View Full Version : Smart BuG shuts down computer



landslide
2006-02-19, 16:46
Any advice most welcome:

Sony Vaio laptop, 933 MHz, 256 MB RAM, 30 GB HDD, WinXP Pro 1st edition, no SP2, IE6

BuG shuts down computer when threatened, such as:

Windows update
Pest Patrol install
SpyBot scan
Safe Mode startup
WindowsXP reinstall to same drive
WindowsXP clean install on NEW DRIVE!
Drive with Win2000 preinstalled fails -- BSOD
Sony BIOS flash utility (windows application)
Knoppix search for rootkit from CD

Successes -->>
IEspyAd installed to restricted sites list in browser
I interrupted a SpyBot scan before it crashed to delete about 10 problems. NOD32 deleted over 200 trojans. Just deleting directories helped as well. HijackThis scan and Fix improved some issues. Still the BuG persists and shuts down the computer when threatened.

The real question is: where is this BuG? In the BIOS? Battery removed, BIOS settings restored to default, but no effect on the BuG, of course. This BuG has staked its claim and it doesn't want to give ground.

Many of the BuG's sidekicks have been tromped on, but still he vexes me.

SpyBotSD crashes while scanning CoolWWWSearchFeat2.dll

What would you do?

landslide
2006-02-20, 14:19
stealth BuG in the MBR. Once he takes up space in memory, he won't give it up >> power off rather than lose ground, reload again. Once Windows loads, he can call on the disk files that are also stealth and they have a list of .exe files, URLs, msi files, for triggers and probably some random number / timers tied to windows events to just keep things messy. Another stealth .dll keeps a few bad guy addresses and he phones them when there is a little available internet connection time. System is slowed by their 'business' and the longer it is left to its own, it will take over. Stealth DoS BuhGH. More fun than a barrel of bad memory chips.

tashi
2006-02-20, 18:27
Hello. Do you have a problem downloading HJT?
Before you post a log (http://forums.spybot.info/showthread.php?t=288)

landslide
2006-02-24, 02:34
Here is the most recent HJT listing.

Logfile of HijackThis v1.99.1
Scan saved at 1:44:18 PM, on 2/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\UTILIT~1\WINPAT~1\winpatrol.exe
C:\Utilities\WinTasks5\wintasks.exe
C:\Utilities\HiJack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\SpyBot\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinPatrol] C:\UTILIT~1\WINPAT~1\winpatrol.exe
O4 - Global Startup: WinTasks.lnk = C:\Utilities\WinTasks5\wintasks.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140067353351
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140067336667
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

~~~~~~~END~~~~
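
An added example, not part of this thread or of HijackThis itself: a small Python parser that splits HJT entry lines of the kind shown above (O2, O4, O6, O16) into section, kind, CLSID and target, then attaches the notes a helper would check first. The trusted-root list and the note heuristics are assumptions of this example, not HijackThis rules; the sample lines are copied from the log above.

```python
import re

SECTION_RE = re.compile(r"^(O\d+) - (?:([^:]+): )?(.*)$")  # "O4 - HKLM\..\Run: [name] cmd"; kind absent on O6 lines
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
PATH_RE = re.compile(r'[A-Z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cab|sys)\b', re.I)
URL_RE = re.compile(r"https?://\S+")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")  # assumption: default XP layout on C:

def parse_entry(line):
    """Split one HJT line into section, kind, CLSID and the file or URL it points at."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, kind, body = m.groups()
    clsid, path, url = CLSID_RE.search(body), PATH_RE.search(body), URL_RE.search(body)
    return {"section": section, "kind": kind or "", "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "target": path.group(0) if path else (url.group(0) if url else None)}

def triage(e):
    """Review notes for one entry (heuristics of this example, not HJT rules); a note only says where a helper looks first."""
    notes, t = [], e["target"]
    if e["section"] == "O2" and "(no name)" in e["body"]:
        notes.append("BHO registered without a display name")
    if t and "\\" in t:
        if "~" in t:
            notes.append("8.3 short path; resolve the long name before judging it")
        if not t.lower().startswith(TRUSTED_ROOTS):
            notes.append("binary outside Windows/Program Files")
    if e["section"] == "O16" and t and not t.startswith("https://"):
        notes.append("ActiveX control downloaded over plain HTTP")
    return notes

def review_log(text):
    """Map every entry that earned notes (keyed by its target) to those notes."""
    findings = {}
    for line in text.splitlines():
        e = parse_entry(line)
        if e and (notes := triage(e)):
            findings[e["target"] or e["body"]] = notes
    return findings

# Sample input: entry lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\SpyBot\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinPatrol] C:\UTILIT~1\WINPAT~1\winpatrol.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
"""
```

Calling `review_log(SAMPLE_LOG)` flags the unnamed BHO, the short-path WinPatrol entry and the plain-HTTP O16 control, while the NOD32 Run entry and the O6 policy line earn no notes.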

LonnyRJones
2006-02-24, 07:21
Hello

It would have helped to see what was there before you started troubleshooting; can you give us an idea of what was there?

Post a report from this tool
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the I accept button near the bottom of that page.
Download and run Blacklight, click Scan, then Next, Next again, then Exit.
There will be a new .txt file next to Blacklight; post it please.
Important: If any files show, do not rename them; legitimate files can be listed.

Post a Silent Runners log
Download and run SilentRunners.vbs and post the log it creates, please.
http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
Wait until there is an All Done message!! Then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run. After a bit a box will say done.


Post a startup list made with HijackThis while the PC is in Safe Mode.
Post a startup list from HijackThis:
Start HijackThis, click Config > Misc Tools,
place a check in [X] List also minor sections
and [X] List empty sections, then click Generate StartupList log.

tashi
2006-03-01, 21:49
This topic is closed due to lack of a response to volunteer helper.