[Harmy]

HI there everyone. Hopefully this is nothing, but I am curious. It only started today but while on my computer, its shut down twice on its own. I've been running my scans like I usually do (weekly), so I thought this was odd. And the scans aren't showing anything, so I'm puzzled.

Was wondering if I should do a hijack log & post it???

Thanks for taking the time to read this.

Harm

Edited by Harmy, 19 April 2008 - 10:27 PM.

[Advertisements]

There could be many other reasons why it's doing this, especially if it's shutting down. Could be due to overheating issues. Post the HijackThis log here if you want since you opened this topic. We'll take a quick look. While you do that, see if you made any changes to your computer recently. Make sure all the fans inside are spinning and nothing are blocking the vents.

[greyknight17]

There could be many other reasons why it's doing this, especially if it's shutting down. Could be due to overheating issues. Post the HijackThis log here if you want since you opened this topic. We'll take a quick look. While you do that, see if you made any changes to your computer recently. Make sure all the fans inside are spinning and nothing are blocking the vents.

[Harmy]

Hi there. I just wanted to say "thanks" again for taking the time to check this for me. I did as you asked & checked all my cords, fans & whatnot. Everything seems to be working properly. It's just very puzzling why it would shut down all on its own. Only did it 2 or 3 times yesterday & has yet to do it today.

Posting my log below.

Thanks again..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:30 AM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myleague.com/lottsolions
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 6985 bytes

[greyknight17]

Looks good from here....let's have a virus scan also to see if it shows us anything.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

Report back with a status on whether the shutdown occurred again.

[Harmy]

OK.. Did the Panda scan & here are the results. Only thing I'm wondering is... I haven't used IE for so long that I did the scan with Mozilla. Do I need to redo it with IE or will the results be the same? Sorry I didn't pay closer attention.

Results posted below.....

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-04-22 00:16:12
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
McAfee VirusScan Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\mel\favorites\health
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\mel\Desktop\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\mel\Desktop\Virus Protection\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\mel\Desktop\Virus Protection\SmitfraudFix\Process.exe
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\mel\Desktop\Virus Protection\ComboFix.exe[ComboFixT\nircmd.cfexe]
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\nircmd.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\mel\Desktop\SmitfraudFix\restart.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\mel\Desktop\Virus Protection\SmitfraudFix\restart.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\mel\Desktop\Virus Protection\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/restart.exe]
01650472 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\mel\Desktop\Virus Protection\SmitfraudFix.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\mel\Desktop\Virus Protection\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location 
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description 
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================


Only other info I can think to give is that there are 2 users on this computer (myself & my husband). Do I need to do scans using the other user's page??

Also. Wanted to let you know that I haven't had any more shut downs.

Thanks

[greyknight17]

I need to update the part where it says Internet Explorer. Panda updated their scanner so it now works on Firefox and probably other browsers as well. The scan you have there is ok.

It doesn't matter. These scanners will usually pickup from other accounts as well.

Delete this folder:

c:\documents and settings\mel\favorites\health

Did you run combofix and smitfraudfix recently? If not, I want you to download a new copy of combofix and run it (see below).

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

[Harmy]

Ok.. Kinda lost. Went & read all the stuff about putting Combofix on & when I went to install it, my computer started beeping... Kinda made me nervous, so I'm wondering if it's doing that because of the other virus stuff I have. Both Spybot S & D, & McAfee showed messages about allowing the install. Is that why it started to beep???

I tried to run my Smitfraud & it wouldn't let me.. Said I was missing some files, so do I need to dl an updated version of that somewhere?

I am not posting a log at this time until I hear from you. I don't want to cause more damage by doing something I'm unsure of.

Thanks

Oh, I did remove the file you suggested though. It was a folder I had saved some favorites on.

Edited by Harmy, 22 April 2008 - 09:38 PM.

[greyknight17]

Did Combofix finish running? If so, it should have presented you a log or you can find it at C:\Combofix.txt Post that log here.

Smitfraudfix is not needed here (at least not yet until we figure out what's the problem). You should not keep most of the tools we ask you to download here. Many are used for a specific infection and they also tend to be outdated if you keep them. There's always new updates since there are many variants of an infection that could spring up any time. For Smitfraudfix, you may get an updated file here.

