19 replies to this topic

[eased]

I've had some problems lately.. when i do Ad-Aware scans, AVG Anti-Virus, or Norton Anti Virus scans, when it gets to a certain file my computer just turns off. The only scan that works is spyboy s&d

Also, I have FPS problems in games that my computer can EASILY run.. any help is appreciated

Logfile of HijackThis v1.99.1
Scan saved at 7:29:57 PM, on 3/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Steam\steam.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\PROGRA~1\MOZILLA FIREFOX\FIREFOX.EXE
C:\Documents and Settings\Robbie\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {30286A5C-F9B6-8665-C1A9-828AD9D1ABC2} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Burn4Free Toolbar Helper - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - C:\Program Files\Burn4Free Toolbar\v2.0.0.5\Burn4Free_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Burn4Free Toolbar - {70DE7956-479D-4eb7-8641-2B45774C350E} - C:\Program Files\Burn4Free Toolbar\v2.0.0.5\Burn4Free_Toolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Does it look clean?

[AndyManchesta]

Hi Eased, Welcome To The Forum

There's afew signs of infections in the log so we are best running some scanners to see whats revealed then we can take it from there.

First of all, you may want to print out this post or copy and paste it into Notepad (Start Menu > Run > type notepad and press ok) then save it to your desktop so that you have a hard copy of these instructions as some of the steps below will require you to be in Safe mode which means you will not be able to access the Internet.

• Please download SmitRem and save the file to your desktop.
  Double click on the file to extract it to it's own folder on the desktop.
  DO NOT RUN IT YET.
  
  
  
• Please download, install, and update Ewido Anti-Malware. When installing, under Additional Options uncheck Install background guard and Install scan via context menu. Run Ewdio and click on Update in the left menu, then click the Start update button.
  After the update finishes (the status bar at the bottom will display Update successful)
  Close ewido. DO NOT RUN IT YET.
  
  
  
• Download Ccleaner if you do not already have it installed from Here. Install then close.

Boot into Safe Mode:

Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

• Open the smitRem folder, then double click the RunThis.bat file to start the tool.
  Follow the prompts on screen.
  Your desktop and icons will disappear and then reappear again --- this is normal.
  Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post the contents of that text file back into your next reply.
  
  
  
• Next Run Ewido Anti-Malware:
  Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run. When ewido finds something, it will pop up a notification. Select Remove and check the boxes Perform action with all infections and Create encrypted backup then click on ok.When the scan finishes, click on Save Report and save it to your desktop or c:/drive and post it back in your next reply.

Run Hijack This and choose Do A System Scan then place a check next to these entries

R3 - URLSearchHook: (no name) - {30286A5C-F9B6-8665-C1A9-828AD9D1ABC2} - (no file)

O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http: //yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)

Close all open browser and other windows except for Hijack This and press the Fix Checked button

Optional Fixes

Partypoker is (one of) the biggest organisation(s) to play online poker. In order to minimise the risk of poker robots Partypoker uses software to search the hard drive of players. With a view to the security of your system you should consider removing Partypoker, but of course it is up to you to decide if you value the service they provide. If you agree fix the following two entries.

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe

If you decide to remove PartyPoker also remove it from Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs)

• Next run Ccleaner and press the Run Cleaner button

Reboot the PC back to Normal mode

After reboot you will need to add your Wallpaper back as SmitRem resets it due to some malware infections placing a spyware warning that is difficult to remove. To change your wallpaper right click desktop and choose properties, Set the Theme to XP then goto the Desktop tab and choose your wallpaper from there.

Can you then run Hijack This again and from the main menu choose Open the Misc tools section then click Open Uninstall Manager .The Add/Remove Programs Manager panel should appear. In this panel click the Save list button. Save the uninstall_list.txt file to the desktop then copy and paste the text that appears in the generated unistall_list.txt file into your next reply.

Please post the Uninstall list , The Smitfiles.txt, The Ewido scan log and a new Hijack This log back into this reply to show if there is more work needed.

Thanks

Andy

[eased]

I had some troubles getting into safemode.. I used to be able to do it, now I tried EVERY key on my keyboard, and all i could get was my bios or nothing would happen..

The disk cleanup feature has also been known to turn off my computer when it gets to cleaning up a certain file, and I ran the smitrem anyways.



smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 03/22/2006
The current time is: 13:05:36.90

Running from
C:\Documents and Settings\Robbie\Desktop\smitrem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb
hp***.tmp


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 140 'explorer.exe'
Killing PID 140 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

ld****.tmp
ncompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN!






