9 replies to this topic

[Quinntessential]

Hi There new to the forum.

I have a serious problem with one of my pc's. When ever I try and do a spyware search my pc just shuts down and I have to restart it and go through the same process again. One time when it shut down I managed to see that it mention Isass.exe and I have searched long and hard to try and get rid of this but to no avail. Please can you guys help me get my pc running smoothly again.

Her is my Hijackthis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:58 PM, on 2008/03/27
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.absa.co.za/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Network -p \\Fair2\hpLaserJ -pn "" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = Bin\w3dbsmgr.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.79\AMVConverter\grab.html
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.10\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.10\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{4E6D1D84-6A72-45CD-A9D4-D0AB9D93ADFF}: NameServer = 168.167.168.34 168.167.253.21
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

[Quinntessential]

I have managed to download process explorer and cancel the process lsass.exe then quickly press start and run and type cmd and then type Shutdown -a. This way the pc does not shutdown however if I still run a spyware search program then the pc switches off. Please help.

[Scotty]

Hello and welcome to the forum.

Sorry about the delay in responding

If you still need help, Scan again with HijackThis, and "copy/paste" a new log file into this thread.

Please make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.


Also please describe how your computer behaves at the moment.

[Quinntessential]

Scotty thanks for replying to my post. What I figured out is that the pc switches off every time it needs to process something big and that got me thinking that perhaps my cpu is overheating and just switches off my pc. I opened the case and found that the cpu sits right beneath the psu with almost no space so a bit of re modification and another fan or two I managed to cool it down considerably. I managed to run spybot search and destroy and it found a whole host of problems which I have gotten rid of. Thanks allot for taking the time to try and help me much appreciated.

[Scotty]

Hi

Ive noticed a problem you really need to resolve. You have no Service packs installed. These are mainly security updates for Windows and without them you are likely to be continually infected. I dont think Spybot will fully clean you up. if you wish to continue please follow these instructions.

You are currently using an unpatched version of Microsoft XP. It is CRITICAL that you update to Service Pack 1a
Please visit this link:
Microsoft Service Pack 1a

and install Service Pack 1a. If you run into troubles, please post them here.

IMPORTANT: DO NOT update to Service pack 2. Doing so before your computer is clean can cause Windows to become unstable.
We will update to SP2 when you are clean.


Please post back with a HJT log and your computer running with Service pack 1a, or with any problems you are having updating.

[Quinntessential]

Thanks Scotty Once I finished cleaning the pc with spybot I went ahead and installed service pack 2 and any other updates that come out after that. By doing this have I potentially harmed the pc or left it vulnerable to more attacks?

[Scotty]

Well, installing SP2 before being clean could cause problems, but not always. I would still like to help you out though, because my intial glance at your first post tells me there was something there that I dont believe Spybot could properly clean.

[Quinntessential]

Ok thanks Scotty. I will only be able to post a new hijack this log on Monday and then you can take a look. Once again thanks for helping me out.

[Scotty]

[Scotty]

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log