About Brian Benosky
Expertise
I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (including Vista) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience
I have over 25 years experience in using, building, and repairing computers. I have helped over a thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

Computer Security & Viruses - CMD Auto Shutdown


Expert: Brian Benosky - 9/21/2008

Question
QUESTION: Hi Brian,

I think you're the right person to help me.
My PC automatically shuts down whenever I run cmd.exe.
When I reboot my PC, an error appears saying scvcshosts.exe was not found.
When I open Internet Explorer, the title bar displays "TAGA LIPA ARE".
Here is the HijackThis result:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:19, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\CimLicense.exe
C:\FujiFlexa\Client\Bin\FNCTCSVC.EXE
C:\FujiFlexa\Common\Bin\FNCTRAGT.EXE
C:\FUJICC\CCSERV\BIN\FujiRshService.exe
C:\FUJICC\CCSERV\BIN\ccsvsrv.exe
C:\FUJICC\CCSERV\BIN\rshd.exe
C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\GEMHostService.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\FUJICC\CCSERV\BIN\ccslogd.exe
C:\FUJICC\CCSERV\BIN\mcmon.exe
C:\FUJICC\CCSERV\BIN\mcmng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\FUJICC\CCSERV\BIN\mcrwhand.exe
C:\FUJICC\CCSERV\BIN\prodmng.exe
C:\FUJICC\CCSERV\BIN\schedule.exe
C:\FUJICC\CCSERV\BIN\mclog.exe
C:\FUJICC\CCSERV\BIN\hostlog.exe
C:\FUJICC\CCSERV\BIN\listmng.exe
C:\FUJICC\CCSERV\BIN\flresrc.exe
C:\FUJICC\CCSERV\BIN\procview.exe
C:\FUJICC\CCSERV\BIN\cmdserv.exe
C:\FUJICC\CCSERV\BIN\mcrqrecp.exe
C:\FUJICC\CCSERV\BIN\ccclient.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\FujiFlexa\Common\Bin\FncSCUsrMng.exe
C:\FujiFlexa\Server\Bin\FNCDTMGR.EXE
C:\FujiFlexa\Server\Bin\FNCRPUMG.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\FujiFlexa\Common\Bin\FNCRTVIW.EXE
C:\FujiFlexa\Client\Bin\FncLineReportMessenger.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://flexaserver/fujiflexa/Reports/ShowHistory.asp?id=Feeder&Path=history/noel...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!
F2 - REG:system.ini: Shell=Explorer.exe scvshosts.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [\\FLEXASERVER\EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P37 "\\FLEXASERVER\EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [Auto EPSON Stylus C67 Series on FLEXASERVER] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P43 "Auto EPSON Stylus C67 Series on FLEXASERVER" /O23 "\\FLEXASERVER\EPSON C67" /M "Stylus C67"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [N3228c] "C:\WINDOWS\_default20802.pif"
O4 - HKCU\..\Policies\Explorer\Run: [f3444Adm] "C:\Documents and Settings\Administrator\Local Settings\Application Data\dv6211500x\yesbron.com"
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [y3114SYS] "C:\Documents and Settings\LocalService\Local Settings\Application Data\dv6191700x\yesbron.com" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [y474] "C:\Documents and Settings\LocalService\Local Settings\Application Data\dv633300x\yesbron.com" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [y3114SYS] "C:\Documents and Settings\LocalService\Local Settings\Application Data\dv6191700x\yesbron.com" (User 'Default user')
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Remote Viewer.lnk = ?
O4 - Global Startup: Result Viewer.lnk = C:\FujiFlexa\Client\Bin\FncLineReportMessenger.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CIMLicense - Unknown owner - C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\CimLicense.exe
O23 - Service: FNC User Manager - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Common\Bin\FncSCUsrMng.exe
O23 - Service: FNC Machine Communicate Service (FNCDTMGR) - Fuji Machine Mfg. Co., Ltd - C:\FujiFlexa\Server\Bin\FNCDTMGR.EXE
O23 - Service: FNC Web Service (FNCRPUMG) - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Server\Bin\FNCRPUMG.EXE
O23 - Service: FNC Protocol Client (FncTcsvc) - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Client\Bin\FNCTCSVC.EXE
O23 - Service: FNC Remote Command Agent (FncTragt) - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Common\Bin\FNCTRAGT.EXE
O23 - Service: Fuji RemoteShell Server - Fuji Machine Mfg. Co., Ltd - C:\FUJICC\CCSERV\BIN\FujiRshService.exe
O23 - Service: Fuji Communication Center (FujiCC) - Unknown owner - C:\FUJICC\CCSERV\BIN\ccsvsrv.exe
O23 - Service: GEMHostService - Cimetrix, Inc. - C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\GEMHostService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel PDS - Unknown owner - C:\WINDOWS\system32\cba\pds.exe (file missing)
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 8643 bytes

Thanks in advance.


ANSWER: Hi cROELty

"TAGA LIPA ARE" is a worm that spreads through removable drives, such as USB drives and iPods.  Let's start by downloading Malwarebytes' Anti-Malware to your desktop from here:

http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program.
 * At the end, be sure a checkmark is placed next to
       o Update Malwarebytes' Anti-Malware
       o and Launch Malwarebytes' Anti-Malware
 * then click Finish.
 * If an update is found, it will download and install the latest version.
 * Once the program has loaded, select Perform full scan, then click Scan.
 * When the scan is complete, click OK, then Show Results to view the results.
 * Be sure that everything is checked, and click Remove Selected.
 * When completed, a log will open in Notepad.  Copy that log and a new HJT log here in a follow-up.

Brian


---------- FOLLOW-UP ----------

QUESTION: Hi Brian,

Thanks for the reply.
The PC shutdown when CMD is open still occurs, even after the malware scan.

Here is the Malware log.

Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 5.1.2600 Service Pack 2

9/21/2008 11:13:06
mbam-log-2008-09-21 (11-13-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 89120
Time elapsed: 45 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\a (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\secdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:37, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\CimLicense.exe
C:\FujiFlexa\Client\Bin\FNCTCSVC.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\FujiFlexa\Common\Bin\FNCTRAGT.EXE
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\FujiFlexa\Common\Bin\FNCRTVIW.EXE
C:\FujiFlexa\Client\Bin\FncLineReportMessenger.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\FUJICC\CCSERV\BIN\FujiRshService.exe
C:\FUJICC\CCSERV\BIN\rshd.exe
C:\FUJICC\CCSERV\BIN\ccsvsrv.exe
C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\GEMHostService.exe
C:\FUJICC\CCSERV\BIN\ccslogd.exe
C:\FUJICC\CCSERV\BIN\mcmon.exe
C:\FUJICC\CCSERV\BIN\mcmng.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\FUJICC\CCSERV\BIN\mcrwhand.exe
C:\FUJICC\CCSERV\BIN\prodmng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\FUJICC\CCSERV\BIN\schedule.exe
C:\FUJICC\CCSERV\BIN\mclog.exe
C:\FUJICC\CCSERV\BIN\hostlog.exe
C:\FUJICC\CCSERV\BIN\listmng.exe
C:\FUJICC\CCSERV\BIN\flresrc.exe
C:\FUJICC\CCSERV\BIN\procview.exe
C:\FUJICC\CCSERV\BIN\cmdserv.exe
C:\FUJICC\CCSERV\BIN\mcrqrecp.exe
C:\FUJICC\CCSERV\BIN\ccclient.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\FujiFlexa\Common\Bin\FncSCUsrMng.exe
C:\FujiFlexa\Server\Bin\FNCDTMGR.EXE
C:\FujiFlexa\Server\Bin\FNCRPUMG.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\FujiFlexa\Server\Bin\FncTfSrv.exe
C:\FujiFlexa\Server\Bin\FncPiSrv.exe
C:\FujiFlexa\Server\Bin\FncTfSrv2.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://flexaserver/fujiflexa/Reports/ShowHistory.asp?id=Feeder&Path=history/noel...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Bulakenyo Ako!
F2 - REG:system.ini: Shell=Explorer.exe scvshosts.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [\\FLEXASERVER\EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P37 "\\FLEXASERVER\EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [Auto EPSON Stylus C67 Series on FLEXASERVER] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P43 "Auto EPSON Stylus C67 Series on FLEXASERVER" /O23 "\\FLEXASERVER\EPSON C67" /M "Stylus C67"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [N3228c] "C:\WINDOWS\_default20802.pif"
O4 - HKCU\..\Policies\Explorer\Run: [f3444Adm] "C:\Documents and Settings\Administrator\Local Settings\Application Data\dv6211500x\yesbron.com"
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [y3114SYS] "C:\Documents and Settings\LocalService\Local Settings\Application Data\dv6191700x\yesbron.com" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [y474] "C:\Documents and Settings\LocalService\Local Settings\Application Data\dv633300x\yesbron.com" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [y3114SYS] "C:\Documents and Settings\LocalService\Local Settings\Application Data\dv6191700x\yesbron.com" (User 'Default user')
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Remote Viewer.lnk = ?
O4 - Global Startup: Result Viewer.lnk = C:\FujiFlexa\Client\Bin\FncLineReportMessenger.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CIMLicense - Unknown owner - C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\CimLicense.exe
O23 - Service: FNC User Manager - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Common\Bin\FncSCUsrMng.exe
O23 - Service: FNC Machine Communicate Service (FNCDTMGR) - Fuji Machine Mfg. Co., Ltd - C:\FujiFlexa\Server\Bin\FNCDTMGR.EXE
O23 - Service: FNC Web Service (FNCRPUMG) - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Server\Bin\FNCRPUMG.EXE
O23 - Service: FNC Protocol Client (FncTcsvc) - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Client\Bin\FNCTCSVC.EXE
O23 - Service: FNC Remote Command Agent (FncTragt) - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Common\Bin\FNCTRAGT.EXE
O23 - Service: Fuji RemoteShell Server - Fuji Machine Mfg. Co., Ltd - C:\FUJICC\CCSERV\BIN\FujiRshService.exe
O23 - Service: Fuji Communication Center (FujiCC) - Unknown owner - C:\FUJICC\CCSERV\BIN\ccsvsrv.exe
O23 - Service: GEMHostService - Cimetrix, Inc. - C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\GEMHostService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel PDS - Unknown owner - C:\WINDOWS\system32\cba\pds.exe (file missing)
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 8803 bytes

By the way, do you know what "TAGA LIPA ARE" means? It means "I am from Lipa". Lipa is a city in the Philippines; just some trivia, if you don't mind.

Thank you very much.

Answer
Hi cROELty

Thanks for the info; I was thinking it was some sort of anagram or Latin phrase. The CMD shutdown can be evidence of further infection, or possibly corrupt system files.
Download SDFix and save it to your Desktop:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:

   * Restart your computer
   * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
   * Instead of Windows loading as normal, the Advanced Options Menu should appear
   * Select the first option, to run Windows in Safe Mode, then press Enter
   * Choose your usual account.

   * Open the extracted SDFix folder and double click RunThis.bat to start the script.
   * Type Y to begin the cleanup process.
   * It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
   * Press any key and it will restart the PC.
   * When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
   * Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
   * Finally paste the contents of the Report.txt here with a new HijackThis log.

Brian
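Added example, not part of this thread or of HijackThis itself: a small Python triage script for the patterns that both HijackThis logs above turn on, namely the `F2 Shell=` entry with a second executable appended after Explorer.exe, the hijacked Internet Explorer window title, and `Policies\Explorer\Run` autoruns pointing at `.pif`/`.com` files under the Windows directory or a user's Application Data. The sample lines are constructed from the logs quoted in the thread; the rule names and the extension list are my own choices.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines, modelled on the HijackThis entries quoted in this thread.
SAMPLE_LOG = [
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!",
    r"F2 - REG:system.ini: Shell=Explorer.exe scvshosts.exe",
    r"F2 - REG:system.ini: UserInit=C:\\WINDOWS\system32\userinit.exe,",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r'O4 - HKLM\..\Policies\Explorer\Run: [N3228c] "C:\WINDOWS\_default20802.pif"',
    r'O4 - HKCU\..\Policies\Explorer\Run: [f3444Adm] "C:\Documents and Settings\Administrator\Local Settings\Application Data\dv6211500x\yesbron.com"',
    r"O23 - Service: Intel PDS - Unknown owner - C:\WINDOWS\system32\cba\pds.exe (file missing)",
]

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "R1 - ...", "F2 - ...", "O4 - ..."
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SUSPECT_EXT = {".pif", ".com"}  # autorun targets with these extensions appear in the logs above


def image_path(cmd):
    """Return the executable path from an O4 command string, quoted or not, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(lines):
    """Return (rule, detail) findings for the hijack patterns visible in this thread's logs."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                     # header, process list, "End of file" and similar
        section, body = m.groups()
        if section == "F2" and body.startswith("REG:system.ini: Shell="):
            # A clean Shell= value is exactly Explorer.exe; anything appended is run at every logon.
            shell = body.split("=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(("shell_hijack", shell))
        elif section == "R1" and "Window Title" in body:
            # IE's window title is rarely set by legitimate software; here it carries the worm's tag.
            findings.append(("ie_title_hijack", body.split("=", 1)[1].strip()))
        elif section == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue                 # Startup-folder .lnk entries use a different layout
            path = image_path(o4.group("cmd"))
            if "policies\\explorer\\run" in o4.group("key").lower():
                # Policies\Explorer\Run is an autorun key most users never look at.
                findings.append(("policy_run", path))
            if PureWindowsPath(path).suffix.lower() in SUSPECT_EXT:
                findings.append(("unusual_extension", path))
            if "\\local settings\\application data\\" in path.lower():
                findings.append(("profile_data_dir", path))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:<18} {detail}")
```

Feeding it a saved log (one line per list element) rather than the constructed sample flags the same five entries the expert's cleanup steps target, while the legitimate `..\Run` entries for Intel graphics and Avira produce nothing.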