[Harmy]

I was going to send the log for combofix since I was able to install it & run it, but it didn't save to my desktop & I can't find it. Do I need to run another scan & attempt to save it again????

I was also unable to install the recovery console.

Got a message that said "d:\i386 refers to a location that's unavailable. Could be on hard drive or on a network. Check disk *(which I did), connection to internet *(which I did), & try again. If still not located, the information might have been moved to another location."

So, I ran combo fix without the recovery console & now I can't find the scan log for combofix.

Edited by Harmy, 23 April 2008 - 09:59 PM.

[greyknight17]

Did you check C:\Combofix.txt? Post that file here...

For the recovery console, skip the part where it shows you how to install it using the CD. Go to the next section and download the bootdisk file instead. Then drag and drop it into Combofix to install the recovery console

[Harmy]

Ok. Did what you asked & downloaded the file. Worked very easily..

Here's the combofix log. This is the one I just did. I still haven't been able to find the one from yesterday. My time right now is short, so I'll look again later.

ComboFix 08-04-22.5 - mel 2008-04-24 15:22:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.490 [GMT -4:00]
Running from: C:\Documents and Settings\mel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mel\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-22 23:57 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-22 23:57 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-22 23:57 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-21 23:00 . 2008-04-21 23:01 <DIR> d-------- C:\Program Files\Panda Security
2008-04-21 00:46 . 2008-04-21 00:46 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 03:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-22 21:35 --------- d-----w C:\Program Files\McAfee
2008-04-18 22:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-18 22:10 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-18 22:05 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-14 03:23 --------- d-----w C:\Documents and Settings\mel\Application Data\ComcastToolbar
2008-03-21 20:30 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-04 17:04 606,848 ----a-w C:\WINDOWS\flashax.exe
2008-03-04 17:04 194,560 ----a-w C:\WINDOWS\Jungle Gin Screen Saver #1.scr
2008-03-04 17:04 12,288 ----a-w C:\WINDOWS\impborl.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-14 05:50 551,883 ----a-w C:\WINDOWS\pug_scrsvr.scr
2008-02-14 05:50 400,690 ----a-w C:\WINDOWS\thedogscr1.scr
2008-02-14 05:49 377,226 ----a-w C:\WINDOWS\wht_scrsvr1.scr
2008-02-12 14:56 691,545 ----a-w C:\WINDOWS\unins001.exe
2008-02-12 14:34 72,748 ----a-w C:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_23.36.22.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 03:23:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 19:12:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-24 03:29:17 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-24 19:17:36 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-24 03:29:17 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-24 19:17:36 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 11:42 36904]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33 582992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-04-28 11:40 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 08:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0b491cf-c841-11da-9903-806d6172696f}]
\Shell\AutoRun\command - D:\atisetup.exe
\Shell\launch\command - D:\atisetup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 05:11:58 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-03-01 06:07:24 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-04-24 19:15:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 15:23:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-24 15:25:35
ComboFix-quarantined-files.txt 2008-04-24 19:24:59
ComboFix2.txt 2008-04-24 03:37:53
ComboFix3.txt 2007-04-24 17:00:13

Pre-Run: 138,403,938,304 bytes free
Post-Run: 138,373,545,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

114 --- E O F --- 2008-04-23 03:44:02

[greyknight17]

Did you download these screensavers?
C:\WINDOWS\Jungle Gin Screen Saver #1.scr
C:\WINDOWS\pug_scrsvr.scr
C:\WINDOWS\thedogscr1.scr
C:\WINDOWS\wht_scrsvr1.scr

Everything looks good still. See if you can figure out if there's a pattern of the shutdown issue if it occurs again. Could be hardware related...

[Harmy]

Yeah, I did download those screensavers.. Why, do I need to get rid of them???

Thank you so much. It hasn't shut down on me since I had those 2 or 3 episodes a few nights ago. It hasn't happened since. I appreciate you taking the time to help me out though.

Thanks & have a great night.

[greyknight17]

Nope, you may keep them. Just want to make sure they were legitimate

Glad it's ok now. I suggest installing some antispyware prevention tools since there have been many malware infections floating around nowadays.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

[greyknight17]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.