Full Version: Automatic Random Reboot
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
winandy
The computer here is shutting down automatically. I suspect a virus, but my updated Norton did not fix it.

Here is my taskbar; could one of these processes be a virus?
chrisjea
One of the esteemed experts will probably ask for a lot more information.

However,

1) Are all your Windows Critical Updates current?
2) Is Norton up to date?
3) Referencing #1, did you download the patch for the most recent Win2k problem? It caused random shutdowns. Look at this:

http://www.microsoft.com/security/malwarer...efault.mspx#run

Please post back. You may want to journey over to security and post a HJT log.

Chris
winandy
QUOTE (chrisjea @ Aug 30 2005, 01:11 PM)
One of the esteemed experts will probably ask for a lot more information.

However,

1) Are all your Windows Critical Updates current?
2) Is Norton up to date?
3) Referencing #1, did you download the patch for the most recent Win2k problem? It caused random shutdowns. Look at this:

http://www.microsoft.com/security/malwarer...efault.mspx#run

Please post back. You may want to journey over to security and post a HJT log.

Chris

Hi Chris,

Thanks for your answer.

1 and 2 are OK.

Number 3 I will try.

I also found the "sdbot" value in regedit... I want to erase it, but I'm not sure... Is it really malware?

best regards
chrisjea
Winandy,

QUOTE
I also found the "sdbot" value in regedit... I want to erase it, but I'm not sure... Is it really malware?


I cannot answer this. Hang around for a while. A more talented person than I will see this. Again, I encourage a HJT log in SAF Security.

Instructions are easy to follow.

Chris
Ironbender
Hi Charlie,

You can read more on sdbot at http://securityresponse.symantec.com/avcen...door.sdbot.html

I will move this thread to the Malicious code forum. Please run updated versions of AdAware SE and Spybot S&D, perform a housecall online virus check and finally, post a HijackThis log here.

Chris

Spybot - http://www.safer-networking.org/en/mirrors/index.html
AdAware - http://www.download.com/3000-2144-10045910.html
Housecall - http://housecall.trendmicro.com/
HijackThis - http://www.suggestafix.com/index.php?act=S...ST&f=15&t=16053
winandy
Thanks Ironbender,

I just erased it (the "sdbot" key value in regedit) and the problem is gone (so far).

If it returns I'll try those tips.
winandy
The problem has returned,

I ran the most recent Microsoft tool (tip by chrisjea) and it did not find any malware.

After that I ran HijackThis (tip by Ironbender).

Now I am posting the logfile:
---------------

Logfile of HijackThis v1.99.1
Scan saved at 16:33:57, on 31/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Symantec AntiVirus\DefWatch.exe
C:\Arquivos de programas\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Arquivos de programas\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\internat.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\WINNT\system32\hppapml0.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
\Servidor\Charles\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINNT\Downloaded Program Files\gbiehabn.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Arquivos de programas\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Arquivos de programas\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP LaserJet Director.lnk = C:\Arquivos de programas\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://netbanking2.banespa.com.br/OCX/Secu...reControl2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124310407391
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125409633125
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sorri.sorri
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA919D4-86E1-4AA7-9949-B15DF08732C7}: NameServer = 200.204.0.10,200.204.0.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sorri.sorri
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sorri.sorri
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Arquivos de programas\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Arquivos de programas\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe

-------------------------------

Thanks for any help...
winandy
This was the logfile of the main user (Administrator).

Now I'm posting the logfile of one other user (it's the same computer):

---------

Logfile of HijackThis v1.99.1
Scan saved at 17:38:26, on 31/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\VPTray.exe
C:\Arquivos de programas\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\WINNT\system32\hppapml0.exe
C:\TEMP\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINNT\Downloaded Program Files\gbiehabn.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Arquivos de programas\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Arquivos de programas\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [SysBrand] "C:\ARQUIV~1\iGv6\sysbrand.exe"
O4 - HKCU\..\Run: [WinSX] C:\WINDOWS\Downloader.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Arquivos de programas\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://netbanking2.banespa.com.br/OCX/Secu...reControl2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124310407391
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125409633125
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sorri.sorri
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA919D4-86E1-4AA7-9949-B15DF08732C7}: NameServer = 200.204.0.10,200.204.0.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sorri.sorri
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sorri.sorri
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Arquivos de programas\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Arquivos de programas\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe

------------
HKEd
Hi winandy...I don't see much in the Admin account log, but there are some malware items in the other log. There is nothing showing that would cause the shutdown problem, so it may be a hardware or overheating problem.

Are you familiar with this domain?

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sorri.sorri

Run a HijackThis scan in the other user account and put checks in the boxes next to these lines:

O2 - BHO: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)

O4 - HKCU\..\Run: [SysBrand] "C:\ARQUIV~1\iGv6\sysbrand.exe"

O4 - HKCU\..\Run: [WinSX] C:\WINDOWS\Downloader.exe

O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab


Click on 'Fix checked' and reboot. Locate and delete the iGv6 folder and Downloader.exe in the Windows folder.
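The triage HKEd did by eye above (entries marked "(file missing)", an autostart living in the same iGv6 folder as a dead toolbar, a Run entry pointing at C:\WINDOWS on a machine whose Windows directory is C:\WINNT, a DPF entry sourced from a local file:// path) can be turned into a repeatable check. The script below is an added example and is not part of this thread nor of HijackThis; the heuristics are my own assumptions about what deserves a second look, and the sample log is a constructed excerpt of lines posted above, not a complete log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an excerpt of the second (non-admin) log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SysBrand] "C:\ARQUIV~1\iGv6\sysbrand.exe"
O4 - HKCU\..\Run: [WinSX] C:\WINDOWS\Downloader.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124310407391
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sorri.sorri
"""

# "O4 - <body>" / "R1 - <body>" entry lines as HijackThis prints them.
ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# First Windows path ending in an executable-ish extension inside an entry body.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cab)\b', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str):
    """Return (system_root, entries). system_root is inferred from the first
    running process found under <root>\\system32, e.g. C:\\WINNT."""
    system_root: Optional[str] = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
            continue
        sm = re.match(r"^([A-Za-z]:\\[^\\]+)\\system32\\", line, re.IGNORECASE)
        if sm and system_root is None:
            system_root = sm.group(1)
    return system_root, entries


def windows_root_of(path: str) -> Optional[str]:
    r"""'C:\WINDOWS\Downloader.exe' -> 'C:\WINDOWS' if the top folder looks like a Windows dir."""
    parts = path.split("\\")
    if len(parts) >= 2 and parts[1].upper() in ("WINDOWS", "WINNT"):
        return parts[0] + "\\" + parts[1]
    return None


def triage(text: str) -> List[Finding]:
    """Apply the (assumed) heuristics and return one Finding per suspicious line."""
    system_root, entries = parse_log(text)
    orphan_dirs = set()
    findings: Dict[str, Finding] = {}

    def note(section: str, line: str, reason: str) -> None:
        findings.setdefault(line, Finding(section, line)).reasons.append(reason)

    # Pass 1: dead references; remember their folders for pass 2.
    for section, body, line in entries:
        if "(file missing)" in body:
            note(section, line, "references a file that no longer exists (orphaned component)")
            pm = PATH_RE.search(body)
            if pm:
                orphan_dirs.add(pm.group(0).rsplit("\\", 1)[0].upper())

    # Pass 2: autostarts, ActiveX downloads and network settings.
    for section, body, line in entries:
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else None
        if section == "O4" and path:
            if path.rsplit("\\", 1)[0].upper() in orphan_dirs:
                note(section, line, "autostart runs from the folder of an orphaned browser component")
            wroot = windows_root_of(path)
            if wroot and system_root and wroot.upper() != system_root.upper():
                note(section, line, f"autostart points to {wroot}, but this system's Windows directory is {system_root}")
        if section == "O16" and "file://" in body.lower():
            note(section, line, "ActiveX download entry sourced from a local file:// path, not a vendor site")
        if section == "O17" and "Domain =" in body:
            note(section, line, "DNS domain setting: confirm it is the expected corporate/ISP domain")
    return list(findings.values())


def flagged_lines(text: str) -> List[str]:
    return [f.line for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("    -", r)
```

Run against the excerpt it flags the same five lines HKEd called out or asked about (the iG BHO, SysBrand, WinSX/Downloader.exe, the file:// msxml4.cab entry and the O17 domain) and leaves the Adobe BHO and Symantec ccApp entry alone; the O17 hit is informational only, which matches how the thread resolved it.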
winandy
Thanks HKed,

QUOTE
Are you familiar with this domain?

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sorri.sorri


Yes, it's the domain of the company where I work; "sorri.sorri" means smile.smile (it's a dental institution).

I'll try your suggestion as soon as I arrive at my work place.

best regards
HKEd
QUOTE (winandy @ Sep 1 2005, 07:59 PM)
Yes, it's the domain of the company where I work; "sorri.sorri" means smile.smile (it's a dental institution).

roflmao.gif
Ironbender
QUOTE (HKEd @ Sep 1 2005, 12:46 AM)
There is nothing showing that would cause the shutdown problem, so it may be a hardware or overheating problem.

Hi Charlie,
Just "Googled" this for you... Win2k has an "Automatic Reboot" feature that you can disable, so that you get an error code showing after the crash instead of a recovery and reboot:
QUOTE
Turn off automatic rebooting on unrecoverable errors.

Go to <System Properties/Advanced/Startup & Recovery> and uncheck "Automatic Reboot".

Then when you get an error, report it.

Chris
winandy
QUOTE (HKEd @ Aug 31 2005, 08:46 PM)
There is nothing showing that would cause the shutdown problem, so it may be a hardware or overheating problem.

HKed was right,

The CPU temperature was at 112 °C and the cooler was only doing 2200 RPM (is that normal for an AMD 950 MHz with 256 MB?)...

By the way, I ran HijackThis and fixed the items shown by HKEd.



Ah, thanks Ironbender, for the tip!
Ironbender
233.6 °F??? And it did not melt! Good ol' AMD chip.

Change the cooler and clean the heatsink (normal is above 4000 RPM; 7000 is better). Remember to apply thermal paste to it.

Chris

PS - Hey HKEd, have you ever seen a CPU welded on the motherboard? (Like on Charles's workstation)
winandy
QUOTE (Ironbender @ Sep 1 2005, 04:34 PM)
PS - Hey HKEd, have you ever seen a CPU welded on the motherboard? (Like on Charles's workstation)

Yeah, it is really strange!

I have never seen an on-board processor before.
HKEd
QUOTE (Ironbender @ Sep 2 2005, 07:34 AM)
PS - Hey HKEd, have you ever seen a cpu welded on the motherboard?

No, Chris...but winandy's CPU nearly got to the point of soldering itself to the mobo. biggrin.gif
winandy
QUOTE (HKEd @ Sep 1 2005, 09:40 PM)
QUOTE (Ironbender @ Sep 2 2005, 07:34 AM)
PS - Hey HKEd, have you ever seen a cpu welded on the motherboard?

No, Chris...but winandy's CPU nearly got to the point of soldering itself to the mobo. biggrin.gif

roflmao.gif