Please help... Computer shuts down after 5 min

I am unable to make changes on this computer. It belongs to a friend and I am logged in as an Admin, but I still do not have the right to make changes. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:37 PM, on 3/22/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\TEMP\F8C6.tmp
C:\WINDOWS\shell.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\MAGICS~1\LOCALS~1\Temp\TEMPOR~1.ZIP\HIJACK~1.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lanmanwrk.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = h
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - C:\WINDOWS\System32\jkkjjki.dll
O2 - BHO: (no name) - {C6370EF8-CAD8-4892-BCC0-5DDD6AA8589B} - C:\WINDOWS\System32\pmnli.dll
O4 - HKLM\..\Run: [cssrss.exe] cssrss.exe
O4 - HKLM\..\Run: [vmlib] vmlib.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [_] c:\windows\system32\drivers\dcbcg.exe
O4 - HKLM\..\Run: [WinMed] winmed.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\wind32.exe
O4 - HKLM\..\Run: [kfatoj] rundll32.exe "C:\WINDOWS\TEMP\tgbqhof.sys" WLEntryPoint
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\System32\wbem\csrss.exe
O4 - HKLM\..\Run: [qehdhkcm] C:\WINDOWS\system32\qehdhkcm.exe
O4 - HKLM\..\Run: [uxswqerf] C:\Program Files\Xkqflmpy\uxswqerf.exe
O4 - HKLM\..\Run: [svunqhcr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\svunqhcr.dll"
O4 - HKLM\..\Run: [bdqopeae] rundll32.exe "C:\WINDOWS\TEMP\tgbqhof.sys" WLEntryPoint
O4 - HKLM\..\Run: [28cd6fbb] rundll32.exe "C:\WINDOWS\System32\ipqllrbf.dll",b
O4 - HKLM\..\Run: [BM2bfe5c27] Rundll32.exe "C:\WINDOWS\System32\mkpmucnh.dll",s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\PROGRA~1\PEERGU~1\pg2.exe
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKLM\..\Policies\Explorer\Run: [kjalormd] rundll32.exe "C:\WINDOWS\System32\epsbmponqdo.sys" WLEntryPoint
O4 - HKLM\..\Policies\Explorer\Run: [zr080f9MxM] C:\WINDOWS\System32\OS1ZN2~1.EXE
O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'Default user')
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\lcnahcne.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lcnahcne.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C72B6C7B-53C5-44DE-9CE9-2067BCEBBEB3}: NameServer = 85.255.114.194,85.255.112.120
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.194 85.255.112.120
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.194 85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.194 85.255.112.120
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: jkkjjki - C:\WINDOWS\SYSTEM32\jkkjjki.dll
O20 - Winlogon Notify: mp3res - C:\WINDOWS\SYSTEM32\mp3res.dll
O20 - Winlogon Notify: ofilgbil - C:\WINDOWS\SYSTEM32\ofilgbil.dll
O20 - Winlogon Notify: tuvvwww - tuvvwww.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O21 - SSODL: zTmCAOu - {28CD6F15-8267-C5BF-26B1-493A5DFCBA5C} - C:\WINDOWS\system32\sef.dll
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - (no file)
O23 - Service: 1Google Online Search Service - Unknown owner - C:\WINDOWS\System32\winlegal.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

--
End of file - 7497 bytes
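The log above can be triaged mechanically. The script below is an added example (not part of the original post or of HijackThis) that runs a handful of high-risk checks over a constructed subset of the lines from this log: a Shell= or UserInit= value that chains extra programs, Run keys that masquerade as core processes or launch from a temp directory, rundll32 loading a .sys file, DisableRegedit policy, unknown Winsock LSPs, public DNS servers in the O17 entries, AppInit_DLLs, non-default Winlogon Notify packages, and unknown-owner services living under the Windows directory. The baseline set of Windows XP Winlogon Notify packages and the list of core process names are assumptions for this example, not something HijackThis itself defines.

```python
import re
from ipaddress import ip_address

# Constructed sample: a subset of the lines from the HijackThis log above, plus
# four clean lines (dumprep, PeerGuardian, cscdll, iPod Service) as negative cases.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\System32\wbem\csrss.exe
O4 - HKLM\..\Run: [kfatoj] rundll32.exe "C:\WINDOWS\TEMP\tgbqhof.sys" WLEntryPoint
O4 - HKCU\..\Run: [PeerGuardian] C:\PROGRA~1\PEERGU~1\pg2.exe
O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\lcnahcne.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.194 85.255.112.120
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: cscdll - C:\WINDOWS\SYSTEM32\cscdll.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumed baseline of Windows XP Winlogon Notify packages; extend for your build.
XP_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Core process names that are never legitimately started from a Run key (assumed list).
CORE_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                      "lsass.exe", "svchost.exe", "spoolsv.exe", "userinit.exe"}

def _first_token(cmd):
    """Executable part of a Run-key command: a quoted path or the first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""

def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def check_line(line):
    """Return a reason string if the HijackThis line matches a high-risk pattern, else None."""
    m = re.match(r"^(F2|O4|O7|O10|O17|O20|O23) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    low = body.lower()
    if section == "F2" and low.startswith("reg:system.ini: shell="):
        if body.split("=", 1)[1].strip().lower() != "explorer.exe":
            return "Shell= runs something besides Explorer.exe"
    elif section == "F2" and low.startswith("reg:system.ini: userinit="):
        extra = [p.strip() for p in body.split("=", 1)[1].split(",")
                 if p.strip() and _basename(p.strip()) != "userinit.exe"]
        if extra:
            return "UserInit= chains extra binaries at logon: " + ", ".join(extra)
    elif section == "O4":
        cmd = body.split("] ", 1)[1] if "] " in body else body
        exe = _basename(_first_token(cmd))
        if exe in CORE_PROCESS_NAMES:
            return "Run entry masquerades as core process " + exe
        if exe == "rundll32.exe" and ".sys" in cmd.lower():
            return "rundll32 loads a .sys file as a DLL"
        if "\\temp\\" in cmd.lower():
            return "Run entry launches from a temp directory"
    elif section == "O7" and "disableregedit=1" in low:
        return "Registry editor disabled by policy"
    elif section == "O10" and low.startswith("unknown file in winsock lsp"):
        return "Unrecognised Winsock LSP DLL"
    elif section == "O17":
        public = [ip for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", body) if ip_address(ip).is_global]
        if public:
            return "DNS servers point to public addresses: " + ", ".join(public)
    elif section == "O20" and low.startswith("appinit_dlls:"):
        if body.split(":", 1)[1].strip():
            return "AppInit_DLLs injects a DLL into every user32-linked process"
    elif section == "O20" and low.startswith("winlogon notify:"):
        name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
        if name not in XP_WINLOGON_NOTIFY:
            return "Non-default Winlogon Notify package '%s'" % name
    elif section == "O23":
        parts = body.split(" - ")
        if len(parts) >= 3 and parts[-2].strip() == "Unknown owner" and "\\windows\\" in parts[-1].lower():
            return "Unknown-owner service running from the Windows directory"
    return None

def triage(log_text):
    """Scan a whole HijackThis log; returns [(section, reason, line), ...] for flagged lines."""
    findings = []
    for line in log_text.splitlines():
        reason = check_line(line)
        if reason:
            clean = line.strip()
            findings.append((clean.split(" - ", 1)[0], reason, clean))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (section, reason, line))
```

Two caveats. The O17 check flags any public resolver, so a box deliberately configured to use a public DNS service will also trip it; compare the addresses against what the ISP or router actually hands out before calling it a hijack. And the output is a lead, not a verdict: on a log like the one above, where the logon chain, Winlogon, the LSP stack and DNS are all modified, the practical answer is the one given in the reply below, a rebuild rather than line-by-line removal.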

Comments

  • edited March 2008
    Hello iNTeRNeT JuNKie,

    Not much I can provide as far as encouragement here. That system has no rights, except for those the malware dictates. XP with no upgrades or security patches or updates, and so seriously infected that it truly is under the control of someone other than you all there. This needs to be reformatted and the operating system reinstalled, and after that all upgrades and updates installed as well. I would not suggest trying to offload too much of personal data either, as any executables there may be compromised as well.
  • VekaVeka Finland
    edited April 2008
    This topic is now closed due to inactivity. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    If you are not the user who started this thread, you must start your own Thread instead :)