Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

NT authority forces my system to reboot with 60 seconds countdown timer--Virus infected--please help


  • This topic is locked This topic is locked
3 replies to this topic

#1 sristar

sristar

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 06 February 2010 - 08:40 AM

I have seen in this forum that
http://www.bleepingcomputer.com/forums/t/235096/servicesexe-terminated-unexpectedly-status-code-1073741819/
that someone had faced the same issue.. Am facing the same issue as mentioned in that forum. Am getting the NT/Authority system shutdown timer for 60 secs when booted normally.

Can someone please direct me how to fix this up?

Thanks
Sriram

Edited by Orange Blossom, 06 February 2010 - 10:40 PM.
Move to AII. ~ OB


BC AdBot (Login to Remove)

 


#2 sristar

sristar
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 07 February 2010 - 01:16 AM

Hi,

Can someone please help me how to fix it? The infection seems to be present in windows/system32/svchost.

Thanks
Sriram

#3 sristar

sristar
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 09 February 2010 - 11:22 AM

I followed the instructions as per http://www.bleepingcomputer.com/combofix/how-to-use-combofix and then installed the combofix.

It seems to have fixed out the problem. I also have the Combofix log as shown below. Can someone please analyse the log and let me know if any infections still remain??

ComboFix 10-02-05.04 - Sri 02/09/2010 21:42:05.2.2 - x86
Running from: c:\anitvirus\ComboFix.exe
Command switches used :: c:\anitvirus\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-09 to 2010-02-09 )))))))))))))))))))))))))))))))
.

2010-02-09 15:42 . 2004-08-04 02:56 203264 ----a-w- c:\windows\regedit.exe
2010-02-09 15:41 . 2004-08-04 02:56 203264 ----a-w- c:\windows\system32\dllcache\regedit.exe
2010-02-09 04:03 . 2010-02-09 16:07 -------- d-----w- C:\anitvirus
2010-02-05 16:28 . 2010-02-05 16:25 6489376 ----a-w- C:\spybotsd_includes.exe
2010-02-05 15:59 . 2010-02-05 08:42 16472936 ----a-w- C:\spybotsd162.exe
2010-02-05 15:59 . 2010-02-04 16:30 9034488 ----a-w- C:\mssefullinstall-x86fre-en-us-xp.exe
2010-02-04 15:55 . 2010-02-04 15:55 106496 ----a-w- c:\windows\system32\abisytaa.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-09 15:40 . 2008-10-22 07:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-09 15:40 . 2008-10-22 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-16 13:26 . 2008-03-24 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2009-12-16 13:26 . 2009-12-16 13:26 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-12-16 13:25 . 2009-12-16 13:25 -------- d-----w- c:\program files\Airtel
2008-08-28 21:27 . 2008-08-28 21:27 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-03-24 18:25 . 2008-03-24 18:25 76 --sh--r- c:\windows\CT4CET.bin
2008-05-17 17:01 . 2008-05-17 17:01 8 --sh--r- c:\windows\system32\2D6180B79A.sys
2008-05-17 17:01 . 2008-05-17 17:01 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-09_15.51.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 19:01 . 2004-08-04 11:00 289280 c:\windows\system32\fxscover.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abisytaa]
2010-02-04 15:55 106496 ----a-w- c:\windows\system32\abisytaa.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sri^Start Menu^Programs^Startup^WordWeb.lnk]
path=c:\documents and settings\Sri\Start Menu\Programs\Startup\WordWeb.lnk
backup=c:\windows\pss\WordWeb.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 08:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 00:27 217088 ----a-w- c:\program files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-11-16 13:34 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2008-11-01 06:38 118784 ----a-w- c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-09-07 22:49 1286144 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellAutomatedPCTuneUp]
2007-10-11 14:49 465136 ----a-w- c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLD.EXE]
2007-09-16 18:46 1404928 ----a-w- c:\program files\Download Direct\DLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-24 13:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-08-28 21:27 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-05 18:13 133104 ----atw- c:\documents and settings\Sri\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3792896 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-09-24 03:09 166424 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-09-24 03:09 141848 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 07:36 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KADxMain]
2006-11-02 19:05 282624 ----a-w- c:\windows\system32\KADxMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 10:10 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-08-28 20:54 36864 ----a-w- c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 21:10 237568 ----a-w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-09-24 03:09 137752 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 10:48 442368 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 18:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-03-24 18:29 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-17 17:16 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-05-15 10:41 3644464 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-03-07 01:08 3558136 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 21:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager-061008-081103"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"wltrysvc"=2 (0x2)
"SupportSoft RemoteAssist"=3 (0x3)
"STacSV"=2 (0x2)
"sprtsvc_nxpclient"=2 (0x2)
"hnmsvc"=2 (0x2)
"dsNcService"=2 (0x2)
"DellAMBrokerService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"8682:TCP"= 8682:TCP:BitComet 8682 TCP
"8682:UDP"= 8682:UDP:BitComet 8682 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ninpw;ninpw; [x]
R1 soqwx32;soqwx32;c:\windows\system32\drivers\soqwx32.sys [x]
R4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-28 29744]
R4 sprtsvc_nxpclient;SupportSoft Sprocket Service (nxpclient);c:\program files\Airtel\NetXpert\bin\sprtsvc.exe [2007-11-26 202800]

.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 07:04]

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1928556752-4268289573-883014206-1006Core.job
- c:\documents and settings\Sri\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 18:13]

2010-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1928556752-4268289573-883014206-1006UA.job
- c:\documents and settings\Sri\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 18:13]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080324
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {D42E3370-7841-4BB9-9B16-F2ED7919EE36} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Sri\Application Data\Mozilla\Firefox\Profiles\9gfr35vi.default\
FF - plugin: c:\documents and settings\Sri\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
txtfile=%windir%\NOTEPAD.EXE %1
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\abisytaa.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-02-09 21:46:15
ComboFix-quarantined-files.txt 2010-02-09 16:16
ComboFix2.txt 2010-02-09 15:56

Pre-Run: 14,249,177,088 bytes free
Post-Run: 14,225,342,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F2E8ABB9F04F4B59452927214221D576

#4 Pandy

Pandy

    Bleepin'


  • Members
  • 9,559 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:31 PM

Posted 24 May 2010 - 08:24 AM

Since this topic has gone stale and seems to have been resolved I shall close it now. If there is need to reopen this topic please send me or any other moderator a personal message and it shall be reopened for you.

Do not anticipate trouble, or worry about what may never happen. Keep in the sunlight.

Hide not your talents. They for use were made. What's a sundial in the shade?

~ Benjamin Franklin

I am a Bleeping Computer fan! Are you?

Facebook

Follow us on Twitter





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users