I am about to run the ewido now, I'll get back to you with that

[AndyManchesta]

Hi Eased

Sounds like there maybe some Registry corruption if you cannot boot into Safe Mode, That step is going to be needed to run the scanners, You can see in the Smitrem log that it failed to remove some of the files so Id like you try entering Safe Mode again, The key to get into the Windows Advanced Menu is F8 but sometimes it can be a problem if its pressed too soon or too late. I usually just reboot and start slowly tapping the F8 key and keep doing that untill It brings up the Advanced option screen. If it displays a keyboard error then its pressed too soon so you need to reboot and try again, If it doesnt do anything and just loads Windows in Normal mode without giving you the option continue with the steps below.

We can use Msconfig to get you into safe mode but Im trying to be cautious at this stage as the last thing we want is you to get stuck in safe mode or get in a position where the system will not boot. If the F8 key isnt working on your system then there maybe some registry problems so I think Diagnostic Startup would be a safer option than trying to force it to boot into safe mode using Msconfig.

Get all the downloads from my last post (Smitrem, Ewido and Ccleaner)

Goto Start Menu > Run > tpye

MSCONFIG

Press OK and on the General tab that opens place a check next to Diagnostic Startup - load basic devices and services only

Press Apply then OK/Close and you will be prompted to reboot the system.

After reboot run the Smitrem fixtool again and then Ewido, Hijack This fixes and Ccleaner, after that is done go back to Msconfig as explained above and then on the General tab place a check next to Normal Startup - load all device drivers and services then press Apply and OK/Close again and let it reboot the pc.

I think its very likely you have Trojan files running or stored in a Temp directory which are causing the scanners to crash when they detect the file so hopefully they will go without a fight if you can get into safe mode, if not the Ewido results should show what the infection is and where its saved (If it can complete the scan),

Let me know if you have any problems

Andy

[eased]

Alright, I will try going into safemode after I post this..

I just did ewido scan, and once again it shut off when it got into the windows folder, but I didnt see which file.. It did, however, delete about 55 things..

I did a hijackthis scan and deleted the things you told me to, here the latest log..

Logfile of HijackThis v1.99.1
Scan saved at 2:06:08 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Robbie\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Burn4Free Toolbar Helper - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - C:\Program Files\Burn4Free Toolbar\v2.0.0.5\Burn4Free_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Burn4Free Toolbar - {70DE7956-479D-4eb7-8641-2B45774C350E} - C:\Program Files\Burn4Free Toolbar\v2.0.0.5\Burn4Free_Toolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



I will go into safe mode and try the scans again, but I have tried doing virus scans in safe mode before and it still turns off half way through. Wish me luck, I have a match in the game I play tonight and it runs really bad lately

[AndyManchesta]

There's obviously some serious issues on your pc, either malware related or some registry/file corruption so it may take a few steps to get you cleaned up, If I can get a list of all the junk on your sysetm , its then easy to use a different program and take them all out at the same time but I need to know what they are called and where they are saved to be able to proceed with that option.

You may have to run the Windows disk abit later on the SFC /SCANNOW feature to check the Windows system files for damage but I can explain that abit later if we get things cleaned up.

I appreciate you have an important game to play later so hopefully we can get past this crashing problem by running in Diagnostic startup and then check the Windows files for any damage if you have the original Windows disk.

Chat to you later.

[eased]

Alright.. just got back from safe mode and did some scans.

The smitrem scan works fine, the log will be posted below..

However, when I did the ewido scan, once again, it restarted my computer in the windows folder. This time, i was paying close attention to the folder it was in when my scan was going, and realised it was either during the C:\WINDOWS\SdOld scan (a folder that Microsoft Support told me to make, my windows update was messed up), or the folder right after that, which would be C:\WINDOWS\security, unless it is some kind of hidden folder before that..


Smitrem log:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 03/22/2006
The current time is: 14:19:59.87

Running from
C:\Documents and Settings\Robbie\Desktop\smitrem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1144 'explorer.exe'
Killing PID 1144 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN!





HiJack this log:


Logfile of HijackThis v1.99.1
Scan saved at 3:32:09 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Documents and Settings\Robbie\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Coon] "C:\Program Files\oors\iurs.exe" -vt yax
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPcservice.exe






After coming out of safe mode, all my services were disabled so I had to re-enable them all.. so 30 processes are running at startup, lots of which shouldnt be. Which can i disable?

[AndyManchesta]

Hi Again

If you selected Diagnostic startup and then set it back to Normal startup then it should of started the services when you rebooted. You can go into Msconfig again and disable items using the Startup tab but You have a new startup entry in this log which needs removing and Smitrem is still failing to clean up the files it detects plus you still have the crashes when running scanners so your startup items are not a big issue for now as you may end up having to reinstall Windows if this continues as we cannot be sure whats hiding on your pc if no scanner will finish or produce a log.

