View Full Version : Computer freezing and S&D will not complete scan



Henchilada
2006-05-18, 01:36
Hi,

First off I have done everything in the sticky on things to do before you post. This is my first ever post to a forum as well, so please go easy on me :)

I have a problem with my PC freezing. I try to move my mouse and nothing works (Ctrl-Alt-Del as well). I then have to restart my computer and when starting up XP sometimes it freezes, in which case I have to keep trying, pressing the restart button.

Sometimes the system appears normal and I don't usually have any problems with running the net, hence why I can post this request for help here.

I have noticed though that the PC freezes up when I do the following things:

Run S&D scan: it goes through a few files and it brings up mailbot in the problems found screen. Sometimes it goes through 28000 of 38000 then it freezes up. It also comes up with a box saying it has stopped i386p, and when it doesn't freeze up it comes up in the problems found field saying: user aborted.

I have the PC networked up as a host PC to my laptop in my room; I use this mainly to have a game of Age of Empires II against a friend of mine. When we play since I've had the problem (the last day or so), our games cut out as the main host PC freezes. I have this problem due to a silly error of my own doing: I turned off the firewall to continue playing against my friend and I still had my internet on downloading music. I know this let in a virus or malware, stupid me.

I tried using Ewido and running a scan and it froze when it got to: [1904]
D:\windows\appPatch\acgeral.dll

Have tried HijackThis, Panda, McAfee free online scan, AVG as well. All freeze and never complete. HijackThis log is:

Logfile of HijackThis v1.99.1
Scan saved at 20:07:26, on 17/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4759/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE66EF4E-D341-4CD7-B5DB-6B624F3170E1}: NameServer = 200.165.132.154 200.149.55.142
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

If you can please help me I will be very grateful!!!!!!! :)

Henchilada
2006-05-19, 20:13
Me again.....

I did another scan with HijackThis because I saw I used the one I had on the C drive. So here is the one executed from Program Files on the D drive.

Logfile of HijackThis v1.99.1
Scan saved at 15:09:25, on 19/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Arquivos de programas\iTunes\iTunesHelper.exe
D:\Arquivos de programas\QuickTime\qttask.exe
D:\Arquivos de programas\iPod\bin\iPodService.exe
D:\Arquivos de programas\Internet Explorer\iexplore.exe
D:\DOCUME~1\Gringo\CONFIG~1\Temp\Diretório temporário 3 para hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "D:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148040284657
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE66EF4E-D341-4CD7-B5DB-6B624F3170E1}: NameServer = 200.165.132.154 200.149.55.142
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Arquivos de programas\iPod\bin\iPodService.exe

If anyone can help me as soon as poss I will really appreciate it. Waiting almost 2 days for a reply ....... anyone here???????? Sorry, I know you guys are probably really busy helping everyone else too ........ just thought I'd wave my hand for the life guards to come help me too......

cheers!

tashi
2006-05-19, 21:37
We are sorry for the wait, new infections (not necessarily on your own computer) are taking longer to clean up.

A helper will try to assist you as soon as possible. :)

Just in case, please see the pinned sticky topic:
If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

Henchilada
2006-05-20, 16:56
Thank you for replying :) I will await any help anybody suggests. Thanks again!

LonnyRJones
2006-05-23, 10:31
D:\DOCUME~1\Gringo\CONFIG~1\Temp\Diretório temporário 3 para hijackthis.zip\HijackThis.exe

Make a folder such as d:\antispyware, unzip HijackThis and run it from that new folder. That log isn't showing any O4s; do you have items on its ignore list, or have you disabled anything using msconfig or third-party startup tools?

Make and post a new log.
Also post a report from this tool if any FILES show:
F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
Click the I accept button near the bottom of that page.
Download and run BlackLight, click > Scan, then > Next, Next again, then Exit.
There will be a new txt near BlackLight. Post it please.
Important: If any files show, do not rename them YET..... legitimate files can be listed.

Henchilada
2006-05-23, 15:47
Hi thanks for replying!

I haven't disabled anything with msconfig (I don't know how) and I haven't been playing around with any settings. I haven't downloaded any third-party tools either. Have created the antispyware folder on the D drive and unzipped HijackThis there, ran a scan, and here are the results. PS: sorry it appears in Portuguese, I'm now living in Brasil with my wife and the problems are on her PC.

Logfile of HijackThis v1.99.1
Scan saved at 10:32:41, on 23/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Arquivos de programas\iTunes\iTunesHelper.exe
D:\Arquivos de programas\iPod\bin\iPodService.exe
D:\Arquivos de programas\QuickTime\qttask.exe
D:\Arquivos de programas\Internet Explorer\iexplore.exe
D:\Arquivos de programas\eMule\emule.exe
D:\antispyware\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "D:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148040284657
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE66EF4E-D341-4CD7-B5DB-6B624F3170E1}: NameServer = 200.165.132.154 200.149.55.142
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Arquivos de programas\iPod\bin\iPodService.exe


Here's the BlackLight text file that appeared where I installed the program. Not too sure if it's a scan result or not. Thanks again for your help!

05/23/06 10:37:02 [Info]: BlackLight Engine 1.0.36 initialized
05/23/06 10:37:02 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/23/06 10:37:02 [Note]: 7019 4
05/23/06 10:37:02 [Note]: 7005 0
05/23/06 10:37:07 [Note]: 7006 0
05/23/06 10:37:07 [Note]: 7011 604
05/23/06 10:37:07 [Note]: 7026 0
05/23/06 10:37:07 [Note]: 7026 0
05/23/06 10:37:19 [Note]: FSRAW library version 1.7.1015
05/23/06 10:46:53 [Note]: 7007 0

LonnyRJones
2006-05-23, 18:25
Thanks

Submit this file here:
D:\windows\appPatch\acgeral.dll
Submit a file--VirusTotal: http://www.virustotal.com/flash/index_en.html

Open a command prompt (start run type cmd press enter) type
sc query i386p
press enter, type exit and press enter to exit the command prompt
what did you see ?

What version of SpyBot is it you have ?

Henchilada
2006-05-23, 23:55
Hi,

1)
Went to that site (http://www.virustotal.com/vt/en/resultadof?c0e7d286744633587f5a7d2d2f572c40) and ran a search on D:\windows\appPatch\acgeral.dll. No virus found by any of the antivirus engines. Results:

STATUS: FINISHED
Complete scanning result of "acgeral.dll_", received in VirusTotal at 05.23.2006, 23:34:40 (CET).

Antivirus Version Update Result
AntiVir 6.34.1.32 05.23.2006 no virus found
Authentium 4.93.8 05.23.2006 no virus found
Avast 4.6.695.0 05.23.2006 no virus found
AVG 386 05.23.2006 no virus found
BitDefender 7.2 05.23.2006 no virus found
CAT-QuickHeal 8.00 05.23.2006 no virus found
ClamAV devel-20060426 05.22.2006 no virus found
DrWeb 4.33 05.23.2006 no virus found
eTrust-InoculateIT 23.72.15 05.23.2006 no virus found
eTrust-Vet 12.4.2224 05.23.2006 no virus found
Ewido 3.5 05.23.2006 no virus found
Fortinet 2.77.0.0 05.23.2006 no virus found
F-Prot 3.16c 05.23.2006 no virus found
Ikarus 0.2.65.0 05.23.2006 no virus found
Kaspersky 4.0.2.24 05.23.2006 no virus found
McAfee 4768 05.23.2006 no virus found
Microsoft 1.1440 05.22.2006 no virus found
NOD32v2 1.1553 05.22.2006 no virus found
Norman 5.90.17 05.23.2006 no virus found
Panda 9.0.0.4 05.23.2006 no virus found
Sophos 4.05.0 05.23.2006 no virus found
Symantec 8.0 05.23.2006 no virus found
TheHacker 5.9.8.146 05.22.2006 no virus found
UNA 1.83 05.23.2006 no virus found
VBA32 3.11.0 05.23.2006 no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

2) Ran sc query i386p in CMD. Came up with the following:

SERVICE_NAME: i386p
TYPE :1 KERNEL_DRIVER
STATE :1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT HINT : 0x0

3) Using Spybot Search and Destroy 1.4

Thanks again for your ongoing support :)

LonnyRJones
2006-05-24, 02:07
Aditional Information
File size: 0 bytes
Either the file is empty or it's in use and couldn't be submitted.
See if you can rename it to acgeral.dllxxx. Any luck?
You might have to do so while in safe mode.

Open a command prompt again and type
sc delete i386p

Restart into safe mode and get a startup list.
Post a startup list from HijackThis:
Start HijackThis, click Config > Misc Tools,
place a check in [X] list also minor sections
and [X] list empty sections, then click Generate StartupList log.
Safe mode instructions (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx)
Restart back to normal and post that please.
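
The two artefacts exchanged above, the VirusTotal information block and the `sc query i386p` output, are the kind of thing a helper reads at a glance; the following added example (not code from the thread or from any tool it mentions) parses both, embedded as constructed samples copied from the posts, and shows why a "no virus found" verdict on a 0-byte upload is void: its digests are simply the digests of the empty string. The exit-code mapping for 1077 is from winerror.h; everything else is assumed helper code.

```python
import hashlib
import re

# Constructed sample: the "Aditional Information" block of the VirusTotal
# result quoted in the thread (size and digests copied from the post).
VT_RESULT = """Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

# Constructed sample: the `sc query i386p` output quoted in the thread.
SC_QUERY = """SERVICE_NAME: i386p
TYPE :1 KERNEL_DRIVER
STATE :1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT HINT : 0x0
"""

# Digests of zero-length input, computed rather than hard-coded: if a
# multi-engine scanner reports these, it never saw the file's bytes.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

# Meaning of the WIN32_EXIT_CODE values that matter here (winerror.h).
WIN32_EXIT_CODES = {
    0: "ERROR_SUCCESS",
    1077: "ERROR_SERVICE_NEVER_STARTED",  # registered, not started since boot
}


def parse_vt_info(text):
    """Pull file size and digests out of a VirusTotal information block."""
    info = {}
    m = re.search(r"File size:\s*(\d+)\s*bytes", text)
    if m:
        info["size"] = int(m.group(1))
    for name in ("MD5", "SHA1"):
        m = re.search(name + r":\s*([0-9a-fA-F]+)", text)
        if m:
            info[name.lower()] = m.group(1).lower()
    return info


def submission_is_empty(text):
    """True when the scanners received no bytes, so 'no virus found' proves nothing.

    Any one indicator is enough: a 0-byte size, or a digest equal to the
    digest of the empty string.
    """
    info = parse_vt_info(text)
    return (info.get("size") == 0
            or info.get("md5") == EMPTY_MD5
            or info.get("sha1") == EMPTY_SHA1)


def parse_sc_query(text):
    """Parse the fields of `sc query <name>` that a triage needs."""
    svc = {}
    m = re.search(r"SERVICE_NAME:\s*(\S+)", text)
    if m:
        svc["name"] = m.group(1)
    m = re.search(r"TYPE\s*:\s*\d+\s+(\w+)", text)
    if m:
        svc["type"] = m.group(1)
    m = re.search(r"STATE\s*:\s*\d+\s+(\w+)", text)
    if m:
        svc["state"] = m.group(1)
    m = re.search(r"WIN32_EXIT_CODE\s*:\s*(\d+)", text)
    if m:
        svc["exit_code"] = int(m.group(1))
    return svc


def triage_notes(vt_text, sc_text):
    """Return human-readable findings for the two artefacts."""
    notes = []
    if submission_is_empty(vt_text):
        notes.append("scan verdict void: the uploaded file was 0 bytes "
                     "(empty-string digests); the file was empty or unreadable")
    svc = parse_sc_query(sc_text)
    if svc.get("type") == "KERNEL_DRIVER":
        notes.append("%s is registered as a kernel driver (ring 0 when loaded)"
                     % svc.get("name", "?"))
    code = svc.get("exit_code")
    if svc.get("state") == "STOPPED" and code in WIN32_EXIT_CODES:
        notes.append("%s is STOPPED, exit code %d = %s"
                     % (svc.get("name", "?"), code, WIN32_EXIT_CODES[code]))
    return notes


if __name__ == "__main__":
    for line in triage_notes(VT_RESULT, SC_QUERY):
        print("-", line)
```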

Henchilada
2006-05-24, 04:24
Ok,

Got the startup list generated during safe mode and I thought I'd do another HijackThis log as well (normal scan). Funny thing I just noticed is my web cam, which was installed with correct drivers etc., is no longer recognized and I can no longer install it. I know resolving the problem with this malware will resolve that, so thanks! I use it to keep in touch with the folks back home.

The startup list is way too big to post; it exceeded the 20000 limit.


The Hijack this log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 23:17:16, on 23/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Arquivos de programas\iTunes\iTunesHelper.exe
D:\Arquivos de programas\QuickTime\qttask.exe
D:\Arquivos de programas\MSN Messenger\msnmsgr.exe
D:\Arquivos de programas\iPod\bin\iPodService.exe
D:\Arquivos de programas\Internet Explorer\iexplore.exe
D:\Arquivos de programas\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\antispyware\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "D:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148040284657
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE66EF4E-D341-4CD7-B5DB-6B624F3170E1}: NameServer = 200.165.132.154 200.149.55.142
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Arquivos de programas\iPod\bin\iPodService.exe

Cheers!

LonnyRJones
2006-05-24, 10:46
Send the startup list to submitlonny AT subratam.org.
Replace AT with @ and remove spaces, then include a link back to this thread.
Or you can attach it here:
http://www.thespykiller.co.uk/forum/index.php?board=1.0

Henchilada
2006-05-24, 13:23
Hi,

Emailed you the startup list at your subratam address. Thanks for everything.

LonnyRJones
2006-05-24, 15:54
Download Pocket Killbox to the desktop (version 2.0.0.648):
http://www.downloads.subratam.org/KillBox.exe
If you already have Killbox ensure it is the latest version.
Start Killbox, place a tick next to [x] Delete on reboot, press the ALL Files button.
Copy this whole list into the Windows clipboard, all the bolded below.

D:\WINDOWS\system32\xbdtqiyj.nye
D:\windows\appPatch\acgeral.dll
D:\WINDOWS\system32\xbdtqiyj.exe

Back in Killbox go > File > Paste from clipboard.
Click the red highlighted X button and say yes to the prompt to restart the PC.

Killbox would have made a backup folder and put them there; zip it up and send it to me please.
d:\!killbox, zip up and send the entire folder

I'm still unsure if that dll is indeed bad

Henchilada
2006-05-24, 19:12
Have emailed zipped folder. Hopefully done it properly.

LonnyRJones
2006-05-24, 19:48
1: Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.

Click on Avenger.zip to open the file.
Extract avenger.exe to your d:\ drive.

2: Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XBDTQIYJ
Files to delete:
D:\WINDOWS\system32\xbdtqiyj.nye
D:\windows\appPatch\acgeral.dll
D:\WINDOWS\system32\xbdtqiyj.exe



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3: Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4: The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to d:\avenger\backup.zip.

5: Please copy/paste the content of d:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Send me this file please
d:\avenger\backup.zip

Henchilada
2006-05-24, 22:07
Hi,

It restarted the pc this time and went into command prompt etc.
Here is the new Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 17:03:43, on 24/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Arquivos de programas\iTunes\iTunesHelper.exe
D:\Arquivos de programas\QuickTime\qttask.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Arquivos de programas\MSN Messenger\msnmsgr.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\notepad.exe
D:\Arquivos de programas\iPod\bin\iPodService.exe
D:\Arquivos de programas\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\antispyware\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "D:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148040284657
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE66EF4E-D341-4CD7-B5DB-6B624F3170E1}: NameServer = 200.165.132.154 200.149.55.142
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Arquivos de programas\iPod\bin\iPodService.exe

Here is the Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wutuelic

*******************

Script file located at: \??\D:\WINDOWS\sgwbmkbx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XBDTQIYJ deleted successfully.


File D:\WINDOWS\system32\xbdtqiyj.nye not found!
Deletion of file D:\WINDOWS\system32\xbdtqiyj.nye failed!

Could not process line:
D:\WINDOWS\system32\xbdtqiyj.nye
Status: 0xc0000034



File D:\windows\appPatch\acgeral.dll not found!
Deletion of file D:\windows\appPatch\acgeral.dll failed!

Could not process line:
D:\windows\appPatch\acgeral.dll
Status: 0xc0000034



File D:\WINDOWS\system32\xbdtqiyj.exe not found!
Deletion of file D:\WINDOWS\system32\xbdtqiyj.exe failed!

Could not process line:
D:\WINDOWS\system32\xbdtqiyj.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

I have emailed you the Avenger zip backup file as requested, many thanks!

LonnyRJones
2006-05-24, 22:41
I expected to see a file or two deleted; at least that rogue service is out of the picture.

Hows the PC running ?

Henchilada
2006-05-24, 23:23
Hi,

The PC is running the internet fine and most other programs. I did however go into Age of Empires II and it froze, and I have another game, StarCraft, which I loaded and which has also frozen.

Tried to run a full scan on Spybot (1.4) and the PC froze; it was showing aze mail something or other that came up. Do you have any further suggestions?

LonnyRJones
2006-05-25, 00:10
Hi
How long has the PC had these problems now?
We could probably use System Restore and go back a few days before the infection.

Update SpyBot and your antivirus programs and run them one at a time while in safe mode; while you're there, also get a Silent Runners log.

http://www.silentrunners.org/sr_scriptuse.html
When you run it click No to not skip the supplementary searches.
Wait until there is an All Done message!!, then open and post the log next to it.
Please allow it to run; after a bit a box will say done.

Restart back to normal, post that Silent Runners log and an SSD log.

Henchilada
2006-05-25, 03:31
Hello,

Unfortunately a friend of mine (who unfortunately doesn't live in the same city anymore) made some adjustments to the system last time I had a problem; he turned off System Restore so I can't restore to any earlier point. I think the problem has existed for the last week and a half or so.

I have tried running SSD to get a log but no go again, with it freezing about two thirds of the way through.

Rebooted the PC in safe mode and ran all the antivirus programs I have:
SSD (froze in safe mode) AVG, ewido.

Here is the post from the Silent Runners script I ran in safe mode. Hope it enlightens the situation on my bedarkened PC.

Silent runners script:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "D:\WINDOWS\system32\CTFMON.EXE" [MS]
"AVG7_Run" = "D:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"iTunesHelper" = ""D:\Arquivos de programas\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""D:\Arquivos de programas\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "D:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "D:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\(Default) = "Personalização do navegador"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "D:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup"
\StubPath = "D:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall D:\WINDOWS\system32\themeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""D:\Arquivos de programas\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Catálogo de endereços 6"
\StubPath = ""D:\Arquivos de programas\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Atualização da área de trabalho do Windows"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6"
\StubPath = "D:\WINDOWS\system32\ie4uinit.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "D:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"
-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Extensão de ícone de arquivo do Outlook"
\InProcServer32\(Default) = "D:\Arquivos de programas\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Arquivos de programas\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "D:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "D:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Arquivos de programas\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "D:\Arquivos de programas\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "D:\Arquivos de programas\ICQLite\ICQLiteShell.dll" [empty string]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "D:\Arquivos de programas\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "D:\Arquivos de programas\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "D:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "D:\Arquivos de programas\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Arquivos de programas\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "D:\Arquivos de programas\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Arquivos de programas\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "D:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Arquivos de programas\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "%SystemRoot%\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "D:\Arquivos de programas\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

D:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
(unwritable string)

Missing lines (compared with English-language version):
[Version]: 2 lines
[RestoreHomePage]: 1 line
[RestoreHomePage.reg]: 1 line
[RestoreBrowserSettings.reg]: 12 lines
[DeleteTemplates.reg]: 5 lines
[DeleteAutosearch.reg]: 1 line
[Strings]: 1 line
[RestoreBrowserSettings]: 2 lines
[Strings]: 3 lines


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Adaptador de desempenho WMI, WmiApSrv, "D:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]
AVG E-mail Scanner, AVGEMS, "D:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
HTTP SSL, HTTPFilter, "D:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"D:\WINDOWS\System32\w3ssl.dll" [MS]}
InstallDriver Table Manager, IDriverT, ""D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
iPodService, iPodService, "D:\Arquivos de programas\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Serviço administrativo do gerenciador de disco lógico, dmadmin, "D:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Serviço de Configuração de Rede, xmlprov, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\xmlprov.dll" [MS]}
Serviço de Número de Série de Mídia Portátil, WmdmPmSN, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor PIXMA iP1000\Driver = "CNMLM6e.DLL" ["CANON INC."]
PrimoMon\Driver = "Primomonnt.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 172 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 31 seconds.
---------- (total run time: 273 seconds)


Obrigado (thanks)

LonnyRJones
2006-05-25, 18:12
I'm not sure what to suggest.
Sounds like your PC is overheating. Have you ever replaced the heatsink and fan?
Provide some specifics about it.

Henchilada
2006-05-25, 22:21
Hi,

I know that it's not hardware, because it only happens when I'm doing one of the following:

1) Trying to run the scan on the latest version of Spybot (1.4). I have deleted it and reinstalled it 4 times.

2) Playing Age of Empires II or StarCraft (not networked).

3) Playing a networked game with the other PC.

I can be on the PC using the net and doing word processing for hours, but these are the instances in which the PC shuts down. If you have any other idea, or can advise another program I could try, I would be greatly indebted. Thanks for all your help so far.

LonnyRJones
2006-05-28, 05:12
Several of us have discussed this; we still think it's an overheating issue. Other than that I have no further advice. Good luck.

One example
http://forums.spybot.info/showthread.php?t=4582

Henchilada
2006-05-28, 23:50
Thanks for all your help! I think you guys do a great job and have been of immense help; it's good to at least have someone willing to lend a hand.
I will take the PC in to a techie and get a quote about the overheating problem. All the best!

tashi
2006-06-04, 23:48
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened, please send me or your helper a PM and provide a link to the thread. :)

Applies only to the original topic starter.