About Brian Benosky
Expertise
I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (including Vista) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience
I have over 25 years' experience in using, building, and repairing computers. I have helped over a thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills


Computer Security & Viruses - CMD Auto Shutdown


Expert: Brian Benosky - 9/20/2008

Question
Hi Brian,

I think you're the right person to help me.
My PC automatically shuts down whenever I run cmd.exe.
When I reboot my PC, an error appears saying that scvcshosts.exe was not found.
When I open Internet Explorer, the title bar displays "TAGA LIPA ARE".
Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:19, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\CimLicense.exe
C:\FujiFlexa\Client\Bin\FNCTCSVC.EXE
C:\FujiFlexa\Common\Bin\FNCTRAGT.EXE
C:\FUJICC\CCSERV\BIN\FujiRshService.exe
C:\FUJICC\CCSERV\BIN\ccsvsrv.exe
C:\FUJICC\CCSERV\BIN\rshd.exe
C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\GEMHostService.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\FUJICC\CCSERV\BIN\ccslogd.exe
C:\FUJICC\CCSERV\BIN\mcmon.exe
C:\FUJICC\CCSERV\BIN\mcmng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\FUJICC\CCSERV\BIN\mcrwhand.exe
C:\FUJICC\CCSERV\BIN\prodmng.exe
C:\FUJICC\CCSERV\BIN\schedule.exe
C:\FUJICC\CCSERV\BIN\mclog.exe
C:\FUJICC\CCSERV\BIN\hostlog.exe
C:\FUJICC\CCSERV\BIN\listmng.exe
C:\FUJICC\CCSERV\BIN\flresrc.exe
C:\FUJICC\CCSERV\BIN\procview.exe
C:\FUJICC\CCSERV\BIN\cmdserv.exe
C:\FUJICC\CCSERV\BIN\mcrqrecp.exe
C:\FUJICC\CCSERV\BIN\ccclient.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\FujiFlexa\Common\Bin\FncSCUsrMng.exe
C:\FujiFlexa\Server\Bin\FNCDTMGR.EXE
C:\FujiFlexa\Server\Bin\FNCRPUMG.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\FujiFlexa\Common\Bin\FNCRTVIW.EXE
C:\FujiFlexa\Client\Bin\FncLineReportMessenger.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://flexaserver/fujiflexa/Reports/ShowHistory.asp?id=Feeder&Path=history/noel...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!
F2 - REG:system.ini: Shell=Explorer.exe scvshosts.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [\\FLEXASERVER\EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P37 "\\FLEXASERVER\EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [Auto EPSON Stylus C67 Series on FLEXASERVER] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P43 "Auto EPSON Stylus C67 Series on FLEXASERVER" /O23 "\\FLEXASERVER\EPSON C67" /M "Stylus C67"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [N3228c] "C:\WINDOWS\_default20802.pif"
O4 - HKCU\..\Policies\Explorer\Run: [f3444Adm] "C:\Documents and Settings\Administrator\Local Settings\Application Data\dv6211500x\yesbron.com"
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [y3114SYS] "C:\Documents and Settings\LocalService\Local Settings\Application Data\dv6191700x\yesbron.com" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [y474] "C:\Documents and Settings\LocalService\Local Settings\Application Data\dv633300x\yesbron.com" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [y3114SYS] "C:\Documents and Settings\LocalService\Local Settings\Application Data\dv6191700x\yesbron.com" (User 'Default user')
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Remote Viewer.lnk = ?
O4 - Global Startup: Result Viewer.lnk = C:\FujiFlexa\Client\Bin\FncLineReportMessenger.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CIMLicense - Unknown owner - C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\CimLicense.exe
O23 - Service: FNC User Manager - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Common\Bin\FncSCUsrMng.exe
O23 - Service: FNC Machine Communicate Service (FNCDTMGR) - Fuji Machine Mfg. Co., Ltd - C:\FujiFlexa\Server\Bin\FNCDTMGR.EXE
O23 - Service: FNC Web Service (FNCRPUMG) - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Server\Bin\FNCRPUMG.EXE
O23 - Service: FNC Protocol Client (FncTcsvc) - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Client\Bin\FNCTCSVC.EXE
O23 - Service: FNC Remote Command Agent (FncTragt) - Fuji Machine Mfg. Co., Ltd. - C:\FujiFlexa\Common\Bin\FNCTRAGT.EXE
O23 - Service: Fuji RemoteShell Server - Fuji Machine Mfg. Co., Ltd - C:\FUJICC\CCSERV\BIN\FujiRshService.exe
O23 - Service: Fuji Communication Center (FujiCC) - Unknown owner - C:\FUJICC\CCSERV\BIN\ccsvsrv.exe
O23 - Service: GEMHostService - Cimetrix, Inc. - C:\Program Files\GEM Host Manager Light\bin\Ix86-NT40\GEMHostService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel PDS - Unknown owner - C:\WINDOWS\system32\cba\pds.exe (file missing)
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 8643 bytes

Thanks in advance.
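The HijackThis log above is the diagnostic artefact the expert asks for in every case. As an added example (my code, not part of the question or the answer, and not HijackThis's own tooling), here is a small Python triage script that reads lines in that log format and flags the entry types that stand out in this particular log: the Winlogon Shell value carrying a second program after Explorer.exe, autostart entries placed under Policies\Explorer\Run or pointing at .pif/.com files inside user-writable profile folders, and the overridden Internet Explorer window title. The baselines (the expected Shell and UserInit programs, the list of unusual extensions, the folder hints) are my assumptions; the sample lines are copied from the log in the question and only their selection is constructed.

```python
import re

# Constructed sample in HijackThis log format: the entries are copied from the
# log posted in the question; only the selection and ordering are mine.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!
F2 - REG:system.ini: Shell=Explorer.exe scvshosts.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Policies\Explorer\Run: [N3228c] "C:\WINDOWS\_default20802.pif"
O4 - HKCU\..\Policies\Explorer\Run: [f3444Adm] "C:\Documents and Settings\Administrator\Local Settings\Application Data\dv6211500x\yesbron.com"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
"""

# Assumed baselines (my choices): what a clean Windows XP system has in the two
# Winlogon values that HijackThis reports as F2 "system.ini" entries.
EXPECTED_SHELL = {"explorer.exe"}
EXPECTED_USERINIT = {"userinit.exe"}
# Executable extensions that legitimate autostart entries rarely use.
ODD_EXT = {".pif", ".com", ".scr", ".bat", ".cmd"}
# Profile sub-folders any user can write to; autostart targets there deserve a look.
USER_WRITABLE_HINTS = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 registry form: <hive>\..\<key>: [<name>] <command> [(User '...')]
O4_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r"^(.*?\.(?:exe|com|pif|scr|bat|cmd|dll))(?:\s|$)", re.IGNORECASE)


def target_path(cmd: str) -> str:
    """Pull the program path out of an autostart command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = PATH_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def check_f2(body: str) -> list:
    """Winlogon Shell/UserInit: any program beyond the expected one is a hijack."""
    reasons = []
    if "Shell=" in body:
        progs = [basename(p) for p in body.split("Shell=", 1)[1].replace(",", " ").split()]
        extra = [p for p in progs if p not in EXPECTED_SHELL]
        if extra:
            reasons.append("extra program(s) in Winlogon Shell: " + ", ".join(extra))
    elif "UserInit=" in body:
        progs = [basename(p) for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in progs if p not in EXPECTED_USERINIT]
        if extra:
            reasons.append("extra program(s) in Winlogon UserInit: " + ", ".join(extra))
    return reasons


def check_o4(body: str) -> list:
    """Registry autostart entries: location, extension and folder heuristics."""
    reasons = []
    m = O4_RE.match(body)
    if not m:  # Startup-folder entries use a different layout; not handled here
        return reasons
    key = m.group("key").lower()
    path = target_path(m.group("cmd"))
    low = path.lower()
    if "policies\\explorer\\run" in key:
        reasons.append("autostart via Policies\\Explorer\\Run (uncommon for legitimate software)")
    ext = "." + low.rsplit(".", 1)[-1] if "." in basename(low) else ""
    if ext in ODD_EXT:
        reasons.append(f"target has unusual executable extension {ext}: {basename(path)}")
    if any(h in low for h in USER_WRITABLE_HINTS):
        reasons.append("target lives in a user-writable profile folder")
    return reasons


def analyze(log_text: str) -> list:
    """Return one finding per suspicious line: {'section', 'line', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "F2":
            reasons = check_f2(body)
        elif section == "O4":
            reasons = check_o4(body)
        elif section == "R1" and "Window Title =" in body:
            reasons = ["Internet Explorer window title overridden: " + body.split("=", 1)[1].strip()]
        else:
            reasons = []
        if reasons:
            findings.append({"section": section, "line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['section']}] {f['line']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the sample, the script flags four lines and leaves the igfxtray, ctfmon and Dell service entries alone. The point of the heuristics is triage, not verdicts: a custom window title is also set by some OEM builds, so it is reported as context, while an extra program in the Shell value is the kind of entry a follow-up clean-up log should no longer show.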


Answer
Hi cROELty

"TAGA LIPA ARE" is a worm that spreads through removable drives, such as USB drives and iPods.  Let's start by downloading Malwarebytes' Anti-Malware to your desktop from here:

http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program.
 * At the end, be sure a checkmark is placed next to
       o Update Malwarebytes' Anti-Malware
       o Launch Malwarebytes' Anti-Malware
 * Then click Finish.
 * If an update is found, it will download and install the latest version.
 * Once the program has loaded, select Perform full scan, then click Scan.
 * When the scan is complete, click OK, then Show Results to view the results.
 * Be sure that everything is checked, and click Remove Selected.
 * When completed, a log will open in Notepad. Copy that log and a new HJT log here in a follow-up.

Brian