Error message and system shut down help needed urgently

**betamax bandit** · #1 18th Jan 2008, 10:00

basically i have just had this message which counted down 1 minute and then shut down my computer

is it a virus or something how can i stop it happening again

**evilfantasy** · #2 18th Jan 2008, 10:12

Welcome to TCF.

Download and rename HijackThis (HJT)

Double-click on HJTInstall.
Click on the Install button.
It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
Upon install, HijackThis should open for you.
- Close HijackThis and rename it.
- Go to C:\Program Files\Trend Micro\HijackThis.exe
- Right click on HijackThis.exe and select Rename.
- Type in sniper.exe and press Enter.
- Right-click on sniper.exe and select Send To > Desktop (create shortcut)
From the desktop open HiackThis.
If using Windows Vista, be sure to Run As Administrator
Click on the Do a system scan and save a log file button
HijackThis will scan and then a log will open in notepad.
Copy and then paste the log in your post.
- Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Even though we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

**betamax bandit** · #3 18th Jan 2008, 10:34

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:33:35, on 18/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\A?pPatch\spool32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qgb8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qgb8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qgb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qgb8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qgb8.hpwis.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDO WS\System32\ldr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1817AE3B-1DAE-1753-ABB8-64A3E08AF0CD} - C:\WINDOWS\System32\weuthenx.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Tzijaucb\xxyphruv.dll (file missing)
O2 - BHO: (no name) - {2AE4005E-689F-4FB9-8C3D-D2B8B58AC072} - C:\WINDOWS\System32\xxywwwx.dll (file missing)
O2 - BHO: (no name) - {57bc02c5-5656-484f-96c0-ccd82441b36a} - C:\WINDOWS\system32\grapo32.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {840A22C7-F337-4325-83AF-1A32B7991E7E} - C:\WINDOWS\System32\geedd.dll (file missing)
O2 - BHO: (no name) - {B49E8E80-A68D-43AD-A8F9-0615562C1C3D} - C:\WINDOWS\System32\gebcc.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v5.dll (file missing)
O2 - BHO: {42cd6e6e-0210-32f9-7864-3230906f349f} - {f943f609-0323-4687-9f23-0120e6e6dc24} - C:\WINDOWS\System32\wsiaekwj.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ojszovgr] rundll32.exe "C:\Program Files\jefqpsfc\bijoxqfm.dll",Init
O4 - HKLM\..\Run: [hijafobs] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hijafobs.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [98850bb0] rundll32.exe "C:\WINDOWS\System32\qyvvfpse.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Nob] "C:\Program Files\Common Files\A?pPatch\spool32.exe"
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\tracert.e xe" -vt ndrv
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1198254563093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1198254540484
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c00C1AE1.dat
O20 - Winlogon Notify: xxywwwx - xxywwwx.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\xictbygy.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8696 bytes

**Hybr!d** · #4 18th Jan 2008, 10:44

I may be way off here but I have come across this before, more than once.

In these instances the PCs were fresh XP installs so we're 100% clean but they were not running service pack 2 or a hardware firewall on the broadband equipment.

Fixing it involved getting sp2 on the machines as this installed a firewall, other methods would be to install a 3rd party firewall or a hardware firewalled router.

To this day I don't know what caused it, maybe a hacker had these machines IPs previously and were let in automatically without installing a virus because of the lack of firewalled security.

**evilfantasy** · #5 18th Jan 2008, 10:46

Quote:

Originally Posted by Dave Hybrid

I may be way off here but I have come across this before, more than once.

In these instances the PCs were fresh XP installs so we're 100% clean but they were not running service pack 2 or a hardware firewall on the broadband equipment.

Fixing it involved getting sp2 on the machines as this installed a firewall, other methods would be to install a 3rd party firewall or a hardware firewalled router.

Why is the computer not have SP2?

You do have some problems also so don't update it until they are gone.

**Hybr!d** · #6 18th Jan 2008, 10:48

Quote:

Originally Posted by evilfantasy

Why is the computer not have SP2?

You do have some problems also so don't update it until they are gone.

It happened when I have done system restores on old machines using older manufacturers discs.

The were pre SP2, the machines would go into shut down as soon as they connected to the Internet.

A firewall fixed it.

This may all be irrelevant, but if this is only happening when online and you don't run a firewall SP2 or not, get one.

**betamax bandit** · #7 18th Jan 2008, 10:49

ok how do i fix the problems then??

**evilfantasy** · #8 18th Jan 2008, 10:51

I'm working on a fix, it will take a few minutes as there are some serious malware entries in the log.

Be back to you in a few.

**betamax bandit** · #9 18th Jan 2008, 10:54

thnx

**evilfantasy** · #10 18th Jan 2008, 11:04

Step 1

Go to My Computer->Tools->Folder Options->View tab:

Under the Hidden files and folders heading:
Select Show hidden files and folders.
Uncheck Hide protected operating system files (recommended) option.
Also, make sure there is no checkmark beside Hide file extensions for known file types.
Click OK

Step 2

Please click Start > Run and type in: services.msc
Click OK
In the Services window find: DomainService
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Step 3

Open HijackThis and select Do a system scan only then place a check mark next to:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {1817AE3B-1DAE-1753-ABB8-64A3E08AF0CD} - C:\WINDOWS\System32\weuthenx.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Tzijaucb\xxyphruv.dll (file missing)
O2 - BHO: (no name) - {2AE4005E-689F-4FB9-8C3D-D2B8B58AC072} - C:\WINDOWS\System32\xxywwwx.dll (file missing)
O2 - BHO: (no name) - {57bc02c5-5656-484f-96c0-ccd82441b36a} - C:\WINDOWS\system32\grapo32.dll (file missing)
O2 - BHO: (no name) - {840A22C7-F337-4325-83AF-1A32B7991E7E} - C:\WINDOWS\System32\geedd.dll (file missing)
O2 - BHO: (no name) - {B49E8E80-A68D-43AD-A8F9-0615562C1C3D} - C:\WINDOWS\System32\gebcc.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v5.dll (file missing)
O2 - BHO: {42cd6e6e-0210-32f9-7864-3230906f349f} - {f943f609-0323-4687-9f23-0120e6e6dc24} - C:\WINDOWS\System32\wsiaekwj.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O20 - Winlogon Notify: xxywwwx - xxywwwx.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\xictbygy.exe (file missing)

Close all windows except for HijackThis and click Fix checked

Exit Hijackthis.

Step 4

Double click My Computer on the desktop.

Open the C:\ drive and locate this file and delete it.

C:\WINDOWS\System32\xictbygy.exe

Step 5

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click Options...
Move the arrow down to Standard CleanUp!
Uncheck the following:
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
Click OK

Click the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

Step 6

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

IMPORTANT - Combofix.exe MUST be saved to your your Desktop.

Close any open Web browsers. (Firefox, Internet Explorer, etc)
Close/disable all anti virus and anti malware programs so they do not interfere with Combofix. <-- IMPORTANT
- Click on this link to see a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
Double click combofix.exe & follow the prompts.
- From the keyboard select 1 and press Enter
When finished, it will produce a log for you.
Post that log in your next reply.

Do not mouseclick combofix's window while it's running.
The scan will temporarily disable your desktop.
If interrupted it may leave your computer frozen.
If this occurs, please reboot to restore the desktop.

Step 7

Run a new Hijackthis scan and save the log

Next post please add
Combofix log
New Hijackthis log