Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Need help computer exhibiting wierd behaviour

  • Please log in to reply
3 replies to this topic

#1 anything


  • Members
  • 3 posts
  • Local time:02:23 PM

Posted 30 July 2005 - 04:26 AM

My computer randomly reboots and shuts down. Not only that but my internet conection randomly gets clipped. Im not sure if this has something to do with spyware or malware but I'm worried about it and trying to get help.

Logfile of HijackThis v1.99.1
Scan saved at 5:11:41 AM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ICQLite\ICQLite.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
F:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\mike\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ICQ Lite] F:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Steam] F:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] F:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8...pdatePortal.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A55E25F-75A3-4214-8FA2-D20386F9492B}: NameServer =
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe

BC AdBot (Login to Remove)


#2 OldTimer


    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:03:23 PM

Posted 30 July 2005 - 06:26 PM

Hello anything and welcome to the BC malware forum. I only see 1 minor 'file missing' entry in the log so let's take care of that first.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Now, let's run a different scan to see if there is anything not showing in the log.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here so I can review it.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.

Posted Image

#3 anything

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:23 PM

Posted 31 July 2005 - 12:42 AM

So sorry for the prolonged waiting period. But i have finished with the safe mode WinPFind thing. would you like me to post the HJT new log with this? One more thing *more of a complement* Makeing your own software and cureing *canerous computers your like a hero

Below log posted as requested

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/23/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
6/24/2005 5:01:52 PM 0 C:\WINDOWS\inf\oem7.inf
7/30/2005 7:29:08 PM 11270 C:\WINDOWS\system32\KGyGaAvL.sys
7/31/2005 1:26:52 AM 8192 C:\WINDOWS\system32\config\default.LOG
7/31/2005 1:27:12 AM 1024 C:\WINDOWS\system32\config\SAM.LOG
7/31/2005 1:27:00 AM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
7/31/2005 1:27:14 AM 69632 C:\WINDOWS\system32\config\software.LOG
7/31/2005 1:27:04 AM 864256 C:\WINDOWS\system32\config\system.LOG
7/13/2005 10:41:46 PM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
7/31/2005 1:25:44 AM 6 C:\WINDOWS\Tasks\SA.DAT
7/6/2005 1:29:22 AM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
7/19/2005 2:21:28 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
7/19/2005 2:22:06 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4L4H03OZ\desktop.ini
7/19/2005 2:22:06 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WTIFS5UF\desktop.ini

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/26/2005 9:53:10 PM 1918 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
5/26/2005 7:48:00 PM 1851 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
6/18/2005 1:08:34 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

Checking Selected Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
SV1 =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

{73B24247-042E-4EF5-ADC2-42F62E6FD654} = F:\Program Files\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll

= %SystemRoot%\system32\SHELL32.dll
= %SystemRoot%\system32\SHELL32.dll
= %SystemRoot%\system32\SHELL32.dll
= %SystemRoot%\system32\SHELL32.dll

Control Center C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

ATICCC "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
ICQ Lite F:\Program Files\ICQLite\ICQLite.exe -minimize
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
WinampAgent F:\Program Files\Winamp\winampa.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
ASUS Probe C:\Program Files\ASUS\Probe\AsusProb.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime




Steam F:\Program Files\Valve\Steam\\Steam.exe -silent
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

ICQ Lite F:\Program Files\ICQLite\ICQLite.exe -trayboot

dontdisplaylastusername 0
shutdownwithoutlogon 1
undockwithoutlogon 1

NoDriveTypeAutoRun 145

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB
= C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs wbsys.dll

Scan Complete
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.

#4 OldTimer


    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:03:23 PM

Posted 31 July 2005 - 01:38 AM

Hi anything. Well, the scans don't show anything related to an infection or malware. they are both clean (if you fixed the entry in the prior post).

Random shutdown/reboots are typically caused by either a heat problem (the CPU over-heating being the most common) or a hardware issue (a bad RAM chip being the most common). If your computer has a monitoring utility where it monitors the CPU temp I would run that and see where the temp is at and if it climbs out of range during normal operation (consult your manually for the temp operating ranges). As for the RAM, most computer shops have RAM testers and will check your RAM for free. Or you could get DocMem (a free utility) and test it yourself from here: http://downloads-zdnet.com.com/3001-2094-1534814.html.

Let me know if you have any other questions.


I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.

Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users