Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer Crashes During Virus Scan


  • Please log in to reply
2 replies to this topic

#1 --AuRyn--

--AuRyn--

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 04 December 2005 - 04:22 PM

Hello all...this is my first post to this forum, so if I seem like a n00b, it's because I am.

My computer had/s a virus. I ran a scan using McAfee 8.0i Corporate Edition, and was able to delete one: Exploit-MhtRedir.gen

However, the scan did not complete. At a certain point in the scan, the computer shuts off. This would lead me to believe I have ANOTHER virus, or that the virus that was supposedly deleted, wasn't.

I have run HijackThis! just to make sure I am covering all the bases.

Below is a copy of the log file:

-----------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:27:19 PM, on 12/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\smc.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Java\bin\jusched.exe
D:\Program Files\Virus Scan\SHSTAT.EXE
D:\Program Files\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
D:\Program Files\Virus Scan\Mcshield.exe
D:\Program Files\Virus Scan\VsTskMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\r5uhaq3.exe
C:\WINDOWS\System32\r5uhaq3.exe
D:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\3p7.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Virus Scan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\RunOnce: [0tp06.exe] C:\WINDOWS\System32\0tp06.exe /k
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [0tp06.exe] C:\WINDOWS\System32\0tp06.exe /k
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office XP\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe Acrobat\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22c1aee17abb55...ip/RdxIE601.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supporttrial.webex.com/client/v_myw...ort/ieatgpc.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Virus Scan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Virus Scan\VsTskMgr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\smc.exe

--------------------------------------------------------------------------------------------------------------

I have no clue which of these entries is safe for removal. Some are obviously supposed to be there, but the less identifiable entries are difficult to assess.

Any help you can provide would be greatly appreciated.

Thanks in advance for your time and assistance
.


BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 December 2005 - 07:44 AM

Hi --AuRyn-- and Welcome to the Bleeping Computer!

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet


Download Pocket KillBox from here:
http://www.atribune.org/downloads/KillBox.exe

Highlight the list below and press Ctrl+C to Copy

C:\WINDOWS\System32\r5uhaq3.exe
C:\WINDOWS\System32\0tp06.exe


Open Pocket Killbox-> Click File-> Click Paste from Clipboard

Place a tick by Delete on Reboot->Select Options-> Place a check by Process all in List

Click the Red Circle to Delete

Click Yes to the Prompts that follow and let Killbox Reboot the PC


Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

O4 - HKLM\..\RunOnce: [0tp06.exe] C:\WINDOWS\System32\0tp06.exe /k

O4 - HKCU\..\RunOnce: [0tp06.exe] C:\WINDOWS\System32\0tp06.exe /k

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make Sure "Normal Startup-load all device drivers and services" has a green tick by it

Click Apply->Close->Follow the Prompts to Restart

Restart Normal and Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"


Post back with a fresh HijackThis log and the results of WinPFind and Blacklight.

#3 --AuRyn--

--AuRyn--
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 18 December 2005 - 12:33 AM

Thank you so much for all of that, but I had to format the computer.

I am sure your suggestions would have helped, and I appreciate the time you took to spell it all out for me.

Have a great day !
:thumbsup:


P.S. Even though I didn't use your suggestion, I PayPal'd you anyway. Cheers.

Edited by --AuRyn--, 18 December 2005 - 12:36 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users