• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1302
  • Last Modified:

Virus or malware causing WIndows firewall not to functionn & PC keeps shutting down

This week I've had 2 computers come in from different customers - both shutting down randomly and Windows Firewall is not functioning.
Computers were dreadfully slow also.
Spyware Doctor and Quick Heal Antivrus are running on both PCs.
I've ran Trend Micro Housecall on both
0
Teresa_B
Asked:
Teresa_B
2 Solutions
 
rpggamergirlCommented:
Hi,

Let's look at a hijackthis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then upload the logs to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
0
 
gonzal13RetiredCommented:
Try disconnecting the Windows firewall and installing the zonealarm.com firewall.
0
 
Teresa_BAuthor Commented:
Results of Hijackthis: FOR COMPUTER NUMBER 1 this was done after several attempts of Spyware Doctor. System only seem to shut down now when trying to instal IE7. Comodo Firewall used now instead of Windows because Windows stopped working.

Logfile of HijackThis v1.99.1
Scan saved at 9:59:37 PM, on 21/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\QUICKH~1\scanwscs.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\QUICKH~1\UPSCHD.EXE
C:\PROGRA~1\QUICKH~1\SCANMSG.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\QUICKH~1\OnlineNT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Documents and Settings\Jamie\My Documents\My Music\iTunesHelper.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\QUICKH~1\emlproxy.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX01.188\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\QUICKH~1\SCANMSG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Jamie\My Documents\My Music\iTunesHelper.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\emlproxy.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /check
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161705569906
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
0
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

 
Teresa_BAuthor Commented:
Logfile of HijackThis v1.99.1 FOR COMPUTER NUMBER 2 this was done after several attempts of Spyware Doctor. System shuts down now when trying to iupdate Spyware Doctor, Scan with Spyware Doctor, clean Registry with RegSeeker. PC very sluggish still
Scan saved at 3:50:50 PM, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE
C:\PROGRA~1\QUICKH~1\scanwscs.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\QUICKH~1\EmlProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\QUICKH~1\UPSCHD.EXE
C:\PROGRA~1\QUICKH~1\SCANMSG.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\QUICKH~1\OnlineNT.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Mega Man\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\EmlProxy.exe
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\QUICKH~1\SCANMSG.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\RunOnce: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk571YYAU
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?f05eb129981c4c57aebc05de7fe68930
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?f05eb129981c4c57aebc05de7fe68930
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Run - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE
O23 - Service: Total Security Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Startup Handler - Unknown owner - C:\PROGRA~1\QUICKH~1\strtsvc.exe

0
 
r-kCommented:
For future reference, you can post the HJT log directly to: http://www.hijackthis.de/ and click on the "Analyze" button there and then "Save Analysis" on the next page. Finally just post a link to the saved page.

I did this for you, and the links are:

Computer-1
http://www.hijackthis.de/logfiles/cc5fb11674bd947d0a6f890bcbc502ea.html

Computer-2
http://www.hijackthis.de/logfiles/0b11c382cb318bd6d154304863db274d.html

For computer-2, I would fix the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk571YYAU 
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBIniti alSetup1.0.0.15.cab
O20 - Winlogon Notify: Run - C:\WINDOWS\

(for that last O20 entry I would just edit the Registry manually with Regedit and remove that entry from the following key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify)

For computer-1 I can't see too much wrong.

You might try an online scan for both machines at: http://safety.live.com/site/en-us/default.htm (click on the "Full Service Scan" button there). Also get the trial version of AVG anti-spyware from http://www.ewido.net/en/download/ and scan both machines.
0
 
Teresa_BAuthor Commented:
Thankyou. I will give it a try on Computer 2.
0
 
Teresa_BAuthor Commented:
FYI: The message that comes up regarding Windows Firewall says, "Due to an unidentified problem Windows cannot display Windows Firewall settings."

I've removed those entries - no shut down as yet.
0
 
rpggamergirlCommented:
hmmm... looks like you've got it sorted out then?

If problem still exists, try this article:
http://windowsxp.mvps.org/sharedaccess.htm
0
 
Teresa_BAuthor Commented:
I'm 84% through Full Scan using Spyware Doctor and no shut downs as yet. Dare I hope...?
With latest definitions, Spyware Dr has detected still 55 infections on customers PC. This is the 3rd time in approx 5 weeks I have had to clean up her spyware etc. I was finally able to talk her into getting antivirus & spyware programs as there was nothing on her PC to prevent infection.
I'll hold my breath to see whether there's a shut down. I will keep you informed. thatnks for your help so far - rpggamegirl and r-k
0
 
rpggamergirlCommented:
>>I was finally able to talk her into getting antivirus & spyware programs as there was nothing on her PC to prevent infection.<<
Yeah, it is important for every pc to have at least the basics of protection;
1. resident updated antivirus (I use the free Avast)
2. Firewall (I have Zone Alarm Pro)
3. An antispyware program with real-time monitor

And in my pc I also added "Spyware Blaster" because I use IE as my browser, :)
0
 
Teresa_BAuthor Commented:
Woo Hoo!!! This is the first time since I had the PC since Thursday (Australia) and it's now Saturday (Aus) and a complete spyware scan could be done without PC shutting down. Thankyou thankyou!
55 infections were found in registry - trojan.PWStealBS and removed also.
Now onto fixing firewall...
0
 
Teresa_BAuthor Commented:
No I did not know that - wish I had now. Do you work in IT industry?
My email address is *************** in case we get told off for chatting on here.
Still no shutdowns...everything appears ok still :)


*** Email address removed by rpggamergirl, PE ***
0
 
Teresa_BAuthor Commented:
ok cheers - i should know that but I'm deliriously tired.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now