Can you confirm you are running the programs from the Administrator account ? If not you need to access the Admin account and retry the tools.

Can you download the 2 attached files (Check.zip & Fix.zip) extract them but do not use them yet.

Run Hijack This and choose Do A System Scan then place a check next to this entry

O4 - HKCU\..\Run: [Coon] "C:\Program Files\oors\iurs.exe" -vt yax

Close all open browser and other windows except for Hijack This and press the Fix Checked button

Click the blue Quicktime Icon in your system tray then click Quicktime Preferences. Goto the Advanced tab and Uncheck the 'Install Quicktime Icon In System Tray' box then press Apply and OK and fix the below entry in Hijack This if it remains.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Open the Fix.zip folder and double click Fix.bat , you will just notice cmd screen open then close and its finished , It will just attempt to remove the files smitrem is finding except the ld****.tmp as that is a random name so thats what Check.zip is for and also remove the folder from the new entry in your log.

Open Check.zip and double click check.bat , it will open Notepad and show any files in system32 starting with ld, please post the contents of the text file back.

Regarding the scanners crashing there is not much we can do to help untill we know exactly whats causing it as the folder you mentioned is valid and the first folder you said you created yourself after getting advise from Microsoft so we cannot remove either of them unless we know they are infected.


Download Blacklight beta from HERE and save it to your desktop.

Run the program, accept statement > click next then scan

When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' and will be in the same place as the Blacklight file (desktop).


Lets try an online scanner and see if that can finish its scan.

Run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.


If that crashes you may be looking at performing a repair install of Windows as its difficult to help if there is no way of finding out what the problem is , First you can try the system file check by going to Start Menu > Run > and type

SFC /SCANNOW

there's a space after SFC then press OK, have your Windows disk with you as it will ask you to insert it once it starts checking the files, Follow the prompts and insert the Windows disk and it will replace any that are missing or corrupt.

If you still have problems have a look at the event viewer to see if it shows whats causing the crashes

Goto Start Menu > Run > and type

eventvwr

Check the Application tab and the System tab for red circles with white X's which indicate errors on the system, If you find them double click the entry in the right pane to open the details in a new window. You can then left click and cover the text and press Control and C together to copy to clipboard, If you do that you can right click into a reply here and choose Paste to post back the details of the errors. If you post them back Id also need to see the EventID which is shown when you double click a entry.

If there is alot of errors in event viewer and you are not sure if they are related to the problem then right click System and Application on the left pane and choose Clear All Events, no need to save them , Next time a program crashes or the system reboots go back to Event viewer and check if it then shows new errors.

Post back the Blacklight log, the Panda log and the results from Check.bat ,

Cheers

Andy

[eased]

Hey

The check.bat opens and closes before i can read whats going on in there..

I will try the panda scan in a bit. I currently have the windows file protection scanning with my cd in, and i'm looking at the event viewer..

Under application, almost EVERYTHING says "Warning", and there are 2 errors:

WmiAdapter (Event #4099)
PerfNet (Event #2004)

Under system, almoste EVERYTHING has errors:

DCOM (#10005) <-- this one shows up 100+ Times
Service Control Manager (#7023)
VETMONNT (#105)
NETLOGON (#3095)

They all come up multiple times, I'll get back to you when windows scanner is done.

[AndyManchesta]

Hi

The Check.zip is showing 0 downloads and the fix.zip 1 download, The fix part will not show you anything, it will just attempt to remove the files so all you will see it the cmd screen flash on then off, the check part will do the same thing but when its finished it will open Notepad but if it didnt work you can create it again on your system or use the Check.zip attachment download if you only ran the fix part

Open Notepad (Start Menu > Run > Type notepad and press OK) then copy the contents of the codebox into notepad.

cls
@echo off

cd %systemroot%\System32

dir ld*.*>file.txt
notepad file.txt

Goto File on the top bar of notepad and choose Save As, On the Save As Type change it to All Files, name it check.bat and save it to your desktop

Double click check.bat, you will just notice cmd screen open then close then Notepad should open.

I will check into some of the Event ID's and see if I can find out what they relate to

Andy

[eased]

Check.bat:

Volume in drive C has no label.
Volume Serial Number is 8CEA-C340

Directory of C:\WINDOWS\system32

03/22/2006 03:28 PM 29,197 ld6CC.tmp
1 File(s) 29,197 bytes
0 Dir(s) 23,746,580,480 bytes free




I just came back from dinner, and when i came back the windows file checker was gone, does that mean there was nothing wrong?

