Member Panel

Rhyne

My real computer keeps restarting before I can log in. It seems to be on a restart timer because it restarts regardless of whether I attempt to log in or not after a set period of time. Just before it started this awful cycle I saw a file download window popup while I was surfing the internet. Hmmm... Here's my stuff:

Logfile of HijackThis v1.99.1
Scan saved at 12:05:40 AM, on 1/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - (no file)
O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {9c5875b8-93f3-429d-ff34-660b206d897a} - (no file)
O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O2 - BHO: ASGP32.ASGP - {AB268D16-3B58-482F-91EB-8D305534302F} - C:\WINDOWS\System32\asgp32.dll
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\ContMedia\Anatomy Atlas 4HRI\MSDXM.OCX
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QUVGVwEx] C:\PROGRA~1\vossrvvo\fcQAFoxN.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [37.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\37.tmp.exe
O4 - HKLM\..\Run: [38.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [17.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\17.tmp.exe
O4 - HKLM\..\Run: [17.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\17.tmp.exe
O4 - HKLM\..\Run: [1E.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1E.tmp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [glght.exe] C:\WINDOWS\System32\glght.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - http://70.150.224.48/controls/prntpro2.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{864076FA-9332-4CFE-808D-8DAE740F3A3B}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BA41CE8-2325-46C9-B8F2-9DDD2CF9CDA2}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{B811EBDB-D601-4639-A38A-4DA0EDC3DEB1}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5FBFFC6-E115-4633-B23B-E51C1B402DC1}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{C87E5847-D658-4244-A27B-980E112F83CF}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF20E463-EBE1-48F3-995E-7BAA1D7E296D}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{E58D8711-D4F3-4FF9-9DD1-51F434B2366F}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73
O21 - SSODL: ryYxujAshx - {BC9E7CA8-1634-D602-E96B-91D0A7E54126} - C:\WINDOWS\System32\qurbh.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

hipcity

have you tried to load last known good configuration?
as this will set back any changes made at the time of the problem - just as long as you did not log in to the pc

Rhyne

How do you do that? I still can't even log in because it keeps restarting over and over and over again.

chiaz

Hello.

Run a scan with AVG Anti-spyware and SpySweeper if you haven't done so, and clean everything found.

Next:
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Member Panel

Sponsors and Ads

Join the Team

Live Tag Cloud