Spybot S&D makes PC restart

deeboi
2007-04-04, 18:58
Here is the first post I made about this problem.

http://forums.spybot.info/showthread.php?t=12379

Spybot S&D does a full scan in safe mode but restarts the PC in normal mode.
It even does a full scan on my daughter's old Pentium 3 in normal mode without restarting.

To date I've done an online eTrust Antivirus Web Scan with nothing found.
Ran Spybot S&D in safe mode with No Immediate Threats found.
Ran AdAware found 9 objects and deleted them.
Avast Antivirus scan nothing found either.

And sorry to the helper, but I ran an online HJT analyzer. The 2 files I had fixed began "O9 - Extra button: (no name)" and had "(file missing)" at the end.
I did not recognise the file name and thought it would be OK to fix.

Anyway here is my latest HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 17:31:23, on 04/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rmctrl.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.93.68.55:8888
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB94F70D-1BCD-4539-B18E-8B9BE698D96E}: NameServer = 62.31.64.39,62.31.112.39,62.31.144.39
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SVCLOAD - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
O23 - Service: SVCMGR - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Thanx in advance, deeboi :bigthumb:
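
Added example (the editor's, not from the thread and not Spybot's or HijackThis's own tooling): a small Python triage pass over the log above. It applies the check the helper makes by hand on the O23 lines, flagging a service whose binary carries a core Windows name but lives outside %SystemRoot%\system32 (or the dllcache backup directory that Windows File Protection keeps), and it also reports the R1 proxy when it points off the LAN and lists the O17 DNS servers so they can be verified against the ISP. The sample lines are copied from the log; the list of core binary names, the canonical directories and the proxy rule are the editor's assumptions, and a hit means "look at this", not "this is malware".

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Assumption: core Windows binaries that malware likes to name itself after.
CORE_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "smss.exe", "services.exe", "spoolsv.exe", "explorer.exe"}

# HJT line shapes used below: "O23 - Service: NAME - OWNER - PATH",
# "R1 - ...,ProxyServer = HOST:PORT", "O17 - ...: NameServer = A,B,C"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>\S+)")


def _expected_dirs(basename):
    # Assumption: explorer.exe lives in %SystemRoot%; everything else in
    # system32 or the Windows File Protection backup under system32\dllcache.
    if basename == "explorer.exe":
        return (r"\windows",)
    return (r"\windows\system32", r"\windows\system32\dllcache")


def is_masquerading(path):
    """True if PATH names a core Windows binary sitting outside its canonical directory."""
    p = PureWindowsPath(path.strip().strip('"'))
    base = p.name.lower()
    if base not in CORE_BINARIES:
        return False
    parent = str(p.parent).lower()
    if len(parent) >= 2 and parent[1] == ":":   # drop the drive letter
        parent = parent[2:]
    return parent not in _expected_dirs(base)


def proxy_is_remote(proxy):
    """True when the IE proxy points somewhere other than this machine or the LAN."""
    host = proxy.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname: cannot judge offline, so surface it for review
    return not (addr.is_loopback or addr.is_private)


def triage(log_text):
    """Scan an HJT log and return the items a helper would ask about first."""
    findings = {"masquerade": [], "proxy": None, "dns": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m and is_masquerading(m.group("path")):
            findings["masquerade"].append((m.group("name"), m.group("path")))
            continue
        m = R1_PROXY_RE.match(line)
        if m and proxy_is_remote(m.group("proxy")):
            findings["proxy"] = m.group("proxy")
            continue
        m = O17_RE.match(line)
        if m:
            findings["dns"].extend(s for s in m.group("servers").split(",") if s)
    return findings


# Lines copied from the log in the post above (a subset is enough to show the checks).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.93.68.55:8888
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB94F70D-1BCD-4539-B18E-8B9BE698D96E}: NameServer = 62.31.64.39,62.31.112.39,62.31.144.39
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: SVCLOAD - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
O23 - Service: SVCMGR - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, path in result["masquerade"]:
        print(f"[!] service {name!r} runs a core-named binary from a non-standard path: {path}")
    if result["proxy"]:
        print(f"[?] IE proxy set to {result['proxy']}: confirm you configured this")
    print("[i] DNS servers to verify with your ISP:", ", ".join(result["dns"]))
```

"Unknown owner" on its own is not used as a signal: the log shows legitimate avast! services reported that way too, so the path check is what separates the SVCLOAD/SVCMGR entries from the rest.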

shelf life
2007-04-05, 00:52
hi deeboi,

These two services look mighty suspicious. Let's stop them for now, then try the Spybot scan to see if it completes. We may have to remove them manually.

Go to Start > Run and type in services.msc. In the list of services that comes up, under the Name column, look for these two:

SVCLOAD
SVCMGR

For each one, do this:
Right-click on it and select Properties. Under the General tab:
make sure that the Service status is: Stopped
and the Startup type is: Disabled

Reboot your computer and scan with Spybot.

shelf life

deeboi
2007-04-05, 13:15
Thanks for helping shelf life.

OK, the 2 services were already stopped and I disabled them as well, then rebooted the PC.

Sorry to say the PC restarted again during the scan; the temp was only 45.6 degrees C.

While running Spybot S&D in safe mode the temp runs at a constant 69/70 degrees C until the scan finishes, which makes me think it's some sort of malware and not overheating.

Will wait for your reply, thanks again.

deeboi.

shelf life
2007-04-06, 00:36
Hi deeboi,

> and not overheating.

If it was shutting down due to the CPU overheating, then it would be happening with other apps also. I can't think that Spybot would be any more CPU intensive than some other apps, like encoding video with Alcohol Soft. Have you had any reboots when using any other software on your computer? The log looks OK as far as malware goes.

shelf life

deeboi
2007-04-06, 01:57
Hi shelf life, thanks for the reply. I have no reboots at all with any other apps, the most demanding probably being DVD2SVCD (converting .avi files to .mp2 + .mpv files), which runs at over 70 degrees C for just over 3 hours.

It's strange, eh! If it's not malware I wonder what it could be?

I never had any bother with Spybot S&D before I upgraded to version 1.4.
All is not lost though, as I can still run it in safe mode. :bigthumb:

thanks again, deeboi.

shelf life
2007-04-06, 22:33
Hi deeboi,

> It's strange eh!

It is. The log looks OK as far as malware goes. You have Spybot and Ad-Aware. I can't offer any explanation for why Spybot reboots your computer. Just to get another look for malware, why not download, install, update and scan with AVG Anti-Spyware:

http://free.grisoft.com/doc/20/lng/us/tpl/v5

> converting .avi files to .mp2 + .mpv files

I use the excellent encoder TMPGEnc.

deeboi
2007-04-07, 13:54
Thanks for all your help shelf life.
If there's no malware in the logs then that's good enough for me, I'll just run Spybot S&D in safe mode.

Before I used Avast Antivirus I used to use AVG Antivirus (another excellent free antivirus program). I'll check out AVG Anti-Spyware though. :bigthumb:

I use TMPGEnc for .mpg files but it takes forever to encode. I also always use TMPGEnc Author 1.6 for authoring, editing and menus.
DVD2SVCD uses Cinema Craft Encoder for the encoding part, so produces excellent results in just 3 hours.
The Movie Machine is also meant to be a really good program, but I've never used it.

Thanks again m8, deeboi. :D:

shelf life
2007-04-07, 21:19
Hi deeboi,

I don't see any malware in the HJT log other than those two services, but an HJT log doesn't show all malware. That's why scanning with AVG would be a good second look. You have two questionable services and Spybot is choking on something during a scan. It might be one of those services. It can complete a scan in safe mode because only minimal services, drivers etc. are loaded.

I am still concerned about these two:

O23 - Service: SVCLOAD - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe

O23 - Service: SVCMGR - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe

Let's do this to get the files checked out.
To show all files/folders:

For XP: on the desktop, double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then uncheck "Hide protected operating system files" and also uncheck "Hide extensions for known file types". Click Apply to All Folders, Apply, then OK.

Go to this website:
http://www.virustotal.com/en/indexf.html

Browse for both winlogon.exe files and upload them to be checked.
It looks like they are in a folder called sys32 that's in the dllcache dir.

If flagged as malware, delete them both. Make sure you get the right ones, because there is a legit winlogon.exe in the dllcache dir.
Looks like you have an extra folder in there called sys32, where the two questionable winlogon.exe's should be.

shelf life
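
Added example (the editor's, not from the thread and not VirusTotal's tooling): Python that does the two things the steps above ask for by hand. It finds every copy of a given file name under a directory tree (hidden folders included, since Explorer's defaults hide them) and fingerprints each with MD5 and SHA-256, so the hash can be searched on a service like VirusTotal before anything is uploaded, and so each copy can be compared byte-for-byte with the one you trust. The directory tree is built in a temporary folder from made-up bytes that mirror the layout in the log (system32\winlogon.exe, its dllcache backup, and a sys32\winlogon.exe under dllcache); nothing here reads a real Windows install, and the trusted copy is an assumption the caller supplies.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path):
    """Return (size, md5, sha256) for PATH, hashing in chunks so large binaries are fine.
    MD5 and SHA-256 are the values a service such as VirusTotal lets you search by,
    so a hash lookup can come before uploading the file itself."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha.hexdigest()


def find_copies(root, basename):
    """Every file called BASENAME (case-insensitive) anywhere under ROOT, hidden dirs included."""
    want = basename.lower()
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.name.lower() == want)


def compare_copies(root, basename, reference):
    """Fingerprint each copy of BASENAME under ROOT and mark whether it is byte-identical
    to REFERENCE (the copy you trust, e.g. the one in system32)."""
    ref = fingerprint(reference)
    report = []
    for p in find_copies(root, basename):
        size, md5, sha = fingerprint(p)
        report.append({"path": str(p), "size": size, "md5": md5, "sha256": sha,
                       "matches_reference": (size, md5, sha) == ref})
    return report


def build_demo_tree():
    """Constructed stand-in for the layout in the HJT log. The contents are made-up
    bytes, not real Windows binaries. Returns (root, path_of_trusted_copy)."""
    root = Path(tempfile.mkdtemp(prefix="winlogon_demo_"))
    trusted = root / "system32" / "winlogon.exe"
    backup = root / "system32" / "dllcache" / "winlogon.exe"
    dropped = root / "system32" / "dllcache" / "sys32" / "winlogon.exe"
    for p in (trusted, backup, dropped):
        p.parent.mkdir(parents=True, exist_ok=True)
    trusted.write_bytes(b"MZ constructed stand-in for the genuine winlogon.exe")
    backup.write_bytes(trusted.read_bytes())          # WFP backup: identical to the system32 copy
    dropped.write_bytes(b"MZ constructed stand-in for the file the services point at")
    return root, trusted


if __name__ == "__main__":
    root, trusted = build_demo_tree()
    for entry in compare_copies(root, "winlogon.exe", trusted):
        tag = "ok   " if entry["matches_reference"] else "CHECK"
        print(f"{tag} sha256={entry['sha256'][:16]}... {entry['size']:>5} B  {entry['path']}")
```

On a real machine you would point `compare_copies` at `C:\WINDOWS` with `C:\WINDOWS\system32\winlogon.exe` as the reference; a copy that does not match the trusted one is the file to hash-search and, if nothing is known about it, upload.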

deeboi
2007-04-08, 14:58
Hi shelf life,

I forgot I already had AVG Anti-Spyware installed, and I scanned with it.
It found 9 tracking cookies which I deleted. I also deleted everything in the Temp and Temporary Internet Files folders.

I also located the dodgy winlogon file and uploaded it to VirusTotal.
Most said there was no virus found or no threat detected, except Ikarus, which said it was a Trojan-PWS.Win32.Agent.cq, so I deleted it.

Is that sys32 folder anything to do with Windows? If not I will just delete it.
There's a welcome.txt file inside it which says

Welcome to +-+ An.UNDeRGRoUND.FTP.SITE +-+
===================================================
You are Connecting From %IP
%u24h users have visited in the last 24 hours.
This server has been running for
%ServerDays Days, %ServerHours Hours, %ServerMins Mins, %ServerSecs Secs
===================================================
Amout of Logins Since Server Started: %loggedInAll total
Logged in Users: %Unow
Total Kb downloaded: %ServerKbDown Kb
Total Kb uploaded: %ServerKbUp Kb
Amout of Files downloaded: %ServerFilesDown
Amout of Files uploaded: %ServerFilesUp
Average Speed: %ServerAvg Kb/sec
Current Speed: %ServerKBps Kb/sec
Free Disk Space: %DFree MB
===================================================
I've never heard of An.UNDeRGRoUND.FTP.SITE before.

Anyway after I did as you said I rebooted then tried Spybot S&D again but the same thing happened.

deeboi.

shelf life
2007-04-08, 16:49
Hi deeboi,

Good, thanks for the info.

> Is that sys32 folder anything to do with windows?

Most likely no. Is there anything located in the sys32 dir other than the winlogon.exe and the welcome.txt?
When Spybot chokes, can you notice if it's always at the same spot or file every time?

shelf life

deeboi
2007-04-08, 20:25
Hello again shelf life,

These files are also in the sys32 folder.

Empty folder called upload.
hide.exe
cygcrypt-0.dll
cygwin1.dll
libeay32.dll
ssleay32.dll
sys.dll
TzoLibr.dll
winmgtr.dll
ServUDaemon.ini
hydrant.bat
pshut.bat
run.bat
nfo.nfo
hide.RB0
ServUStartUpLog.txt
spooldc.log
welcome.txt

I did 5 scans and yes, Spybot chokes at the same point every time.
It reboots while scanning for coolwwwsearch.FEAT2.dll.
It's quite hard to see as the screen just goes black without any warning, but I'm pretty sure that's the correct spelling of the file.

deeboi.

shelf life
2007-04-08, 22:34
Hi deeboi,

Good, thanks for the info. Yes, you can delete the entire sys32 folder. It must be a leftover from some malware. You wouldn't have an FTP server on your computer unless you put it there.

For the Spybot problem we can try CWShredder. You can download it from Trend Micro here:

http://www.trendmicro.com/cwshredder/

You can use the Scan Only button, then if anything is found, go back to the main screen and use the Fix button.

shelf life
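
Added example (the editor's, not part of the thread): the check a practitioner would run after finding a dropped FTP server like the Serv-U files listed above, both before and after deleting the folder, to see whether anything is still accepting connections. It parses the TCP listeners out of `netstat -ano` output and joins them to a PID-to-image map of the kind `tasklist` gives, then flags a listener owned by a process whose name belongs to a core Windows binary that never listens, and an FTP port reachable from the network. The netstat lines and the PID map are constructed for the example and only modelled on the thread's layout (a process called winlogon.exe owning port 21); the rule set and port list are the editor's assumptions.

```python
import re

# Assumption: core Windows binaries that have no business owning a listening socket.
CORE_NEVER_LISTEN = {"winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe", "userinit.exe"}
FTP_PORTS = {20, 21}

# `netstat -ano` on XP prints:  TCP  <local addr:port>  <foreign addr:port>  LISTENING  <pid>
TCP_LISTEN_RE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$")


def parse_listeners(netstat_text):
    """Return [{'addr', 'port', 'pid'}] for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = TCP_LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)
        listeners.append({"addr": addr, "port": int(port), "pid": int(m.group("pid"))})
    return listeners


def triage_listeners(netstat_text, pid_to_image):
    """Join listeners to their owning image and return the ones worth a closer look."""
    findings = []
    for sock in parse_listeners(netstat_text):
        image = pid_to_image.get(sock["pid"], "<unknown>").lower()
        reachable = sock["addr"] != "127.0.0.1"   # 0.0.0.0 or a NIC address: open to the network
        reasons = []
        if image in CORE_NEVER_LISTEN:
            reasons.append(f"{image} should never own a listening socket")
        if reachable and sock["port"] in FTP_PORTS:
            reasons.append("FTP port open to the network; expected only if you installed an FTP server")
        if image == "<unknown>":
            reasons.append("no process for this PID; capture netstat and tasklist at the same moment")
        if reasons:
            findings.append({**sock, "image": image, "reasons": reasons})
    return findings


# Constructed sample output, laid out like `netstat -ano` on Windows XP.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1224
  TCP    192.168.1.5:1391       62.31.64.39:80         ESTABLISHED     2040
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID-to-image map, as `tasklist` would supply it.
SAMPLE_TASKLIST = {1544: "winlogon.exe", 780: "svchost.exe", 1224: "alg.exe", 2040: "iexplore.exe"}


if __name__ == "__main__":
    for f in triage_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{f['addr']}:{f['port']} pid={f['pid']} image={f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```

Capture `netstat -ano` and `tasklist` back to back, because PIDs are reused; a listener that survives deleting the folder means the server is still running from somewhere else and the service entries need to go as well.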

deeboi
2007-04-08, 23:12
Hi shelf life,

I downloaded CWShredder and scanned my PC; it says CoolWebSearch was not found on this system.

I also deleted the sys32 folder.

deeboi.

shelf life
2007-04-09, 01:01
Hi deeboi,

OK, good. We could add that file to the exception list in Spybot. With Spybot open, click on Mode at the top and select Advanced. Then in the left pane click on Settings, then Ignore Products. Under the All Products tab find:

coolWWWsearch.Feat2dll and select the checkbox. Close Spybot. It should now skip that check. Why it's having problems with it I don't really know. In any case, CWShredder came up clean for any CoolWebSearch on your computer.

shelf life

deeboi
2007-04-09, 02:46
Hi shelf life,

I did as you said with the checkbox in Spybot, but it just rebooted at something else.

It took a while, but I ticked all the checkboxes where Spybot rebooted the PC.

The files I ticked were
CoolWWWSearch.Feat2DLL
CoolWWWSearch.Feat2installer
CoolWWWSearch.HomeSearch
CoolWWWSearch.mshp
CoolWWWSearch.Service
WarezP2P
Win23.PE
Win32.Agent-gen.cws

After doing this Spybot successfully managed a full scan without rebooting. Nothing was found.

deeboi.

shelf life
2007-04-09, 13:31
Hi deeboi,

Good, at least we are making progress. Why Spybot is choking on those I have no idea. One more download to scan with. Please download and install AVG Anti-Rootkit:

http://www.grisoft.com/doc/products-avg-anti-rootkit/us/crp/2

It requires a reboot after the install. Select "In-depth search" from the main menu.

shelf life

deeboi
2007-04-09, 13:59
Hi shelf life,

I downloaded and ran Anti-Rootkit; here are the results.

c:\Program Files\Folder Lock\Locked,Hidden Directory
c:\Program Files\Folder Lock\Locked\desktop.ini,Hidden File
c:\Program Files\Folder Lock\Locked\pegtag.$s8,Hidden File
c:\Program Files\Folder Lock\Locked\³▒À░ʳ,Hidden Directory
c:\Program Files\Folder Lock\Locked\³▒À░ʳ\New Folder,Hidden Directory
c:\Program Files\Folder Lock\Locked\³▒À░ʳ\New Folder\IMG00133.JPG,Hidden File
c:\Program Files\Folder Lock\Locked\³▒À░ʳ\New Folder\IMG00135.JPG,Hidden File
c:\Program Files\Folder Lock\Locked\³▒À░ʳ\New Folder\IMG00137.JPG,Hidden File
c:\sccfg.sys,Hidden File

The only unexplained one is sccfg.sys.
I used Folder Lock at Christmas time to hide photos of presents for the kids lol. :D:
Just to remind us what we had. I can get rid of it now though. Actually, I forgot it was installed.

deeboi.

shelf life
2007-04-09, 19:37
Hi deeboi,

Thanks for the info. Nothing there to be worried about. Actually, that sccfg.sys file does seem to be related to Folder Lock:

http://forum.sysinternals.com/forum_posts.asp?TID=3377&PN=1

I think your computer is malware free. I can't explain Spybot's problem.
You can leave those items checked in Spybot and still scan with it. But if Spybot or AVG flag malware (not cookies), I would uncheck them and run Spybot in safe mode just to be safe. Of course you can run AVG in safe mode also, just to cover all your bases anyway.

shelf life

deeboi
2007-04-09, 23:10
> I think your computer is malware free. I can't explain Spybot's problem.
> You can leave those items checked in Spybot and still scan with it. But if Spybot or AVG flag malware (not cookies), I would uncheck them and run Spybot in safe mode just to be safe. Of course you can run AVG in safe mode also, just to cover all your bases anyway.
>
> shelf life

OK mate, understood. Many thanks for your help and perseverance with this problem. :bigthumb:

deeboi. :D:

shelf life
2007-04-10, 02:34
Hi deeboi,

Glad to help. Happy safe surfing out there. For your reference:

Prevention-or How Can I Help Myself? (http://security-central.us/SafeHex/prevention.htm)

tashi
2007-04-20, 07:41
Glad we could help, as the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.