I'm about to do the panda scan

Thanks for all the help so far man

[AndyManchesta]

Yes I suppose so , if its gone without asking you for a disk then all we can assume is that it didnt find problems , It will take me afew minutes to check those Events but give Panda a try and also run Blacklight as Id like to make sure there is not any Rootkit infections on your system .

No Problem about the help Ive not really done anything useful yet


Delete this file from your system if you can, let me know if you cannot and we can use another tool abit later once we get some results back from Blacklight or Panda (If they Run).

C:\WINDOWS\system32\ld6CC.tmp

[eased]

Nope, cant delete it.. its in use

Panda is about half way through.. 34 spyware, 0 viruses so far

[AndyManchesta]

Ok we can deal with that abit later, usually I would just say go into safe mode but as thats a problem we can use a different method. Hopefully Panda will complete and the spyware its finding are not just cookies as we can remove all them at the same time , Post back the log and the Blacklight log when they are finished.

[eased]

Blacklight done, nothing found.

[AndyManchesta]

Thats good news

[eased]

Yeah, most of my spyware scanners just find cookies.. are they even really that dangerous to have on your computer?

Backlight log:

03/22/06 18:33:06 [Info]: BlackLight Engine 1.0.33 initialized
03/22/06 18:33:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/22/06 18:33:08 [Note]: 7019 4
03/22/06 18:33:08 [Note]: 7005 0
03/22/06 18:33:17 [Note]: 7006 0
03/22/06 18:33:17 [Note]: 7011 1648
03/22/06 18:33:19 [Note]: FSRAW library version 1.7.1015
03/22/06 18:36:25 [Note]: 7007 0

[AndyManchesta]

Sorry for the delay I just had a couple of things to sort out, Regarding the cookies , they are not a threat as they do not contain any code. The problem is when you visit one site and another sites adds the cookie , this is what the spyware scanners detect. For example if you visit hotmail you will get cookies added by Doubleclick/Fastclick as they have banner ads on there. Now if you goto another site with a Doubleclick ad they can update the cookie so in a sense they can track your web surfing habits . They do not collect any personal information but the fact they add the cookies without you visiting Doubleclick becomes a privacy concern. I do not worry about them and have mine set to accept all cookies then just use Ccleaner before closing the pc each day to remove them and any temp files.

Can you check your services and make sure these are not disabled, im listing the settings my system has for each service as this system has never had malware issues and I dont change the services manually.

Goto Start Menu > Run > Type

services.msc

Press OK then check these :


DCOM Server Process Launcher - Set to Auto

Net Logon - Set to Manual

NT LM Security Support Provider - Set to Manual

Protected Storage - Set to Auto

Remote Procedure Call (RPC) - Set to Auto

Server - Set to Auto

WMI Performance Adapter- Set to Manual

If yours are different or disabled then double click the entry or right click and choose properties and then change the Startup type to match the above, if you make changes press Apply and OK

One of your services are showing the file is missing so you may as well set it to disabled as it maybe causing some of the errors.

MSSQLServerADHelper - Set to Disabled


Blacklight was just to check for any hidden rootkit files, so thats great it didnt show any files. Its just Pandascan now then we can attempt to remove anything found

EDIT: Go back to Event Viewer and clear all the events (Right click Application and System and choose Clear All Events no need to save them first, This way it will be easier to see if the error's continue after your scanners crash and maybe help determine whats causing it.

Andy

[eased]

Alright, the Panda scan also restarted my computer.. I just checked event viewer and:

Application is clear, but system isnt:

Service Control Manager (#7026)
Service Control Manager (#7001)
DCOM (#10005)

It had detected a bunch of spyware and 1 hacker tool before it shut off.

[AndyManchesta]

Hi Eased

Its getting to the point now where you should really consider saving all your data to disk and then formatting the system and reinstalling Windows (If there is a chance that some of the data is infected then its not worth backing it up as it could reinfect you again) . I wouldnt say that unless I thought it was required but there is clearly serious malware problems on your pc and with you not being able to boot into safe mode or run any scanner without it crashing your system the only solution I can see is to back up your data and Format the pc.

This would remove all the malware and then let you start fresh, If you do that you need to get the Antivirus and Firewall in place before using the Internet and then only go to Windows Updates and keep re-visiting them untill there is no more updates available. Once thats done you can start adding your programs back and using the Online games etc..

This will be the easiest and quickest solution as I cannot see what else can be recommended as no scanner will complete the scan and you can not get into safe mode plus Panda is finding hacker tools. If there is any other helpers reading this then maybe they can offer a different solution but if it was myown pc I wouldnt hesitate and would format so I can be sure the system is 100% clean then would make sure the system is fully patched before using it after the format to prevent more infections.

Sorry I cannot provide an easier solution but let me know if I can help more in anyway.

All The Best

Andy