --------- d-----w C:\Program Files\Panda Security
2008-09-17 07:40 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-09-14 06:29 --------- d-----w C:\Documents and Settings\Gold\Application Data\Image Zone Express
2008-08-21 04:16 --------- d-----w C:\Documents and Settings\Gold\Application Data\Anonymizer
2008-08-21 04:13 --------- d-----w C:\Program Files\Anonymizer
2008-08-21 04:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Anonymizer
2008-08-07 20:50 --------- d-----w C:\Program Files\PIXresizer
2008-07-20 23:18 249,592 ----a-w C:\WINDOWS\system32\cssdll32.dll
2008-07-20 23:16 143,104 ----a-w C:\WINDOWS\system32\guard32.dll
2008-07-14 21:38 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"COMODO SafeSurf"="C:\Program Files\COMODO\SafeSurf\cssurf.exe" [2008-07-21 278264]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-21 1655552]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-17 1235736]
"VTTimer"="VTTimer.exe" [2004-10-22 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-11 C:\WINDOWS\system32\VTTrayp.exe]

C:\Documents and Settings\Gold\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cru629.dat,avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-17 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-21 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-21 24208]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-17 76040]
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-17 875288]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-17 231704]
S3 Asushwio;Asushwio;C:\WINDOWS\system32\drivers\Asushwio.sys [2000-03-29 5824]

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{B1132DB1-335C-4F32-8A87-22FE19C2A25F}: NameServer = 192.168.1.1,192.168.1.2

O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 03:18:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-23 3:19:44
ComboFix-quarantined-files.txt 2008-09-23 00:19:37

Pre-Run: 28,203,413,504 bytes free
Post-Run: 28,318,744,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

140



Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:35 AM, on 9/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1209513447328
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...337/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1132DB1-335C-4F32-8A87-22FE19C2A25F}: NameServer = 192.168.1.1,192.168.1.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: cru629.dat,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6054 bytes

Edited by galaxy99, 22 September 2008 - 07:33 PM.


#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:50 PM

Posted 23 September 2008 - 09:59 AM

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\Windows\System32\cru629.dat

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"


Save this as the txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

#10 galaxy99

galaxy99
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 23 September 2008 - 04:16 PM

ComboFix log:

ComboFix 08-09-19.12 - Gold 2008-09-24 0:03:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.466 [GMT 3:00]
Running from: C:\Documents and Settings\Gold\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gold\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\System32\cru629.dat
.

((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-20 05:08 . 2008-09-20 05:08 <DIR> d-------- C:\Program Files\PCPitstop
2008-09-17 06:51 . 2008-09-20 06:52 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-17 04:53 . 2008-09-17 04:53 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-17 04:52 . 2008-09-17 04:52 <DIR> d-------- C:\Program Files\AVG
2008-09-17 04:52 . 2008-09-17 04:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-17 04:34 . 2008-09-17 04:34 <DIR> d-------- C:\Program Files\TuneXP
2008-09-17 04:34 . 2008-09-17 04:33 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-09-17 02:44 . 2008-09-17 02:44 <DIR> d-------- C:\ie-spyad_zo
2008-09-17 01:04 . 2008-09-17 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-17 00:09 . 2008-09-17 00:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-17 00:05 . 2008-09-17 00:05 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-16 23:59 . 2008-09-17 00:20 <DIR> d-------- C:\SDFix
2008-09-16 05:52 . 2008-09-16 05:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-12 18:59 . 2008-09-12 20:18 3,902,784 --a------ C:\Documents and Settings\Gold\gosetup.exe
2008-09-12 05:03 . 2008-09-12 05:03 724,984 --a------ C:\Documents and Settings\Gold\gotomypc_437.exe
2008-08-26 00:18 . 2008-08-26 00:18 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 03:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-21 19:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-17 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-17 07:40 --------- d-----w C:\Program Files\Panda Security
2008-09-17 07:40 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-09-17 01:53 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-17 01:52 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-14 06:29 --------- d-----w C:\Documents and Settings\Gold\Application Data\Image Zone Express
2008-09-09 21:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 21:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-21 04:16 --------- d-----w C:\Documents and Settings\Gold\Application Data\Anonymizer
2008-08-21 04:13 --------- d-----w C:\Program Files\Anonymizer
2008-08-21 04:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Anonymizer
2008-08-07 20:50 --------- d-----w C:\Program Files\PIXresizer
2008-07-20 23:18 249,592 ----a-w C:\WINDOWS\system32\cssdll32.dll
2008-07-20 23:16 143,104 ----a-w C:\WINDOWS\system32\guard32.dll
2008-07-14 21:38 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"COMODO SafeSurf"="C:\Program Files\COMODO\SafeSurf\cssurf.exe" [2008-07-21 278264]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-21 1655552]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-17 1235736]
"VTTimer"="VTTimer.exe" [2004-10-22 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-11 C:\WINDOWS\system32\VTTrayp.exe]

C:\Documents and Settings\Gold\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-17 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-21 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-21 24208]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-17 76040]
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-17 875288]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-17 231704]
S3 Asushwio;Asushwio;C:\WINDOWS\system32\drivers\Asushwio.sys [2000-03-29 5824]

NETSVCS REQUIRES REPAIRS - current entries shown

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs


*Newly Created Service* - PROCEXP90
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 00:05:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-24 0:07:56
ComboFix-quarantined-files.txt 2008-09-23 21:07:48
ComboFix2.txt 2008-09-23 00:19:47

Pre-Run: 28,308,639,744 bytes free
Post-Run: 28,303,941,632 bytes free

116



Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:32 AM, on 9/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1209513447328
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...337/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1132DB1-335C-4F32-8A87-22FE19C2A25F}: NameServer = 192.168.1.1,192.168.1.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6007 bytes

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:50 PM

Posted 23 September 2008 - 04:54 PM

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

@echo off
swreg query hklm\system\currentcontrolset\services /s |(
SED -r "/^HK|^ +ImagePath.*-k netsvcs/I!d" |(
SED -r ":a; $!N;s/\n.*\t.*/\t/;ta;P;D" |(
SED -r "/.*\\(.*)\t/!d; s//\1/"
)))>Log.txt
Start Notepad Log.txt

Save this as peek.bat and choose to Save as type: - All Files then close the Notepad file.

Double-click on peek.bat & allow it to run. A Notepad file will open. Post the contents of that file, Log.txt, in your next reply.

#12 galaxy99

galaxy99
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 23 September 2008 - 07:25 PM

My PC is not starting up as I get a screen full of messages and it goes into scan mode then restarts back up to the same place. Here's the messages that I get:

A problem has been detected and windows has been shut down to prevent damage to your computer.

The problem seems to be caused by the following file: avgtdix.sys

driver_unload_without_cancelling_pending_operations

I was able to start PC in safe mode though.

Please note I am posting this from another PC as it seems I lost my internet connection on my PC when I started it in safe mode.

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:50 PM

Posted 24 September 2008 - 06:25 AM

From safe mode, uninstall AVG Antivirus and reboot. See if you can login now.

#14 galaxy99

galaxy99
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 24 September 2008 - 09:38 AM

OK AVG antivirus uninstalled and I am able to start up in normal mode but I can not connect to the internet. The net icon near the clock is not showing too.

I also get a window installer banner trying to load or something on the desktop.

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:50 PM

Posted 24 September 2008 - 10:02 AM

Any idea what is is trying to install?

If you go into the control panel, then double click on network connections, what connections are there? Is there local area connection? If so, right click on and make sure its enabled.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users