Computer restarting by itself

Postby infoplz » Sat Feb 19, 2011 5:35 am

Recently I've been getting this blue screen with white words. Shortly after, my computer started to restart itself on random occasions. If the computer wasn't restarting itself, then it would freeze right at start-up and I would have to restart. Check my log please??

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:30:51 PM, on 2/18/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/secu ... /index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Download] C:\MediaHolder\MediaHolder.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

--
End of file - 8407 bytes
infoplz
Newbie
Posts: 6
Joined: Sat Feb 19, 2011 5:22 am

Re: Computer restarting by itself

Postby Gecko » Sat Feb 19, 2011 12:24 pm

infoplz,

Your log is clean.

What is the exact error message you are seeing on the BSOD?
Gecko
Super Moderator
Posts: 5206
Joined: Thu Oct 25, 2001 1:00 am
Location: Florida, USA

Re: Computer restarting by itself

Postby infoplz » Sat Feb 19, 2011 6:29 pm

Well, it said a problem had been detected and the computer was shutting down to protect it. Something else about "Beginning dump memory" and a stop error with some numbers :S. I'm sorry, I don't quite remember it all...

Re: Computer restarting by itself

Postby Gecko » Sun Feb 20, 2011 1:29 pm

infoplz,

Let's see if we can get the exact error message.
Go to Start > Control Panel > Administrative Tools > Event Viewer > look in the System section.

You are looking for any red icons; double-click on the icon.
Click inside the 'Description' section, then highlight the text and copy and paste it into Notepad.
At the bottom of the event window check 'Words' and then copy and paste that text also.
Then paste it all into your reply to this thread.

If you don't show any errors in the Event Viewer, then:
Go to Start > Control Panel > System > Advanced tab > Startup and Recovery section
Settings button > System Failure section > check the box 'Write an event to the system log'.
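The same Event Viewer steps, done from a PowerShell prompt instead of the GUI, as an added example that is not part of Gecko's post. It uses the classic `Get-EventLog` cmdlet (Windows PowerShell 2.0 runs on XP SP3), pulls only the Error entries (the red icons), renders each event's data the way the 'Words' view does, and then reads the two registry values under `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl` that back the Startup and Recovery dialog: `LogEvent` is the 'Write an event to the system log' box and `AutoReboot` is the 'Automatically restart' box. The `-Newest 25` limit is an assumption, not something the thread specifies.

```powershell
# Added example, not from the thread: System log errors plus the crash-logging settings.
# Assumes Windows PowerShell with Get-EventLog (XP SP3 with PowerShell 2.0 or later).

function Get-SystemErrorEvents {
    param([int]$Newest = 25)   # assumed limit; raise it if the log is busy
    # EntryType Error = the red icons; Warning (yellow) entries are left out, as in the thread.
    Get-EventLog -LogName System -EntryType Error -Newest $Newest
}

function Format-EventWords {
    # Render the event's binary data like the Event Viewer 'Words' view:
    # rows of four 32-bit little-endian values, with the byte offset on the left.
    param([byte[]]$Data)
    if (-not $Data -or $Data.Length -eq 0) { return '(no data section)' }
    $lines = @()
    for ($i = 0; $i -lt $Data.Length; $i += 16) {
        $words = @()
        for ($j = $i; $j -lt [Math]::Min($i + 16, $Data.Length); $j += 4) {
            $chunk = New-Object byte[] 4                    # zero-padded last word
            [Array]::Copy($Data, $j, $chunk, 0, [Math]::Min(4, $Data.Length - $j))
            $words += ('{0:x8}' -f [BitConverter]::ToUInt32($chunk, 0))
        }
        $lines += ('{0:x4}: {1}' -f $i, ($words -join ' '))
    }
    return ($lines -join "`n")
}

foreach ($e in Get-SystemErrorEvents) {
    '{0}  {1}  EventID {2}' -f $e.TimeGenerated, $e.Source, $e.EventID
    $e.Message                       # the 'Description' text
    Format-EventWords $e.Data        # the 'Words' block, empty for most events
    '-' * 60
}

# LogEvent = 'Write an event to the system log' (1 = on), so the stop code survives the reboot.
# AutoReboot = 'Automatically restart' (1 = on); with it on, a BSOD shows only briefly before
# the machine restarts, which matches the symptom described in this thread.
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
'LogEvent={0}  AutoReboot={1}' -f $cc.LogEvent, $cc.AutoReboot
```

Run it from an administrator prompt and paste the output into the reply in place of the copied Event Viewer text; the disk and CD-ROM errors in the next post are exactly the kind of entries that carry a 'Words' block.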

Re: Computer restarting by itself

Postby infoplz » Sun Feb 20, 2011 5:11 pm

OK, I got the errors for you, but the majority of the errors didn't have a "Words" section for me to copy. I also saw a lot of "Warning" events with a yellow caution icon next to the event, but I didn't copy those...

Event Viewer Errors

Your computer has lost the lease to its IP address 192.168.100.11 on the Network Card with network address 001A669C76F0.

The driver detected a controller error on \Device\Harddisk1\D.

MTP WPD Driver has failed to start. Error 0x80070005.

The SASDIFSV service failed to start due to the following error:
Cannot create a file when that file already exists.

DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

The following boot-start or system-start driver(s) failed to load:
AFD
Avgldx86
Avgmfx86
Avgtdix
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip

The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning.

The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
A device attached to the system is not functioning.

The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
A device attached to the system is not functioning.

The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
A device attached to the system is not functioning.

DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

The device, \Device\CdRom0, has a bad block.
0000: 00680003 00b80001 00000000 c0040007
0010: 00000100 00000000 00000000 00000000
0020: 00e70000 00000001 00228e10 00000000
0030: ffffffff 00000002 c4000040 00000002
0040: 120a2000 00000248 00000000 00000014
0050: 10bb6a20 8636d3f8 00000000 85a72e00
0060: 00000002 00201ca8 20000028 0000a81c
0070: 00000040 00000000 000300f0 0ae01c20
0080: 00000000 00000002 00000000 00000000

Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.




P.S. What is this: O4 - HKCU\..\Run: [Download] C:\MediaHolder\MediaHolder.exe?
I saw it in my log but I can't find it on my computer...

Re: Computer restarting by itself

Postby Gecko » Sun Feb 20, 2011 8:43 pm

infoplz,

From what I can make of it, your first CdRom device is causing the BSOD. The problem could be just the cd/dvd that's in the drive, it could be the drive itself, or even the driver.

As for O4 - HKCU\..\Run: [Download] C:\MediaHolder\MediaHolder.exe:
When I checked your log I found no reports on this entry; however, there has been an upload of the same-named file at VirusTotal that shows it might be a trojan, so...

Please download ComboFix to your desktop.

Double-click combofix.exe and follow the prompts.

If ComboFix will not start or is ended before the "Blue window", please rename combofix.exe to cbf.exe and try again.

If cbf.exe will not start or is ended, you will have to run cbf.exe from Safe Mode.
Reboot into Safe Mode:
Restart Windows; after you see the BIOS screen and before Windows starts to load,
start tapping the F8 key. The Windows Advanced Options Menu appears.
Use the arrow key to ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe Mode.

Do not exit ComboFix while it is running; you may lose all your personal settings!
Important Note - Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

When it's done running it will produce a log for you. Please post that log in your next reply.
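The check Gecko did by hand on the `O4` entry (is the path a normal program location, and does the file on disk match a known sample?) can be done for every `O4` line of a HijackThis log at once. The following is an added example, not code from the thread, HijackThis, or ComboFix. The `$SampleLog` lines are copied from the log posted earlier in the thread; `$TrustedRoots` and the flag wording are assumptions. The SHA-256 is computed so the file can be looked up on VirusTotal by hash without uploading anything; a file that is in the registry but not on disk (as infoplz found with MediaHolder.exe) is reported as an orphaned autorun rather than causing an error.

```powershell
# Added example, not from the thread: triage the O4 (Run key) lines of a HijackThis log.
# Assumes Windows PowerShell 2.0 or later; hashing uses .NET directly so it works on XP too.

# Constructed sample: O4 lines copied from the HijackThis log earlier in the thread.
$SampleLog = @'
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Download] C:\MediaHolder\MediaHolder.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
'@

# Assumed list of directories where autorun entries are expected to live.
$TrustedRoots = @('C:\Program Files\', 'C:\WINDOWS\')

function Get-HjtRunEntries {
    param([string]$LogText)
    foreach ($line in ($LogText -split "`r?`n")) {
        # Shape of an O4 line: O4 - <hive>\..\Run: [<name>] <command>
        if ($line -notmatch '^O4 - (?<hive>HK\w+)\\\.\.\\Run: \[(?<name>[^\]]*)\] (?<cmd>.+)$') { continue }
        $hive = $Matches.hive; $name = $Matches.name; $cmd = $Matches.cmd.Trim()

        # Split the executable from its arguments: a quoted path, or everything up to the first .exe
        if ($cmd -match '^"(?<p>[^"]+)"')      { $path = $Matches.p }
        elseif ($cmd -match '^(?<p>.+?\.exe)') { $path = $Matches.p }
        else                                   { $path = $cmd }

        $flag = 'ok'
        if ($path -notmatch '\\') {
            # No directory at all: Windows resolves it through the PATH at logon.
            $flag = 'bare filename (resolved through PATH at logon)'
        } elseif (-not ($TrustedRoots | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })) {
            $flag = 'runs from outside Program Files / Windows'
        }

        # Hash the file for a VirusTotal lookup by hash; report a missing file instead of failing.
        $sha256 = $null
        if ($path -match '\\') {
            if (Test-Path -LiteralPath $path) {
                $sha = [System.Security.Cryptography.SHA256]::Create()
                $sha256 = ([BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($path)))) -replace '-', ''
            } else {
                $sha256 = 'file not found on disk (orphaned autorun)'
            }
        }

        New-Object PSObject -Property @{ Hive = $hive; Name = $name; Path = $path; Flag = $flag; Sha256 = $sha256 }
    }
}

Get-HjtRunEntries $SampleLog | Select-Object Hive, Name, Path, Flag, Sha256 | Format-List
```

On the sample lines, only `C:\MediaHolder\MediaHolder.exe` is flagged for its location, which is the entry ComboFix later removes as an orphan (`HKCU-Run-Download`); the bare `RTHDCPL.EXE` entry is flagged separately because it is resolved through the PATH rather than by a full path. To run it against a real log, replace `$SampleLog` with `Get-Content -Raw` of the saved HijackThis file.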

Re: Computer restarting by itself

Postby infoplz » Tue Feb 22, 2011 1:28 am

Combofix log:

ComboFix 11-02-20.03 - Doreen 02/21/2011 18:41:29.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.569 [GMT -5:00]
Running from: c:\documents and settings\Doreen\My Documents\Downloads\Programs\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Doreen\Application Data\Local
c:\documents and settings\Doreen\Application Data\Local\Temp\DDM\Settings\.ddr
c:\documents and settings\Doreen\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\Doreen\Application Data\Local\Temp\DDM\Settings\1.ddi
c:\documents and settings\Doreen\Application Data\Local\Temp\DDM\Settings\2.ddi
c:\documents and settings\Doreen\Application Data\Local\Temp\DDM\Settings\435088881127_43798.mp4.ddr
c:\documents and settings\Doreen\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\Doreen\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\.ddp
c:\documents and settings\Doreen\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\435088881127_43798.mp4
c:\documents and settings\Doreen\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\videoplayback.ddp
c:\documents and settings\Doreen\Application Data\Local\Temp\DDM\Settings\videoplayback.ddr
c:\documents and settings\Doreen\Application Data\syswin
c:\documents and settings\LocalService\Application Data\02000000b69107a01100C.manifest
c:\documents and settings\LocalService\Application Data\02000000b69107a01100O.manifest
c:\documents and settings\LocalService\Application Data\02000000b69107a01100P.manifest
c:\documents and settings\LocalService\Application Data\02000000b69107a01100S.manifest
c:\recycler\k-1-3542-4232123213-7676767-8888886
c:\windows\system32\1314020072
c:\windows\system32\SysWoW32
c:\windows\system32\SysWoW32\_u641361877v0
c:\windows\system32\SysWoW32\_u641361877v1
c:\windows\system32\SysWoW32\_u641361877v2
c:\windows\system32\SysWoW32\_u641361877v3
c:\windows\system32\SysWoW32\mu641361877v4.kwd
c:\windows\system32\SysWoW32\mu641361877v5.kwd
c:\windows\system32\SysWoW32\mu641361877v6.kwd
c:\windows\system32\SysWoW32\mu641361877v7.kwd
c:\windows\system32\SysWoW32\wu641361877v0
c:\windows\system32\SysWoW32\wu641361877v0.kwd
c:\windows\system32\SysWoW32\wu641361877v1
c:\windows\system32\SysWoW32\wu641361877v1.kwd
c:\windows\system32\SysWoW32\wu641361877v2
c:\windows\system32\SysWoW32\wu641361877v2.kwd
c:\windows\system32\SysWoW32\wu641361877v3
c:\windows\system32\SysWoW32\wu641361877v3.kwd

.
((((((((((((((((((((((((( Files Created from 2011-01-21 to 2011-02-21 )))))))))))))))))))))))))))))))
.

2011-02-20 23:21 . 2011-02-21 23:46 -------- d-----w- c:\program files\Common Files\Akamai
2011-02-19 18:37 . 2011-02-19 18:39 -------- d-----w- c:\documents and settings\Administrator
2011-02-13 00:02 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-02-12 02:03 . 2011-02-13 01:44 -------- d-----w- c:\documents and settings\Doreen\Application Data\IDM
2011-02-12 02:03 . 2011-02-12 02:03 -------- d-----w- c:\program files\Internet Download Manager
2011-02-12 01:55 . 2011-02-12 01:55 388096 ----a-r- c:\documents and settings\Doreen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-12 01:55 . 2011-02-12 01:55 -------- d-----w- c:\program files\Trend Micro
2011-02-06 15:54 . 2008-12-08 17:53 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2011-02-06 15:54 . 2008-06-09 03:58 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2011-02-06 15:54 . 2011-02-06 15:54 -------- d-----w- c:\program files\ffdshow
2011-02-06 15:54 . 2010-01-26 18:09 290816 ----a-w- c:\windows\system32\stFLVSource.ax
2011-02-06 15:54 . 2011-02-06 15:54 -------- d-----w- c:\program files\Common Files\SourceTec
2011-02-06 15:54 . 2009-08-17 14:54 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2011-02-06 15:54 . 2009-08-17 14:54 217088 ----a-w- c:\windows\system32\CoreFLACDecoder.ax
2011-02-06 15:54 . 2011-02-06 15:54 -------- d-----w- c:\program files\SourceTec
2011-02-06 15:54 . 2009-08-17 14:54 438272 ----a-w- c:\windows\system32\Mpeg2DecFilter.ax
2011-02-05 04:10 . 2011-02-05 04:10 -------- d-----w- c:\documents and settings\Doreen\Local Settings\Application Data\Downloaded Installations
2011-02-02 13:31 . 2011-02-02 13:31 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-02-02 13:31 . 2011-02-02 13:31 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-02-02 11:31 . 2011-02-02 11:31 -------- d-----w- c:\documents and settings\Doreen\Application Data\Pegasys Inc
2011-02-01 14:37 . 2011-01-25 10:40 97112 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-01-30 17:07 . 2011-01-30 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2011-01-30 17:05 . 2011-02-20 00:58 -------- d-----w- C:\GameHouse Games
2011-01-30 17:05 . 2009-07-02 16:19 102400 ----a-w- c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
2011-01-30 17:05 . 2011-01-30 17:05 -------- d-----w- c:\program files\Zylom Games
2011-01-30 17:05 . 2011-01-30 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
2011-01-30 17:02 . 2011-02-20 00:58 -------- d-----w- c:\program files\RealArcade
2011-01-23 22:18 . 2011-01-23 22:25 -------- d-----w- C:\temp
2011-01-23 05:38 . 2011-01-23 05:38 -------- d-----w- c:\program files\ASIO4ALL v2
2011-01-23 05:38 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2011-01-23 05:37 . 2009-08-02 20:09 1554944 ----a-w- c:\windows\system32\vorbis.acm
2011-01-23 05:36 . 2011-01-23 05:39 -------- d-----w- c:\program files\VstPlugins
2011-01-23 05:36 . 2011-01-23 05:36 -------- d-----w- c:\program files\Outsim
2011-01-23 05:33 . 2011-01-23 05:38 -------- d-----w- c:\program files\Image-Line

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2008-04-14 13:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 13:39 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 09:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-25 19:49 . 2010-12-25 19:49 203776 --sh--w- c:\windows\system32\unrar.exe
2010-12-22 12:34 . 2008-04-14 13:41 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 13:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 13:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2008-04-14 13:41 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 17:26 . 2008-04-14 13:41 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 08:07 385024 ----a-w- c:\windows\system32\html.iec
2010-12-14 13:43 . 2011-01-02 16:12 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2010-12-14 13:39 . 2011-01-02 16:18 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2010-12-09 15:15 . 2008-04-14 13:41 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 13:41 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2008-04-14 08:57 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-01-25 10:40 67680 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-04-17 95536]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-02-01 3265944]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 16132608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNAC"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" start
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58855:TCP"= 58855:TCP:Pando Media Booster
"58855:UDP"= 58855:UDP:Pando Media Booster
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2/1/2011 9:37 AM 97112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 8:42 AM 14336]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.symantec.com/enterprise/secu ... /index.jsp
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
FF - ProfilePath - c:\documents and settings\Doreen\Application Data\Mozilla\Firefox\Profiles\q7alc8ub.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cf38d9f ... g=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Free Realms Installer: {38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1} - %profile%\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\Doreen\Application Data\IDM\idmmzcc3
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Download - c:\mediaholder\MediaHolder.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-21 18:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_dbc0250.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_dbc0250.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):86,e3,27,f1,0f,15,da,a8,39,98,3b,e6,af,3b,57,86,ef,e8,8c,fd,dc,
7e,ad,c6,e8,8a,69,cf,dc,dd,1a,90,04,ff,43,80,f1,0d,89,ed,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f14a683c-5dd9-4a43-a1ce-68a85e81fe29}]
@Denied: (Full) (Everyone)
"Model"=dword:0000002d
"Therad"=dword:00000001
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4048)
c:\windows\system32\WININET.dll
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Internet Download Manager\idmmkb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Internet Download Manager\IEMonitor.exe
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2011-02-21 18:52:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-21 23:52

Pre-Run: 122,852,954,112 bytes free
Post-Run: 123,843,952,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 0B0195DEBC8D2B2262EA008BDA344724
infoplz
Newbie

Posts: 6
Joined: Sat Feb 19, 2011 5:22 am

Thanks given: 0
Thanks received: 0

Re: Computer restarting by itself

Postby Gecko » Tue Feb 22, 2011 2:55 am

infoplz,

Your log looks clean, so how's it running now?

Also make sure that the folder C:\temp is empty!
Gecko
Super Moderator

Posts: 5206
Joined: Thu Oct 25, 2001 1:00 am
Location: Florida, USA

Thanks given: 1
Thanks received: 23

Re: Computer restarting by itself

Postby infoplz » Tue Feb 22, 2011 4:07 am

It's running great actually, thank you :)
infoplz
Newbie

Posts: 6
Joined: Sat Feb 19, 2011 5:22 am

Thanks given: 0
Thanks received: 0

Re: Computer restarting by itself

Postby bredhedden1 » Sat Jan 28, 2012 10:35 pm

I guess that should be best & it's still helpful.
bredhedden1
Newbie

Posts: 1
Joined: Fri Jan 20, 2012 11:26 pm

Thanks given: 0
Thanks received: 0
