I need some help

Status
Not open for further replies.

DeWalt_Racing17

My computer is being dumb. Whenever I dial up onto the internet my computer will restart on me. It always happens, but sometimes I can be on the net for an hour and then get restarted and sometimes I can be on for a minute and get restarted. Sometimes a message will pop up and tell me that NT Authority/system has activated a system shutdown or something and it has a 1:00 timer until it restarts. It must be some kind of virus but my Norton AntiVirus has not picked it up. It's not spyware because I got a spyware cleaner that removes that crap. I'm not sure what to do, can someone help me?
 
Get Ad-Aware SE and run that. Then see if it still does it. Then get Spybot S&D and run it. Wait for someone more knowledgeable than me. Sooner or later you will have to get HijackThis and post a log.
 
I was told it was the Blaster virus, so I looked for an msblast file and found 2 of them and deleted them, and my computer still restarts on me. But now I followed the steps and got a HijackThis log, here it is.

Logfile of HijackThis v1.98.2
Scan saved at 6:46:16 PM, on 12/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\ns.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\scheduler.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\documents and settings\owner.your-us67pi6luv.002\local settings\temp\JpgEZExW.exe
C:\WINDOWS\System32\cvmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hcpd.exe
C:\WINDOWS\System32\Xnt10UI.exe
C:\WINDOWS\System32\OlabI.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\ipconfig.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pbnation.com/forumdisplay.php?forumid=16
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mwt.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=146274
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mwt.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by MWT.NET
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\PROGRA~1\Lycos\IEagent\CSBB.DLL
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho13.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [P2P Networking3] C:\WINDOWS\System32\P2P Networking\P2P Networking3.exe /AUTOSTART
O4 - HKLM\..\Run: [JpgEZExW] C:\documents and settings\owner.your-us67pi6luv.002\local settings\temp\JpgEZExW.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\IovoDv.exe
O4 - HKLM\..\Run: [cvmonitor.exe] cvmonitor.exe
O4 - HKLM\..\Run: [Service Scheduler] scheduler.exe
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [P2P Networking4] C:\WINDOWS\System32\P2P Networking\P2P Networking4.exe /AUTOSTART
O4 - HKLM\..\Run: [hcpd] C:\WINDOWS\System32\hcpd.exe
O4 - HKLM\..\RunServices: [cvmonitor.exe] cvmonitor.exe
O4 - HKLM\..\RunServices: [Service Scheduler] scheduler.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mwt.net/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{961B4DAF-F524-47E8-8402-172171C96895}: NameServer = 207.190.94.2 207.190.94.129
 
First download and run the PeperFix.exe program from http://www.spyware911.net/downloads/PeperFix.exe
Click "Find and Fix" and let it do its thing.

Then get over to Windows Update and get all available updates for your system, except SP2.

When completed, download Ad-Aware SE from http://www.majorgeeks.com/download506.html
In Ad-aware
1) Run the WebUpdate feature.

2) Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Advanced Button
Logfile Detail Level:
All options under this should be checked (Green).

Tweak Button
Check (Green) the following:
Log Files
Include basic Ad-Aware settings in logfile:
Include additional Ad-Aware settings in logfile:
Please do not check (Green): Include Module list in logfile:

Click on "Proceed"

3) Click on "Scan Now"

4) Please deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat.
If these are included in your logfile they will be removed, as they just take up space and we will not give advice on them; they are the user's choice.

5) Run the scanner using the Full Scan (Perform full system scan) mode.
A full scan is the in-depth scan mode that scans your whole computer for Spyware infections. When performing a full scan the following scan settings are used:

- Full Memory Scan is performed
- Registry Scan is performed
- Deep Registry scan is performed
- Cookie-Scan is performed
- Favorites are scanned
- Hosts file is scanned
- Conditional scans are performed
- Archive files are scanned
- All fixed drives are scanned
__________________________________________________________
Then go here http://www.spyware911.net/xcleaner.htm and run the online spyware scan, remove anything found and reboot if necessary.

Next, turn off system restore http://www.spyware911.net/forum/index.php?showtopic=16 by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Go to Add/Remove Programs and remove Spybot. You managed to get an infected copy and you can't use it ever again unless you completely re-format.

Go here http://tinyurl.com/0 and apply Norton's Spybot Worm fix for your computer.

Next, go to Add/Remove Programs and remove the P2P Networking programs. That clogs up your computer and is probably the cause of the peper trojan.

Next, empty the recycle bin.

Reboot.

Then post a fresh hijack log please. We will deal with the rest of the log after you post the new log and we see what is left. Liz
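
Added example, not part of the thread: a small Python triage pass over the O4 (registry autorun) lines of a HijackThis log like the one posted above. The three hint names are assumptions chosen for illustration, not HijackThis output and not verdicts; the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Sample O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [JpgEZExW] C:\documents and settings\owner.your-us67pi6luv.002\local settings\temp\JpgEZExW.exe
O4 - HKLM\..\Run: [cvmonitor.exe] cvmonitor.exe
O4 - HKLM\..\RunServices: [cvmonitor.exe] cvmonitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")

def parse_o4(log):
    """Return one dict per registry autorun (O4) line; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key, "name": name, "command": command})
    return entries

def triage(entries):
    """Map autorun name -> sorted hints. Hints are illustrative heuristics only."""
    keys_by_name = defaultdict(set)
    for e in entries:
        keys_by_name[e["name"]].add(e["key"])
    hints = defaultdict(set)
    for e in entries:
        cmd = e["command"].lower()
        if "\\temp\\" in cmd:                     # launched out of a Temp folder
            hints[e["name"]].add("runs-from-temp")
        if not re.match(r'"?[a-z]:\\', cmd):      # bare filename, resolved via search path
            hints[e["name"]].add("no-full-path")
        if len(keys_by_name[e["name"]]) > 1:      # e.g. both Run and RunServices
            hints[e["name"]].add("multiple-run-keys")
    return {name: sorted(h) for name, h in hints.items()}

if __name__ == "__main__":
    for name, h in triage(parse_o4(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(h)}")
```

An entry with a hint is only one to look at first when comparing the fresh log against the old one; legitimate drivers and utilities can also register by bare filename.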
 