
Thread: Possible Vista Infection

  1. #1

    Possible Vista Infection

    Okay, some may have seen my other thread. It would be a good idea to read it anyway, so here's a link: http://www.pcguide.com/vb/showthread.php?t=62392.

    Post there or here, I check both. Here's what's been happening.

    The computer shuts down with the message "Windows has detected a risk to Windows, and is shutting down to prevent further damage." That's not exactly what it says, but it's along those lines. I have yet to get a .dmp file to use the debugger with, but I'm trying to fix that.

    Possible culprits:

    1. Not a large enough PSU. It's 600 watts, and the setup is:
       • 8800GT 512MB
       • Asus P5N32-E SLI Mobo
       • Intel Core 2 Quad 2.4 GHz, 1066 FSB
       • 4 GB of DDR2 800 RAM, 4 times 1 GB
       • Arctic Cooler Intel Certified Fan and Heatsink
       • 2 Extra Case fans
       • A DVD Drive

    2. Overheating (solved, it can't be that because the core temp has been checked).

    3. Driver issue, this is where the Debugger comes in.

    4. Something I'm not seeing.

    5. A virus.

    #5 is the reason I posted here. I have Norton, but I know Norton can't stop everything, so here's the deal. I need to find out whether or not my computer has a virus. Walk me through the steps to find out. I know there is going to be tons of information you want me to post, so if you need something out of the norm, explain it, because I'm not good with computers. Learning fast, but not good.

    Thanks guys, I look forward to working with you to help iron this out!
    Mac: Crash Different

  2. #2
    Never had to bump something on the PC Guide before, but there's a first time for everything...

  3. #3
    Join Date: Dec 2005 | Location: Κύπρος (Cyprus) | Posts: 2,320
    Quote: Never had to bump something on the PC Guide before, but there's a first time for everything...
    Maybe the virus experts aren't online

    Well first try to update windows and install new drivers

    Make sure it isn't a hardware problem

    Also post a HJT log and classic should be able to help
    Parts:
    CPU: Q9450 @ 3.6 GHz (OC'd), 1800 MHz FSB
    Mobo: EVGA 780i
    GPU: HD 5870 (I have two but only got one in at the moment)
    PSU: 1000 W Corsair
    RAM: 4 GB Corsair Dominator DDR2 1066 MHz
    Soundcard: Asus Xonar D2
    Monitor: Samsung 226BW 22" and secondary 17" LCD
    Speakers: Logitech Z5400
    Case: Silverstone TJ07

    Water cooling:
    Loop 1: Mobo NB & MOSFET with Zalman Reserator
    Loop 2: CPU (EK Supreme) with MCP 355, XSPC acrylic top, 360 & 240 mm rads

  4. #4
    Join Date: Mar 2007 | Location: Connecticut | Posts: 2,512
    Standard speech:
    Hello and welcome to the PC Guide forums. Please go here for information on what to do.

    Post a HijackThis log. Do not post it as an attachment, and use as many posts as needed!

    Download HijackThis from here.

    Remember, HijackThis is a powerful tool that can be both good and bad...

    DO NOT do anything unless a certified malware expert tells you to!!!!

    A malware expert will come by and have a look at it. Unfortunately I am not one of them.
    My Computer:
    DELL XPS 400
    250 GB HD, 80 GB HD and 500 GB HD
    ATI Radeon X1950 256 MB PCIe (upgrading soon)
    OS: Win XP Media Center Edition
    Intel Pentium D 2.79 GHz with 3.0 GB RAM + 15 GB pagefile
    DVD-ROM; CD-RW; floppy
    17" Monitor and 20" Widescreen dual
    Looking to upgrade my PSU to a 650 Watt

  5. #5
    HijackThis log?

    Explain, please...

    Never mind, just DLed it. That was fast. Here it is, I think...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:13:02 AM, on 2/29/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files (x86)\AIM6\aim6.exe
    C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
    C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files (x86)\AIM6\aolsoftware.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Xfire\xfire.exe
    C:\Program Files (x86)\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~2\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AsusStartupHelp] "C:\Program Files (x86)\ASUS\AASP\1.00.24\AsRunHelp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\Mcshield.exe (file missing)
    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\Program Files (x86)\McAfee\VirusScan\mcsysmon.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 7679 bytes

  6. #6
    Join Date: Jul 2001 | Location: Wyncote, PA, USA | Posts: 10,048
    Nothing obvious in your log:

    Please follow the instructions here, and post a Combofix log and say how the system is running.
    No two moments are alike and a person who thinks that any two moments are alike has never lived.

    A.J. Heschel
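A short triage script for the log above, added here as an example; it is not code from the thread, from PC Guide or from Trend Micro. It applies the checks a log reviewer does by eye: IE start/search pages that point off Microsoft's domains, hosts-file lines beyond the stock localhost entries, BHOs whose DLL is gone, Trusted Zone additions, and services whose binary is missing. That last group is the one that looks alarming in this log and is not: the log comes from a 32-bit HijackThis (it runs out of Program Files (x86)) on x64 Vista, where WoW64 redirects a 32-bit process's view of System32 to SysWOW64, so standard services such as KeyIso, SamSs, Spooler and VSS are reported as "(file missing)". The McAfee entries are a different case, service registrations left behind by an uninstall. The sample is a constructed subset of the posted log, and the domain list and the rule tags are this example's own assumptions.

```python
"""Offline triage of a HijackThis 2.0.x log.

Added example, not code from the thread or from Trend Micro. It applies the
checks a log reviewer does by eye and explains why the "(file missing)" lines
in the log above are not, by themselves, a sign of infection.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted in this thread, embedded so
# the script runs offline. Feed it a whole saved log to triage the real thing.
SAMPLE_LOG = r"""
Platform: Windows Vista (WinNT 6.00.1904)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://*.mcafee.com
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\Mcshield.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Hosts-file lines HijackThis reports on a stock Vista install.
DEFAULT_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}
# Domains IE's default start/search pages live on (assumed list for this example).
MS_DOMAINS = ("microsoft.com", "msn.com", "live.com")


def parse_hjt(text):
    """Yield (section, body) for every 'Oxx - ...' style entry in the log."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def is_x64_host(text):
    """A 32-bit HijackThis build running on x64 Windows sees the WoW64 tree."""
    return "Program Files (x86)" in text


def under_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(text):
    """Return (tag, entry, note) findings in log order; an empty list is a clean log."""
    x64 = is_x64_host(text)
    findings = []
    for sec, body in parse_hjt(text):
        if sec in ("R0", "R1"):
            _, _, value = body.partition(" = ")
            value = value.strip()
            host = urlparse(value).hostname or ""
            if value and not under_domain(host, MS_DOMAINS):
                findings.append(("ie_page_changed", body,
                                 "IE start/search page points off Microsoft; classic hijacker sign"))
        elif sec == "O1":
            entry = body.partition("Hosts: ")[2].strip()
            if entry not in DEFAULT_HOSTS:
                findings.append(("hosts_override", body,
                                 "hosts file redirects a name; malware uses this to block AV updates"))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(("orphan_bho", body,
                             "BHO CLSID registered but its DLL is gone; inert, safe to fix"))
        elif sec == "O15":
            findings.append(("trusted_zone", body,
                             "site runs with Trusted Zone settings (fewer ActiveX/script prompts)"))
        elif sec == "O23" and body.endswith("(file missing)"):
            path = body.rsplit(" - ", 1)[-1][: -len(" (file missing)")].strip()
            if x64 and "\\windows\\system32\\" in path.lower():
                findings.append(("wow64_redirect", body,
                                 "32-bit HijackThis was redirected to SysWOW64; confirm from a 64-bit "
                                 "shell (dir %SystemRoot%\\System32\\<name>) before touching it"))
            else:
                findings.append(("stale_service", body,
                                 "service entry left behind by an uninstall; binary is gone"))
    return findings


if __name__ == "__main__":
    for tag, entry, note in triage(SAMPLE_LOG):
        print(f"[{tag}] {entry}\n    -> {note}")
```

Run it against a saved full log by passing the file contents to triage(). Anything tagged wow64_redirect should be confirmed from a 64-bit command prompt before any fix is applied, and a stale_service entry is safe to delete only once you know the vendor's product really is gone.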

  7. #7
    For some reason, when I download Combofix, it says I need Administrator privileges. I'll keep trying, but I just checked, and my account is the only account enabled, and it's set as administrator.

  8. #8
    Combofix is no good.

    I'll download it, then once it's downloaded (I'm using Firefox), in the DL box it shows a big red X instead of the little icon. It makes me close Firefox. So I'll open it, the normal disclaimer comes up, and I click I Agree, then a small dialog box pops up saying 1 in 100 computers make it through it. Um. Okay. I clicked continue, and it ran for a second, said that something couldn't be downloaded, said it twice about two separate things, and then it closed. I go to click Firefox to get back online, but the connection is gone; the only way to restore it is to restart my compy.

    Safe to say, I'm not going near that again. Unless you know what's happening.

  9. #9
    Join Date: Jul 2001 | Location: Wyncote, PA, USA | Posts: 10,048
    I don't know for sure what's going on since SWI is down and I can't get any more information about Combofix now. In the meantime:

    • Using Internet Explorer, click here to use the F-Secure Online Scanner.
    It's explained there with images how to allow the ActiveX control to start the scan, so read that first.
    • Then click the F-Secure Online Scanner Next Generation Beta link.
    • Once the ActiveX control is installed, accept the License terms by clicking OK below to start the scan.
    • Click the Full System Scan button.
    • It will start to download scanner components and databases. This can take a while.
    • The main scan will start.
    • Once the scan has finished, click the Automatic cleaning (recommended) button.
    • It could be possible that your firewall gives an alert; allow it, because that's a connection you establish to submit infected files to F-Secure.
    • The cleaning can take a while, so please be patient.
    • Then click the Show report button and copy and paste what's present under Results in your next reply.


    Download AVG Anti-Spyware from HERE
    • Install AVG Anti-Spyware
    • Double-click the icon on Desktop to launch AVG Anti-Spyware
    You will need to update AVG Anti-Spyware to the latest definition files.
    • On the top of the main screen click Shield and then [active] to change it to inactive
    • On the top of the main screen click Update and then Start Update.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".


    Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):

    • Click Scanner and then the Scan tab.
    • Click Complete System Scan to begin scanning.

    Once the scan is complete do the following:
    • If you have any infections you will be prompted; select "Apply all actions".
    • Once finished, click the Save report button, then click Save Report As and save it to your Desktop. (Make sure to remember where you saved that file; this is important.)

    Close AVG Anti-Spyware and Reboot.

    Post the logs and let me know how things seem to be running...

  10. #10
    For the online scanner, does it have to be IE, because I removed that in favor of Firefox. If I have to, I'll download it, but only if I have to.

    I currently have Norton installed. Should I remove Norton and install AVG? I don't want to have two different protection applications installed, because of the potential loss of performance.

    As far as running goes, it's running okay. A slightly noticeable loss in performance since the beginning however, but that is only noticeable when I either have several applications going at once, or when playing a game.

  11. #11
    Join Date: Jul 2001 | Location: Wyncote, PA, USA | Posts: 10,048
    You cannot remove IE from your system and still get Windows Updates, which only come through IE. If you removed IE, it's not surprising your system is unstable, as it is wound through the OS.

    If you read the instructions for this AVG Anti-Spyware, it says not to install the real-time scanner...

  12. #12
    Oh, really? I didn't know that. I feel stupid now. Something odd though. I don't find Internet Explorer in the Add or Remove programs menu, but I can find it in the program files. Odd. So technically it's still installed. Weird.

    Edit: Sorry, I hadn't followed the link. Probably should have before asking about the scanner. Anyway, back to the question: would just AVG be enough for my computer, or should I keep Norton installed?
    Last edited by mxer394; 02-29-2008 at 09:42 PM.

  13. #13
    Join Date: Jul 2001 | Location: Wyncote, PA, USA | Posts: 10,048
    Norton is AV and the AVG I asked you to install is Anti-Spyware. They are different. Let's get you clean then we can speak about what the best preventive measures are....

  14. #14
    Great. More problems. Okay. The show report button doesn't work. Finished the scan, cleaned the computer, and the show report button doesn't work.

    Woo. This is going to be fun. I'm going to rescan, hope it works this time.

  15. #15
    A new development in this case. It seems that it might be because of my hardware, not software, that the computer is crashing. This is because (as it has been explained to me), when a software crash occurs, it creates a Minidump file for the Windows Debugger to analyze, and when the computer crashes because of hardware, no dump occurs. I have been having trouble finding the .dmp files for the debugger to analyze, and this is probably why.

    However.

    I am still going to continue getting the logs from the scanner and anti-spyware, in the chance that it is a virus.

    Thanks.

    Also, classic, I just rescanned, and for some reason, with the F-Secure online scanner, the Show Report button won't show the report. I'm going to start the AVG scanner now.
    Last edited by mxer394; 03-01-2008 at 09:31 AM.
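Before treating a missing .dmp as evidence of a hardware fault, the check a practitioner would run is on the dump configuration itself. Whether Windows writes a dump at all is decided by the CrashControl registry key and by the paging file on the boot volume, and a fault that reaches the bug check path (including hardware ones such as WHEA machine-check stops) leaves a dump when those are set correctly. The script below is an added example, not from the thread: the snapshot dictionary, the pagefile description and the rule-of-thumb size thresholds are constructed for illustration, and the read_live() helper uses Python's winreg module to read the real key on Windows.

```python
"""Why a Windows stop error can leave no .dmp behind.

Added example, not from the thread. Evaluates CrashControl settings offline
against a constructed snapshot; on Windows, read_live() pulls the real values.
Dump-type codes are the documented ones; 7 ("automatic") exists only on
Windows 8 and later and is listed for completeness.
"""
import sys

MB = 1024 * 1024
DUMP_TYPES = {0: "none", 1: "complete", 2: "kernel", 3: "small (minidump)", 7: "automatic"}

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
# for a box that shows a stop screen for a moment and then reboots with no dump.
SAMPLE_CRASHCONTROL = {
    "CrashDumpEnabled": 0,
    "AutoReboot": 1,
    "Overwrite": 1,
    "MinidumpDir": r"%SystemRoot%\Minidump",
    "DumpFile": r"%SystemRoot%\MEMORY.DMP",
}
# Constructed description of the boot-volume paging file and installed RAM.
SAMPLE_PAGEFILE = {"on_boot_volume": True, "size_bytes": 4096 * MB}
SAMPLE_RAM_BYTES = 4096 * MB


def min_pagefile(kind, ram_bytes):
    """Rule-of-thumb boot-volume paging file needed for a given dump type."""
    if kind == 3:
        return 2 * MB          # small dump is 64 KB (128 KB on x64); 2 MB is plenty
    if kind == 2:
        return ram_bytes // 3  # kernel dump holds kernel pages only, roughly a third of RAM
    return ram_bytes + MB      # complete dump: all of RAM plus a header


def evaluate(crashcontrol, pagefile, ram_bytes):
    """List the reasons a bug check would not leave a readable dump; [] means it should."""
    reasons = []
    kind = crashcontrol.get("CrashDumpEnabled", 3)
    if kind == 0:
        reasons.append("CrashDumpEnabled=0: Windows is configured to write no dump at all")
    elif not pagefile["on_boot_volume"]:
        reasons.append("no paging file on the boot volume: the crash path writes the dump through it")
    elif pagefile["size_bytes"] < min_pagefile(kind, ram_bytes):
        reasons.append(f"paging file is {pagefile['size_bytes'] // MB} MB, below the "
                       f"{min_pagefile(kind, ram_bytes) // MB} MB a {DUMP_TYPES.get(kind, kind)} dump needs")
    if crashcontrol.get("AutoReboot", 1) == 1:
        reasons.append("AutoReboot=1: the stop screen vanishes before the bug check code can be read")
    if kind in (1, 2) and crashcontrol.get("Overwrite", 1) == 1:
        reasons.append("Overwrite=1: each crash replaces MEMORY.DMP, so only the last one survives")
    return reasons


def where_to_look(crashcontrol):
    """Path the next dump lands in, given the configured type."""
    if crashcontrol.get("CrashDumpEnabled", 3) == 3:
        return crashcontrol.get("MinidumpDir", r"%SystemRoot%\Minidump")
    return crashcontrol.get("DumpFile", r"%SystemRoot%\MEMORY.DMP")


def read_live():
    """Read the real CrashControl values on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\CrashControl") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = data
            i += 1
    return values


if __name__ == "__main__":
    cfg = read_live() or SAMPLE_CRASHCONTROL
    print("dump type:", DUMP_TYPES.get(cfg.get("CrashDumpEnabled", 3), "unknown"))
    print("look in:", where_to_look(cfg))
    for r in evaluate(cfg, SAMPLE_PAGEFILE, SAMPLE_RAM_BYTES):
        print(" -", r)
```

AutoReboot=1 (the default) is what makes a stop screen visible for only an instant. Clearing "Automatically restart" under System Properties, Startup and Recovery, lets the bug check code be read, and setting the dump type there to Small memory dump makes the next crash leave a file in %SystemRoot%\Minidump for WinDbg.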
