
Urgent help is needed


  • This topic is locked
37 replies to this topic

#1 BlueRain

BlueRain

  • Members
  • 20 posts

Posted 25 May 2005 - 04:39 PM

Hello everybody, I'm in need of urgent help.. ASAP

My computer freezes very often, I just format it.. and I have a lot of things now stored on this HD that I can't erase for now. So I'm hoping to fix it..

First the start menu freezes, and then the whole computer (Ctrl+alt+delete stops working too). I think I got some kind of virus.. here is the Log

(I need any help I can get , thank you very much for your time :thumbsup: )



Logfile of HijackThis v1.99.1
Scan saved at 23:35:09, on 2005-05-25
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\fefewme.exe
C:\WINDOWS\System32\winsystem.exe
C:\Program\Winamp\winampa.exe
C:\Program\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Wolf\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [blah service] fefewme.exe
O4 - HKLM\..\Run: [Windows_Protect] winsystem.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [blah service] fefewme.exe
O4 - HKLM\..\RunServices: [Windows_Protect] winsystem.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows_Protect] winsystem.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program\VIA\RAID\raid_tool.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116867953452
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe


#2 BlueRain

Posted 26 May 2005 - 01:51 AM

It's weird, it happens sometimes every 10 minutes, and other times every 3 hours.. very strange.

#3 BlueRain

Posted 26 May 2005 - 03:06 PM

Ah this truly sucks.. anyone more experienced that can help? :thumbsup:

#4 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts

Posted 26 May 2005 - 03:19 PM

Welcome BlueRain to Bleeping Computer.

I'm sorry we couldn't reply any sooner.

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press ‘open process manager’
Select the process, press ‘kill process’ (and repeat this if necessary):
C:\WINDOWS\System32\fefewme.exe
C:\WINDOWS\System32\winsystem.exe

Press ‘back’ and 'scan'

***

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [blah service] fefewme.exe

O4 - HKLM\..\Run: [Windows_Protect] winsystem.exe

O4 - HKLM\..\RunServices: [blah service] fefewme.exe

O4 - HKLM\..\RunServices: [Windows_Protect] winsystem.exe

O4 - HKCU\..\Run: [Windows_Protect] winsystem.exe

Click on Fix Checked when finished and exit HijackThis.

***

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/tutorials/how-to-use-cleanup/
Don't run it yet.

***

Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop, don't run it yet.

***

*Restart the computer.
*As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item.
*Press Enter.

***

Find and double-click the file cleanup.

Go to option
Select ‘custom’
Put a check to:
* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, press Close.
Don't log off or reboot. Press NO.

***

Run Killbox.
Click the radio button that says Delete a file on reboot.
For each of the files in the box, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

C:\WINDOWS\System32\fefewme.exe

C:\WINDOWS\System32\winsystem.exe

Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Post back here in this topic with a fresh log using HijackThis.


Life is what happens while you're making other plans

#5 BlueRain

Posted 27 May 2005 - 02:44 AM

Thank you very much, the support is amazing here. I respect a lot of what you are doing.

Well I ran into 2 problems, first of all the link to Killbox you posted does not work, so I searched for it on Google.. and got this up

http://www.bleepingcomputer.com/files/killbox.php

But you said I needed a new update of the program, so I was not sure if that was correct. Well that's not the big problem..

I did the half first part of what you wrote. But when I enter "Boot mode" (F8) I got very limited choices.. and there is no "Safe mode" button. I can either choose to start from the Harddrive or the Cd-rom reader. It says "Choose your primary boot device" or something like that. So I'm stuck on that part :thumbsup:


*Edit:

At least my comp stopped freezing (Well it hasn't frozen for.. 2-3 hours now :flowers: :trumpet: )


*Edit 2

Bah it froze :inlove: .. but it took a long time though

Edited by BlueRain, 27 May 2005 - 04:41 AM.


#6 g2i2r4

Posted 27 May 2005 - 11:41 AM

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Please download the killbox from the link you have found.


Life is what happens while you're making other plans

#7 BlueRain

Posted 27 May 2005 - 12:10 PM

Done, here is the new stuff




Logfile of HijackThis v1.99.1
Scan saved at 19:07:18, on 2005-05-27
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Winamp\winampa.exe
C:\Program\MessengerPlus! 3\MsgPlus.exe
C:\Program\Java\jre1.5.0_01\bin\jusched.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\VIA\RAID\raid_tool.exe
C:\Documents and Settings\Wolf\Skrivbord\Important icons\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116867953452
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

#8 g2i2r4

Posted 27 May 2005 - 06:27 PM

Your log looks good to me. How are things on your side?


Life is what happens while you're making other plans
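
One way to confirm that the fix from post #4 took effect is to diff the O4 registry autostart entries of the two HijackThis logs posted in this thread. This is an added example, not part of the original thread; the function names are illustrative, and the Global Startup lines are left out of the embedded excerpts.

```python
import re

# O4 registry autostart lines copied from the two HijackThis logs in this thread.
LOG_BEFORE = r'''O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [blah service] fefewme.exe
O4 - HKLM\..\Run: [Windows_Protect] winsystem.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [blah service] fefewme.exe
O4 - HKLM\..\RunServices: [Windows_Protect] winsystem.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows_Protect] winsystem.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background'''
LOG_AFTER = r'''O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe" /WinStart'''

# The five entries the helper asked to have fixed: (key, value name, command).
TARGETS = {
    (r"HKLM\..\Run", "blah service", "fefewme.exe"),
    (r"HKLM\..\Run", "Windows_Protect", "winsystem.exe"),
    (r"HKLM\..\RunServices", "blah service", "fefewme.exe"),
    (r"HKLM\..\RunServices", "Windows_Protect", "winsystem.exe"),
    (r"HKCU\..\Run", "Windows_Protect", "winsystem.exe"),
}

O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[(.+?)\] (.+)$")

def parse_o4(log):
    """Return the set of (key, value name, command) for registry O4 lines."""
    entries = set()
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.add(m.groups())
    return entries

def compare(before, after, targets):
    """Diff two logs and report whether any targeted entry survived the fix."""
    b, a = parse_o4(before), parse_o4(after)
    return {"removed": b - a, "added": a - b,
            "still_present": targets & a, "not_in_before": targets - b}

if __name__ == "__main__":
    for label, entries in compare(LOG_BEFORE, LOG_AFTER, TARGETS).items():
        print(label)
        for entry in sorted(entries):
            print("  ", *entry)
```

An empty `still_present` set means none of the targeted autostart values came back; anything under `added` is new since the first scan and worth a look before calling the log clean.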

#9 BlueRain

Posted 28 May 2005 - 01:01 AM

Thanks! :thumbsup:

Actually on my side it's a bit strange (But a lot better), it still keeps freezing from time to time. Not as often as before, but it happens. But I have 2 hard drives now.. I'm thinking of putting all important files into one of them and then format the windows. However then this would be for nothing.. so no way. I'm suspecting MSN .. because.. well, if too many chat with me at the same time it freezes .. but I tried Trillian, and it didn't really work better. So I'm trying to find the problem

But thanks for removing whatever bad stuff I had (Like the trojan)

:flowers:

Edited by BlueRain, 28 May 2005 - 01:02 AM.


#10 g2i2r4

Posted 28 May 2005 - 04:36 AM

Let's have another look then (if you don't mind).

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files.
Do NOT run a scan yet.

***

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/tutorials/how-to-use-cleanup/

Find and double-click the file cleanup.

Go to option
Select ‘custom’
Put a check to:
* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Then please run Ewido, and run a full scan. Save the logfile from the scan.
Please post that logfile here in your answer.

***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your answer please.


Life is what happens while you're making other plans

#11 BlueRain

Posted 29 May 2005 - 05:47 AM

I did an Ewido scan, but it froze right after it was completed, so I could not save the log file :thumbsup:
However it found 4 infections and cleaned them up, want me to run it again?

Here is the HijackThis log you asked for


Ad-Aware SE Personal
ASUS Probe V2.23.06
Athlon 64 Processor Driver
ATI - Hjälp för avinstallation av program
ATI Control Panel
ATI Display Driver
CleanUp!
Command & Conquer Generals
Command & Conquer Renegade
Command and ConquerTM Generals Zero Hour
DAEMON Tools
DC++ 0.674
eMusic - 50 Free MP3 offer
ewido security suite
GameSpy Arcade
Guitar Pro 4.0
Half-Life
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 1
Marvell Miniport Driver
Messenger Plus! 3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
mIRC
Mozilla Firefox (1.0.4)
MSN Messenger 7.0
PowerQuest PartitionMagic 8.0
Realtek AC'97 Audio
Sierra Utilities
Spybot - Search & Destroy 1.3
Trillian
VIA Plattform för enhetshanterare
Winamp (remove only)
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix-paket [Ytterligare information finns i Q329115]
Windows XP-snabbkorrigering - KB-artikel 834707
WinRAR archiver
VobSub v2.23 (Remove Only)
World of Warcraft

#12 g2i2r4

Posted 29 May 2005 - 06:27 AM

I don't see anything strange there.

You could try running MSN Messenger without Messenger Plus for a while. See if that helps. Please let me know.

If you'd like to, you can try:
Panda online scan
Make sure that you choose "fix" or "clean". If you do, save the log and post it here.


Life is what happens while you're making other plans

#13 BlueRain

Posted 29 May 2005 - 06:49 AM

Thank you very much for your help g2i2r4

I will try to run with Trillian instead and remove some add-on programs. I will report back here if it works or if anything strange occurs, again thank you for your great support.

Edited by BlueRain, 29 May 2005 - 06:49 AM.


#14 g2i2r4

Posted 29 May 2005 - 06:58 AM

Thanks for the compliment.

How to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

I'll keep this topic open for a while, hoping to hear from you. Good luck.


Life is what happens while you're making other plans

#15 BlueRain

Posted 29 May 2005 - 08:08 AM

I have checked all the links in your post, and scanned everything. I found some minor stuff with Ad-aware

For now I got the Windows firewall, I'll get a better one soon.
I will reply tonight again in this topic about how it's going. And then you can lock this if you want :thumbsup:

I really respect this place for the attitude against those who are in need of help :flowers: good work.
