Continuous Restarts


This topic is locked
4 replies to this topic

#1 jupiter


  • Members
  • 70 posts

Posted 23 October 2006 - 10:21 AM

Hello,
Haven't had any problems for a while, but now I have a real puzzler. I had a problem with a hardware install a little while back, so I blew out all applications and reinstalled most everything to straighten that problem out. It seemed to work ok, but now I have a problem where the system continues to shut down automatically. It is just a vicious cycle. As soon as it comes back up, I get this message that the system will shut down in 60 sec., that it is initiated by NT AUTHORITY\SYSTEM and it is due to an error in WINDOWS\SYSTEM32\services.exe, code -1073741819. So, I'm dead in the water. I can restart in Safe Mode and was able to run a scan to get the attached HJT log, but can't do anything in normal mode. Would really appreciate some help on this. Thanks, in advance.

Logfile of HijackThis v1.99.1
Scan saved at 10:21:07 AM, on 10/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - F:\Program Files\Common Files\{344D4A38-03A5-1033-0731-000317030001}\MyToolBar.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - F:\Program Files\Common Files\{344D4A38-03A5-1033-0731-000317030001}\MyToolBar.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] F:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [hpppta] F:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [QuickFinder Scheduler] f:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [ChkDisk] F:\WINDOWS\system32\iesniff.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: NkvMon.exe.lnk = F:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E17B757-743F-4C73-B70E-529BD00707F5}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{40083B49-4351-4C22-8C68-2DDBA2704611}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6857EE7-8DFD-4004-8F06-FB0B986BF8D3}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E17B757-743F-4C73-B70E-529BD00707F5}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E17B757-743F-4C73-B70E-529BD00707F5}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O20 - Winlogon Notify: instcat - F:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - F:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



#2 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 31 October 2006 - 01:24 PM

Hello and welcome to BC. :thumbsup:

Sorry for the delay in response. The forums are really busy. If you haven't received any help from any other forums, and still have problems, you can try the following:

You seem to have a lot of problems. Please save or print these instructions before beginning.

==================================================

It is possible that the error is caused by the Sasser Worm. First, enable the Internet Connection Firewall (http://www.microsoft.com/WindowsXP/home/us...homenet/icf.asp).

Then click Start > Run, and enter "shutdown -a" (without the quotation marks) when the countdown begins. This will abort the shutdown.

Please download the Symantec sasser removal tool from here. Save the file FxSasser.exe to your desktop.
Double click FxSasser.exe
Click Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean of sasser.

==================================================

Since you posted your HijackThis log from Safe Mode, I cannot see the realtime scanners you have on board. You'll either have to disable them or allow the changes that they will be alerting you about when you are doing the fixes.

Possible realtime scanners:

Norton Script Blocking Service
SpySweeper
Win Patrol
Spyware Guard
Pestpatrol
Regrun
Diamonds Process controller
Ewido guard or AVG Anti Spyware guard
Windows Defender
SpywareGuard
Previx1
Spyware Doctor

==================================================

2. Please download Brute Force Uninstaller.
  • Unzip it to its own folder (c:\BFU)

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
When done, press exit to terminate the BFU program.

==================================================

Please download FixWareout by LonnyRJones from one of these sites and save it to your desktop.

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

  • Run Fixwareout.
  • Click Next,
  • then Install,
  • make sure Run fixit is checked
  • and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
When you run Fixwareout, simply follow the prompts; you will need to restart when prompted.

CAUTION!: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you proceed to make the following changes or you may lose your internet connection. When you are sure you do not need a specific DNS address here, you may proceed.

Once back in Windows, close all web browsers.
  • Go into Control Panel>Network Connections.
  • Right click on your connection
  • and click Properties.
  • On the Properties page, highlight Internet Protocol(TCP/IP)
  • Click Properties. This will bring up another page.
  • Select Obtain DNS Server Automatically.
  • Click the ok button. The page will close.
  • Press ok on the page in front of you.
  • Go to Start > Run and type in cmd
  • Click OK.
  • This will open a command prompt.
  • Type or copy and paste the following line in the command window:
  • ipconfig /flushdns
  • Hit Enter
  • Exit the command window
=================================

Now, run HijackThis. Close all windows and browsers except HijackThis.
Go to Config > Misc tools
Click on Delete a File On Reboot
Click once on the file below to select it:
F:\WINDOWS\system32\iesniff.exe
Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, click on Scan and put a check in front of the following, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - F:\Program Files\Common Files\{344D4A38-03A5-1033-0731-000317030001}\MyToolBar.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - F:\Program Files\Common Files\{344D4A38-03A5-1033-0731-000317030001}\MyToolBar.dll
O4 - HKLM\..\Run: [ChkDisk] F:\WINDOWS\system32\iesniff.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E17B757-743F-4C73-B70E-529BD00707F5}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{40083B49-4351-4C22-8C68-2DDBA2704611}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6857EE7-8DFD-4004-8F06-FB0B986BF8D3}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E17B757-743F-4C73-B70E-529BD00707F5}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E17B757-743F-4C73-B70E-529BD00707F5}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O20 - Winlogon Notify: instcat - F:\WINDOWS\SYSTEM32\instcat.dll


Make sure that all browsers/windows/mail, etc. are closed, except HijackThis and click on fix checked. Exit HijackThis.

===================================================

Reboot in Normal Mode . Open this file c:\fixwareout\report.txt and post the contents of it and a new HijackThis log please.
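As an added example (not from the original thread, and not code from HijackThis, FixWareout or any other tool named above), a short Python script that does the check amateur performs by eye on the O17 lines: it parses each Tcpip registry key and its NameServer value out of a HijackThis log and flags every resolver that is not one the ISP or administrator actually configured. The sample log is constructed for the demonstration: the O17 lines are the ones from jupiter's log, and the 192.168.1.1 allowlist entry is an assumed legitimate resolver.

```python
import re
from ipaddress import ip_address

# Constructed sample for the demonstration: the O17 lines are copied from the
# HijackThis log posted in this thread; the last line (a 192.168.1.1 resolver)
# is made up to stand in for a legitimately configured DNS server.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ChkDisk] F:\WINDOWS\system32\iesniff.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E17B757-743F-4C73-B70E-529BD00707F5}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# An O17 line names a registry key under HKLM and the NameServer value it holds.
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Yield (registry_key, [server, ...]) for every O17 line in a HijackThis log.
    HijackThis prints the servers separated by either a comma or a space, as the
    log above shows, so both separators are accepted."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            yield m.group("key"), servers


def _is_expected(server, expected):
    """True only if `server` parses as an IP address that is on the allowlist."""
    try:
        return ip_address(server) in expected
    except ValueError:          # not an IP address at all: treat as suspicious
        return False


def audit_nameservers(log_text, expected_servers):
    """Return one finding per O17 entry that points at a resolver not in
    `expected_servers` (the DNS servers the ISP or admin actually configured).
    Each finding carries the registry key, which is what has to be reset to
    'Obtain DNS server address automatically' as the thread describes."""
    expected = {ip_address(e) for e in expected_servers}
    findings = []
    for key, servers in parse_o17(log_text):
        rogue = [s for s in servers if not _is_expected(s, expected)]
        if rogue:
            findings.append({"key": key, "rogue": rogue})
    return findings


if __name__ == "__main__":
    for finding in audit_nameservers(SAMPLE_LOG, ["192.168.1.1"]):
        print(f"{finding['key']}: unexpected resolver(s) {', '.join(finding['rogue'])}")
```

Because the script reports every control set (CCS, CS1, CS2) separately, a clean run after the fix also confirms that the stale copies in the backup control sets were reset and not just the current one.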

#3 jupiter

  • Topic Starter

  • Members
  • 70 posts

Posted 03 November 2006 - 09:38 PM

Thanks for the reply, Amateur. I'm sure that would have been helpful for my dilemma. Unfortunately, my situation deteriorated even further and I had no alternative but to call in a pro to clean things up. As always, I do appreciate your attention and your helpful advice. One question I do have now though is how do I prevent this from happening again. I am planning to install Macafee (sp.?) anti-virus, anti-whatever when I get my box back. What else would you recommend?

#4 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 03 November 2006 - 10:22 PM

Hi Jupiter,

I am sorry we could not help you in time. :thumbsup: The following is part of my recommendations once a computer is declared clean, system restore is flushed, and a new restore point is created. I hope it will help you stay clean and safe in future. You may already have some of them.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.
If you haven't got an antivirus, you can download and install one of the following ones which are free for personal use: Make sure that you have only ONE antivirus running on your computer as more than one would cause conflict and render the computer vulnerable.

AVG Free here
AntiVir here
Avast here

It is essential to keep the anti-virus program fully updated.
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site <http://windowsupdate.microsoft.com/> to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site <http://office.microsoft.com/officeupdate/m...g.aspx?lc=en-us> and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of Spyware, Adware, Hijackers etc., download and install the following free pestware-scanners (if you haven't installed them already):
AdAware here
Spybot here Remember to "immunize" after each update
Windows Defender here

Install realtime pestware-scanners and keep them up-to-date.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster here Remember to "enable all protection" after each update.
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet.
If there is no firewall installed on your computer, you can download and install one of the following free firewalls:
ZoneAlarm here
Kerio Personal Firewall here
Outpost here
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall!

Test your firewall here to make sure that it's working properly

Install these programs, to make surfing with Internet Explorer safer:

A popup-blocker, e.g. Google Toolbar here: A popup-blocker prevents popup windows from opening when you come across a website that uses them while surfing the internet.

IE-SPYAD here: This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer.

SiteHound by Firetrust here:

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer.
SiteHound will alert you when you enter a site which is known to contain:
Fraudulent claims or scams
Offensive material
Security vulnerabilities
Spyware or Adware
Spam related material
or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

  • Adult
  • Spyware
  • Spam Advertising
  • Phishing
  • Possible scam or fraud
  • Misleading or False Advertising
  • Pharming
  • Rogue or Suspect Product
  • Adware
  • Malware or Virus

Install and use an alternative browser to surf on the internet.

Because Internet Explorer is the most-used browser on the planet, most of the hijackers, adware and spyware are made to abuse your computer through Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You can not uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, there are some sites that are only accessible with Internet Explorer, e.g. most of the online malware scanners.

But above all, keep all your software UP-TO-DATE at all time!!

Also, I would recommend reading the excellent advice by Tony Klein: So how did I get infected in the first place

Safe surfing :flowers:

Edited by amateur, 03 November 2006 - 10:23 PM.


#5 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 16 November 2006 - 02:58 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.



