
Computer shutting down.


  • This topic is locked
18 replies to this topic

#1 SuddenlySarah

  • Members
  • 15 posts
  • Gender:Female

Posted 21 August 2009 - 10:25 AM

I keep having this problem where my computer shuts down at any given moment. My first impulse was that I had a virus, and after performing a scan with Norton I had taken steps to remove the problem. However, after a day it appeared that the 'problem' hadn't cleared.
The computer always seems to stop whenever I am running a scan and it doesn't seem to matter whether I am in safe mode or not. In fact, scans that have turned out fine in normal mode can not be completed in safe mode because the computer shuts down before they get a chance to finish.
I have rebooted the computer and reformatted the main hard drive but the problem still exists. Is there any way you could help me with this problem? :thumbup2:

I am enclosing a few basic computer details in order to be of help. :)


Computer: Fujitsu Siemens.
Age: 2 years old.
Ram: 1.00 GB
Hard drive space: 250 GB
Scanners and Anti Virus software used: Norton 2009, Adaware, Spybot Search and Destroy.


I've also managed to do a scan using HijackThis. Here is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:51:02, on 21/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.skybroadband.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/en/uk/norton/suppo...us.jsp?type=ocs
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.10\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.10\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.10\coIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.10\coIEPlg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe

--
End of file - 5004 bytes



If there is any more information required please don't hesitate to ask. Any help would be greatly appreciated :)



#2 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 01 September 2009 - 04:07 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 SuddenlySarah
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Female

Posted 02 September 2009 - 05:25 AM

Thank you for taking the time to get back to me, I can appreciate how busy you must be. :thumbup2:
Every time I try to run a scan the computer shuts off before the scan is completed. When I try to switch it on again, the computer takes several attempts before it will finally boot up. At first it was only happening when I was running scans in safe mode, but at the moment it happens every time I run a scan and it doesn't matter whether it's in normal or safe mode.
I have reformatted my hard drive but it has not cleared the problem. I have also run scans with several different virus scanners and each time the computer will shut off in mid scan.
I have cleared out all the dust bunnies from the machine itself and have also checked the power supply which seems to be working normally.
I've followed the instructions laid out in your post, here is the dds log. If there is anything else you need please let me know :)


DDS (Ver_09-07-30.01) - NTFSx86
Run by Sarah at 10:53:34.57 on 02/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.469 [GMT 1:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\6H4XO3IP\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.skybroadband.com
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.skybroadband.com
uInternet Connection Wizard,ShellNext = hxxp://www.skybroadband.com/
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.0.0.125\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1000000.07d\SymEFA.sys [2009-9-2 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1000000.07d\BHDrvx86.sys [2009-9-2 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1000000.07d\ccHPx86.sys [2009-9-2 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090810.001\IDSXpx86.sys [2009-9-2 276344]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [2009-9-2 115560]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090901.023\NAVENG.SYS [2009-9-1 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090901.023\NAVEX15.SYS [2009-9-1 1323568]

=============== Created Last 30 ================

2009-09-02 10:25 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-09-02 10:25 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-02 10:25 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-09-02 10:25 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-02 10:25 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-02 10:25 <DIR> --d----- c:\program files\Symantec
2009-09-02 10:25 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-09-02 10:24 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-09-02 10:24 <DIR> --d----- c:\program files\Norton Internet Security
2009-09-02 10:22 <DIR> --d----- c:\program files\NortonInstaller
2009-09-02 10:22 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-09-02 10:18 <DIR> --d----- c:\program files\Sky Broadband
2009-09-02 10:14 307,200 a----r-- c:\windows\system32\atiiiexx.dll
2009-09-02 10:14 6,126 a----r-- c:\windows\system32\atifglpf.xml
2009-09-02 10:14 129,084 a----r-- c:\windows\system32\atiicdxx.dat
2009-09-02 10:14 1,114,674 a----r-- c:\windows\system32\drivers\ativcaxx.cpa
2009-09-02 10:14 58,560 a----r-- c:\windows\system32\drivers\ativckxx.vp
2009-09-02 10:14 31,632 a----r-- c:\windows\system32\drivers\ativvpxx.vp
2009-09-02 10:14 929 a----r-- c:\windows\system32\drivers\ativcaxx.vp
2009-09-02 10:14 40,960 a----r-- c:\windows\system32\drivers\SiSGbeXP.sys
2009-09-02 10:14 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-09-02 10:14 <DIR> --d----- c:\program files\ATI Technologies
2009-09-02 10:02 172,416 -c------ c:\windows\system32\dllcache\kmixer.sys
2009-09-02 10:02 82,944 -c------ c:\windows\system32\dllcache\wdmaud.sys
2009-09-02 10:02 6,400 -c------ c:\windows\system32\dllcache\splitter.sys
2009-09-02 10:00 163,840 -c------ c:\windows\system32\dllcache\jgdw400.dll
2009-09-02 10:00 27,648 -c------ c:\windows\system32\dllcache\jgpl400.dll
2009-09-02 09:59 143,360 -c------ c:\windows\system32\dllcache\usbport.sys
2009-09-02 09:59 30,080 -c------ c:\windows\system32\dllcache\usbehci.sys
2009-09-02 09:59 20,608 -c------ c:\windows\system32\dllcache\usbuhci.sys
2009-09-02 09:59 17,152 -c------ c:\windows\system32\dllcache\usbohci.sys
2009-09-02 09:57 453,120 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-09-02 09:56 23,040 -------- c:\windows\kb913800.exe
2009-09-02 09:54 28,672 -------- c:\windows\system32\verclsid.exe
2009-09-02 09:50 <DIR> --d----- c:\windows\system32\PreInstall
2009-09-02 07:15 <DIR> --d----- c:\windows\system32\inetsrv
2009-08-24 08:59 4,484 a------- c:\windows\system32\drivers\SYMEVENT.PNF
2009-08-24 08:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-24 08:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-24 07:10 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-08-24 07:10 21,504 a------- c:\windows\system32\hidserv.dll
2009-08-24 07:10 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-08-24 07:09 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-08-24 07:09 6,400 a------- c:\windows\system32\drivers\enum1394.sys
2009-08-24 07:09 74,240 a------- c:\windows\system32\usbui.dll
2009-08-24 07:08 <DIR> --d----- c:\program files\common files\ODBC
2009-08-24 07:08 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-08-24 07:07 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-08-24 06:51 <DIR> --d----- c:\windows\RegisteredPackages
2009-08-24 06:49 46,592 -------- c:\windows\system32\drivers\irbus.sys
2009-08-24 06:49 19,200 -------- c:\windows\system32\drivers\hidir.sys
2009-08-24 06:44 <DIR> --d----- c:\windows\system32\URTTemp
2009-08-24 06:43 <DIR> --d----- c:\documents and settings\Sarah
2009-08-24 06:42 <DIR> --ds---- c:\windows\system32\Microsoft
2009-08-24 06:42 8,192 a------- c:\windows\REGLOCS.OLD
2009-08-24 06:38 103,424 ac------ c:\windows\system32\dllcache\uihelper.dll
2009-08-24 06:37 1,875,968 ac------ c:\windows\system32\dllcache\msir3jp.lex
2009-08-24 06:36 10,096,640 ac------ c:\windows\system32\dllcache\hwxcht.dll
2009-08-24 06:35 9,216 ac------ c:\windows\system32\dllcache\authfilt.dll
2009-08-24 06:32 49,265 a------- c:\windows\system32\jpicpl32.cpl
2009-08-24 06:32 6,400 a------- c:\windows\system32\drivers\splitter.sys
2009-08-24 06:31 82,944 a------- c:\windows\system32\drivers\wdmaud.sys
2009-08-24 06:31 52,864 a------- c:\windows\system32\drivers\DMusic.sys
2009-08-24 06:31 54,272 a------- c:\windows\system32\drivers\swmidi.sys
2009-08-24 06:31 142,464 a------- c:\windows\system32\drivers\aec.sys
2009-08-24 06:31 172,416 a------- c:\windows\system32\drivers\kmixer.sys
2009-08-24 06:31 2,944 a------- c:\windows\system32\drivers\drmkaud.sys
2009-08-24 06:31 60,800 a------- c:\windows\system32\drivers\sysaudio.sys
2009-08-24 06:31 7,552 a------- c:\windows\system32\drivers\MSKSSRV.sys
2009-08-24 06:31 4,992 a------- c:\windows\system32\drivers\MSPQM.sys
2009-08-24 06:31 5,376 a------- c:\windows\system32\drivers\MSPCLOCK.sys
2009-08-24 06:30 <DIR> --d----- c:\windows\fsc
2009-08-24 06:30 <DIR> --d----- C:\AddOn
2009-08-24 06:30 17,638 a------- c:\windows\system32\OEMLOGO.BMP
2009-08-24 06:30 1,038 a------- c:\windows\system32\OEMINFO.INI
2009-08-24 06:30 130,048 a------- c:\windows\system32\ksproxy.ax
2009-08-24 06:30 60,288 a------- c:\windows\system32\drivers\drmk.sys
2009-08-24 06:30 4,096 a------- c:\windows\system32\ksuser.dll
2009-08-24 06:27 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-08-24 06:24 23,392 a------- c:\windows\system32\nscompat.tlb
2009-08-24 06:24 16,832 a------- c:\windows\system32\amcompat.tlb
2009-08-24 06:24 316,640 a------- c:\windows\WMSysPr9.prx
2009-08-24 06:22 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-08-24 06:22 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-08-24 06:22 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-08-24 06:22 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-08-24 06:22 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-08-24 06:22 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-08-24 06:22 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-08-24 06:22 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-08-24 06:22 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-08-24 06:22 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-08-24 06:22 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-08-24 06:20 <DIR> --d----- c:\program files\common files\MSSoap
2009-08-24 06:17 <DIR> --d----- c:\program files\Online Services
2009-08-24 06:16 <DIR> --d----- c:\program files\Windows Plus
2009-08-24 06:13 <DIR> --d----- c:\program files\Messenger
2009-08-24 06:13 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-08-24 06:13 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-08-24 08:59 20,408 a------- c:\windows\system32\drivers\INFCACHE.1
2009-08-24 07:08 63,240 a------- c:\windows\system32\drivers\Si3112r.PNF
2009-08-24 07:08 12,432 a------- c:\windows\system32\drivers\adpu320.PNF
2009-08-24 07:08 12,204 a------- c:\windows\system32\drivers\nvraid.PNF
2009-08-24 07:08 10,828 a------- c:\windows\system32\drivers\iaAHCI.PNF
2009-08-24 07:08 9,388 a------- c:\windows\system32\drivers\iaStor.PNF
2009-08-24 07:08 7,280 a------- c:\windows\system32\drivers\viamraid.PNF
2009-08-24 07:08 6,984 a------- c:\windows\system32\drivers\SiSRaid.PNF
2009-08-24 06:53 126,662 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-08-24 06:53 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-24 06:18 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 10:54:04.68 ===============


#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 08 September 2009 - 09:48 AM

Hello SuddenlySarah :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. Sorry about your long wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





At first glance I didn't really see anything in the way of infections but let's see if we can get a rootkit scan and go from there.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save ... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.






Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 SuddenlySarah
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Female

Posted 08 September 2009 - 12:41 PM

Thank you thewall for taking the time to get back to me, I really do appreciate it. Apologies if anything I have done so far has been wrong. I really am a bit of a novice when it comes to computing. I've been reading through a few of the tutorials and I must say they've been extremely insightful! :thumbup2:
Anyway, I've followed your instructions to the letter; here is the log from the scan. Feel free to let me know if there is anything else you need. :)




GMER 1.0.15.15077 [77775b5h.exe] - http://www.gmer.net
Rootkit scan 2009-09-08 18:33:30
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 855E7C70 ZwAlertResumeThread
SSDT 8602FC70 ZwAlertThread
SSDT 85320B58 ZwAllocateVirtualMemory
SSDT 8602D248 ZwAssignProcessToJobObject
SSDT 862260B0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF2BEC020]
SSDT 855DDD30 ZwCreateMutant
SSDT 86039008 ZwCreateSymbolicLinkObject
SSDT 8566E918 ZwCreateThread
SSDT 85647340 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF2BEC2A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF2BEC800]
SSDT 85320E30 ZwDuplicateObject
SSDT 85358008 ZwFreeVirtualMemory
SSDT 855D5970 ZwImpersonateAnonymousToken
SSDT 86109548 ZwImpersonateThread
SSDT 861B8BC0 ZwLoadDriver
SSDT 85320160 ZwMapViewOfSection
SSDT 8610BB78 ZwOpenEvent
SSDT 853591E8 ZwOpenProcess
SSDT 8610AB78 ZwOpenProcessToken
SSDT 86032C70 ZwOpenSection
SSDT 85320FC0 ZwOpenThread
SSDT 863121D0 ZwProtectVirtualMemory
SSDT 86133630 ZwResumeThread
SSDT 86030450 ZwSetContextThread
SSDT 85358F80 ZwSetInformationProcess
SSDT 856612B8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF2BECA50]
SSDT 8602D6E0 ZwSuspendProcess
SSDT 8610D548 ZwSuspendThread
SSDT 8610B6E0 ZwTerminateProcess
SSDT 8564AC70 ZwTerminateThread
SSDT 855F43E0 ZwUnmapViewOfSection
SSDT 85320748 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 25E 804E4A98 8 Bytes CALL F8D3802E
? SYMEFA.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Logitech\QuickCam10\QuickCam10.exe[456] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01122E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam10\QuickCam10.exe[456] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01122C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam10\QuickCam10.exe[456] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01122C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam10\QuickCam10.exe[456] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01122C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[464] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02FC2E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[464] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02FC2C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[464] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [02FC2C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[464] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02FC2C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Messenger\msmsgs.exe[2580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00F52E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Messenger\msmsgs.exe[2580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00F52C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Messenger\msmsgs.exe[2580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F52C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Messenger\msmsgs.exe[2580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00F52C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam10\COCIManager.exe[2788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A42E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam10\COCIManager.exe[2788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A42C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam10\COCIManager.exe[2788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A42C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam10\COCIManager.exe[2788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A42C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3456] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtCreateFile] [003E2E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3456] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3456] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtClose] [003E2C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3456] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDuplicateObject] [003E2C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3476] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtCreateFile] [00A62E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3476] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDeviceIoControlFile] [00A62C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3476] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtClose] [00A62C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3476] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDuplicateObject] [00A62C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[4024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00392E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[4024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00392C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[4024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00392C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[4024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00392C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Sarah\Desktop\77775b5h.exe[6212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Sarah\Desktop\77775b5h.exe[6212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Sarah\Desktop\77775b5h.exe[6212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Sarah\Desktop\77775b5h.exe[6212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
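Every IAT line in the GMER log above attributes the hook to the same Logitech helper DLL, which is why the helper treated it as noise. As an added example (mine, not part of this thread and not GMER's own code), the Python below parses such lines, groups them by the DLL that installed the hook and flags the ones worth a closer look. The first three sample lines are copied from the log; the fourth (example.dll in a Temp folder, no description string) is constructed, and the two review heuristics are my own assumptions, not GMER rules.

```python
import re
from collections import defaultdict

# Constructed sample input: the first three lines are copied from the GMER log
# posted in this thread; the fourth is a made-up line (example.dll in a Temp
# folder, no description string) added to show what an undescribed hook looks like.
SAMPLE_GMER_LOG = r"""
IAT C:\Program Files\Messenger\msmsgs.exe[2580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F52C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam10\COCIManager.exe[2788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A42E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Sarah\Desktop\77775b5h.exe[6212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[1234] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00402E70] C:\Documents and Settings\user\Local Settings\Temp\example.dll
"""

# One GMER "IAT" line: hooked process[pid] @ module [import] [address] hooking DLL (description)
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+"
    r"\[(?P<func>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<hooker>.+?)"
    r"(?:\s+\((?P<desc>[^)]*)\))?$"
)

# Heuristic (my assumption, not a GMER rule): DLLs loaded from user-writable
# profile or temp locations deserve a closer look than those under Program Files.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\users\\")


def parse_iat_hooks(text):
    """Return one dict per IAT line; non-IAT lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        hooks.append(rec)
    return hooks


def summarize_by_hooker(hooks):
    """Group hooks by the DLL that installed them: which processes and which imports."""
    summary = defaultdict(lambda: {"desc": None, "processes": set(), "functions": set()})
    for h in hooks:
        entry = summary[h["hooker"]]
        entry["desc"] = entry["desc"] or h["desc"]
        entry["processes"].add(h["process"])
        entry["functions"].add(h["func"])
    # freeze the sets into sorted lists so the result is easy to print and compare
    return {
        dll: {
            "desc": e["desc"],
            "processes": sorted(e["processes"]),
            "functions": sorted(e["functions"]),
        }
        for dll, e in summary.items()
    }


def flag_hookers(summary):
    """Return [(dll, [reasons])] for hooking DLLs that merit manual review."""
    flagged = []
    for dll, e in summary.items():
        reasons = []
        if not e["desc"]:
            reasons.append("no file description/publisher string")
        if any(marker in dll.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("loaded from a user-writable location")
        if reasons:
            flagged.append((dll, reasons))
    return flagged


if __name__ == "__main__":
    summary = summarize_by_hooker(parse_iat_hooks(SAMPLE_GMER_LOG))
    for dll, e in summary.items():
        print(f"{dll}\n  described as: {e['desc']}\n  hooks {e['functions']} in {len(e['processes'])} process(es)")
    for dll, reasons in flag_hookers(summary):
        print(f"REVIEW {dll}: {'; '.join(reasons)}")
```

Grouping by hooker rather than by process is the point: one vendor DLL hooking the same four Nt* imports in every process is a single fact to verify (is that DLL really the vendor's file?), not twenty separate findings.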

#6 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 08 September 2009 - 01:04 PM

You're welcome and everything you have done is OK. :thumbup2:

See if you can get MBAM to do a Quick Scan.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#7 SuddenlySarah (Topic Starter, Members, 15 posts)

Posted 10 September 2009 - 03:52 AM

Sorry for the delay, here is the MBAM log as requested. :thumbup2: I'm very pleased to say that it hasn't picked up anything. Though I'm not sure if this could mean that it's a system problem as opposed to a virus.

Malwarebytes' Anti-Malware 1.40
Database version: 2770
Windows 5.1.2600 Service Pack 3

10/09/2009 09:47:50
mbam-log-2009-09-10 (09-47-50).txt

Scan type: Quick Scan
Objects scanned: 102742
Time elapsed: 7 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 10 September 2009 - 08:52 AM

You may indeed be dealing with another problem here other than infections. :thumbup2: I would like to try and run a Kaspersky scan, but from what you have told me it probably won't run to completion. Let's give it a try though; what we will do is disable your AV while it is running, but of course you don't want to be doing any Web surfing with your protection off. If it won't run, don't try to force it, just let me know.


Instructions for disabling Norton Internet Security can be found here.


Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the [button image] button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the [button image] button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the [button image] button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [button image] button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

#9 SuddenlySarah (Topic Starter, Members, 15 posts)

Posted 11 September 2009 - 06:09 AM

I've run the Kaspersky scan which went through with no problems, it didn't pick up a single thing. This morning I followed one of the Bleepingcomputer online tutorials and cleaned out the unit itself. I managed to get rid of some serious dust bunnies. I'm starting to hope that it was nothing more than the dust clogging the fans and causing the system to overheat. Here is the Kaspersky scan file.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, September 11, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 11, 2009 11:11:05
Records in database: 2776967
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 45632
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:07:25

No threats found. Scanned area is clean.

Selected area has been scanned.


I will monitor the computer usage today and inform you if the situation resolves itself. :thumbup2: Thanks so much for your help :)

#10 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 11 September 2009 - 08:38 AM

That sounds good, :thumbup2: let me know and I'll have some last things for you before we close up.

#11 SuddenlySarah (Topic Starter, Members, 15 posts)

Posted 12 September 2009 - 02:10 PM

I've been using the computer on and off over the course of the past day and I'm over the moon! There hasn't been one single shut down! :thumbup2: I'm not sure where to go from here though, could there be anything else worth checking?

#12 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 13 September 2009 - 09:25 AM

That sounds real good and from what I am seeing it appears your system is clean. :thumbup2: I have some last suggestions for you and there is one program you need to update. Other than that I believe you are good to go.

You can delete GMER from your Desktop now.


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.




Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities; to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next click OK, then the Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file.
  • Install a-squared Free & update and scan with it regularly
    a-squared Free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here.
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real time protection against premium rate dialers.
  • Finally, this is very important. It is absolutely essential to keep all of your security programs up to date.



If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. :)


thewall
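Of the prevention steps listed in the post above, the hosts file is the one a reader can inspect offline, so here is an added example (mine, not from this thread, HostMan or the MVPs project) that audits a hosts file the way a helper would read it: it counts blackhole entries (0.0.0.0, the form the MVPs file uses) and loopback entries (localhost lines, or older-style 127.0.0.1 blocking), reports malformed lines, and flags any hostname mapped to a routable address, which is what a hosts file tampered with to stop update or AV sites from resolving looks like. The sample file, its reserved .test hostnames and the 203.0.113.10 documentation-range address are constructed.

```python
import ipaddress

# Constructed sample in the style of the MVPs hosts file (0.0.0.0 entries block
# the listed names). The last line is a made-up tampered entry that points a
# vendor-update hostname at a routable address; the names use reserved .test
# domains and the address comes from the TEST-NET-3 documentation range.
SAMPLE_HOSTS = """\
# hosts file sample (constructed)
127.0.0.1 localhost
::1       localhost
0.0.0.0 ad.tracker.example.test
0.0.0.0 malware-dropper.example.test    # trailing comment
0.0.0.0 badtoolbar.example.test secondary.example.test
this is not a valid hosts line
203.0.113.10 update.av-vendor.example.test
"""


def parse_hosts(text):
    """Yield (line_no, ip, [names]) per non-comment line; malformed lines come back with ip=None."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            yield no, None, parts
            continue
        yield no, ip, parts[1:]


def audit_hosts(text):
    """Classify every entry; 'redirects' is the list a reviewer has to explain."""
    result = {"blackhole": 0, "loopback": 0, "redirects": [], "malformed": []}
    for no, ip, names in parse_hosts(text):
        if ip is None:
            result["malformed"].append((no, " ".join(names)))
        elif ip.is_unspecified:        # 0.0.0.0 or :: -> block-list entry, traffic goes nowhere
            result["blackhole"] += len(names)
        elif ip.is_loopback:           # 127.x or ::1 -> localhost lines or older-style blocking
            result["loopback"] += len(names)
        else:
            # A name sent to a real address silently overrides DNS for that name;
            # legitimate block lists never do this, so each one needs an owner.
            for name in names:
                result["redirects"].append((no, str(ip), name))
    return result


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"blackhole entries: {report['blackhole']}, loopback entries: {report['loopback']}")
    for no, ip, name in report["redirects"]:
        print(f"line {no}: {name} -> {ip}  (REVIEW: routable address in hosts file)")
    for no, text in report["malformed"]:
        print(f"line {no}: could not parse: {text!r}")
```

Run against the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP) by reading it into `audit_hosts`; an MVPs-style file should produce thousands of blackhole entries and an empty `redirects` list.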

#13 SuddenlySarah (Topic Starter, Members, 15 posts)

Posted 14 September 2009 - 05:32 AM

I've followed your instructions and downloaded the programs that you'd recommended. This morning I used a-squared free and ran a full system scan only to find traces of a win32 virus. :thumbup2: Here is the log from the scan,




a-squared Free - Version 4.5
Last update: 14/09/2009 09:33:08

Scan settings:

Scan type: Deep Scan
Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 14/09/2009 09:35:20

c:\program files\amazon detected: Trace.Directory.Berm.Amazon Toolbar!A2
C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt detected: Trace.TrackingCookie.atdmt!A2
C:\Documents and Settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe detected: Backdoor.Win32.IRCBot!IK
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\CZO9EV2X\fport[1]\Fport-2.0\Fport.exe detected: Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002710.exe detected: Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002711.exe detected: Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002712.exe detected: Riskware.Hacktool.FPort!IK

Scanned

Files: 113428
Traces: 779101
Cookies: 51
Processes: 44

Found

Files: 5
Traces: 1
Cookies: 1
Processes: 0
Registry keys: 0

Scan end: 14/09/2009 10:29:09
Scan time: 0:53:49

C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\CZO9EV2X\fport[1]\Fport-2.0\Fport.exe Quarantined Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002710.exe Quarantined Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002711.exe Quarantined Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002712.exe Quarantined Riskware.Hacktool.FPort!IK
C:\Documents and Settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe Quarantined Backdoor.Win32.IRCBot!IK
C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt Quarantined Trace.TrackingCookie.atdmt!A2
c:\program files\amazon Quarantined Trace.Directory.Berm.Amazon Toolbar!A2

Quarantined

Files: 5
Traces: 1
Cookies: 1


The only other program I have recently downloaded was a tool from amazon.co.uk to enable faster licensed mp3 purchased music. Is it just traces from a previous virus or do I need to take steps to remove the trojan from the computer?

Edited by SuddenlySarah, 14 September 2009 - 05:32 AM.
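The a-squared log above mixes three very different kinds of finding (a tracking cookie, a toolbar directory trace, dual-use Fport copies sitting in browser cache and System Restore snapshots, and one backdoor detection on an installer custom-action file) and then lists what was quarantined. As an added example (mine, not from this thread or from Emsi's software), the Python below parses those two sections, classifies each detection by family and by where it lived, and reconciles detected against quarantined so that anything left unresolved stands out. The sample lines are copied from the log; the family and location categories are my own.

```python
import re
from collections import Counter

# Constructed sample input: the detection and quarantine lines copied from the
# a-squared Free log posted in this thread (the summary counts are omitted).
SAMPLE_A2_LOG = r"""
c:\program files\amazon detected: Trace.Directory.Berm.Amazon Toolbar!A2
C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt detected: Trace.TrackingCookie.atdmt!A2
C:\Documents and Settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe detected: Backdoor.Win32.IRCBot!IK
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\CZO9EV2X\fport[1]\Fport-2.0\Fport.exe detected: Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002710.exe detected: Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002711.exe detected: Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002712.exe detected: Riskware.Hacktool.FPort!IK

C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\CZO9EV2X\fport[1]\Fport-2.0\Fport.exe Quarantined Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002710.exe Quarantined Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002711.exe Quarantined Riskware.Hacktool.FPort!IK
C:\System Volume Information\_restore{29CBB3A0-3FC1-403B-903A-457B22235FFC}\RP11\A0002712.exe Quarantined Riskware.Hacktool.FPort!IK
C:\Documents and Settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe Quarantined Backdoor.Win32.IRCBot!IK
C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt Quarantined Trace.TrackingCookie.atdmt!A2
c:\program files\amazon Quarantined Trace.Directory.Berm.Amazon Toolbar!A2
"""

# "<path> detected: <name>" or "<path> Quarantined <name>". Detection names can
# contain spaces ("...Amazon Toolbar!A2"), so the path is matched non-greedily
# up to the first keyword rather than by splitting on whitespace.
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<action>detected:|Quarantined) (?P<name>.+)$")


def parse_a2_log(text):
    """Return ({path: name} detected, {path: name} quarantined), paths lower-cased."""
    detected, quarantined = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = m.group("path").lower()   # NTFS paths are case-insensitive
        target = detected if m.group("action") == "detected:" else quarantined
        target[key] = m.group("name")
    return detected, quarantined


def family(name):
    """Leading component of the detection name: Trace, Riskware, Backdoor, ..."""
    return name.split(".", 1)[0]


def location(path):
    """Where the object lived, which says a lot about whether it could have run."""
    p = path.lower()
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore point (inactive copy)"
    if "\\temporary internet files\\" in p:
        return "browser cache (downloaded, not installed)"
    if "\\cookies\\" in p:
        return "cookie"
    return "live path"


def triage(text):
    detected, quarantined = parse_a2_log(text)
    return {
        "detected": sorted(detected),
        "quarantined": sorted(quarantined),
        # anything detected but never quarantined still needs action
        "unresolved": sorted(set(detected) - set(quarantined)),
        "by_family": Counter(family(n) for n in detected.values()),
        "by_location": Counter(location(p) for p in detected),
        # executables outside caches and snapshots: the only items that could have run
        "live_executables": [
            p for p, n in detected.items()
            if location(p) == "live path" and family(n) != "Trace"
        ],
    }


if __name__ == "__main__":
    rep = triage(SAMPLE_A2_LOG)
    print("families:", dict(rep["by_family"]))
    print("locations:", dict(rep["by_location"]))
    print("unresolved:", rep["unresolved"] or "none, everything detected was quarantined")
    print("live executables to verify:", rep["live_executables"])
```

The useful output is the last two lines: an empty unresolved list answers "do I need to take steps?", and the short live-executable list tells the helper which file actually merits a second opinion.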


#14 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 14 September 2009 - 08:47 AM

Those are now in quarantine so they don't present a problem. That's what's good about running various programs; some will pick up things the others miss. Why don't you try updating MalwareBytes and do a Full Scan and let's see if it finds anything else.

#15 SuddenlySarah (Topic Starter, Members, 15 posts)

Posted 14 September 2009 - 11:35 AM

I've run a scan with Malwarebytes which hasn't picked up anything. I'm not sure where to go from here, whether to delete the files that are currently in quarantine or leave them as they are. Here is the log just in case you wanted a look. :thumbup2:

Malwarebytes' Anti-Malware 1.41
Database version: 2795
Windows 5.1.2600 Service Pack 3

14/09/2009 17:27:55
mbam-log-2009-09-14 (17-27-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144936
Time elapsed: 35 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by SuddenlySarah, 14 September 2009 - 11:35 AM.
