#2149697

    Safemode, Norton Hijackthis Blocked, Computer crashes with blue screen etc

    by jameswesleycheng ·

    Thank you very much in advance for helping me out. I’m currently on an internship in Vietnam and don’t exactly speak the language here, which translates into “damnit, I can’t get techies to do all the work for me”. I’d really appreciate it if someone could shed some light on how to save my poor laptop or at least stall the problem until I get back to Hong Kong in August. So without further ado:

    Main symptoms:
    – Cannot enter safemode and crashes with blue screen
    – Computer crashes with blue screen (photo: http://fc01.deviantart.com/fs32/f/2008/191/b/f/Crash_crash_crash_by_Unidentifiedname.jpg)
    – It used to crash once in a while and I thought it was because of overheating, but today it crashed 7 times and blocked Norton, and I guessed something fishy is going on
    – Norton Internet Security cannot be opened
    – All Microtrend software including Hijackthis cannot be run
    – Any weblink that contains the term “antivirus” will be closed upon opening (sounds really like a worm) – tried Opera, IE, Firefox, Safari
    – Unknown file xgsslm.exe reopens after force-closing. It says it’s from system32 but I can’t find it even though I have hidden files on. Couldn’t find anything about this file from google search.
    – MS Config can be opened but cannot be closed
    – Computer overheats

    History: (http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=267679&messageID=2536696)
    – 3 weeks of CPU and GPU overheating despite the Laptop fan running at 3400 rpm (see link: http://unidentifiedname.deviantart.com/art/Screenshot-Overheating-Comp-90235694)
    – Symptom subsided after disabling winblinds and updating computer through the Lenovo support center
    – Relapsed after 2 days, in the form of Norton incapable of updating itself (definitions stuck on 26th June)

    Specs:
    IBM Lenovo T60 Laptop
    ATI Radeon Mobility X1400
    IBM Thinkpad T60 Dual core 2.0 GHz 1GB RAM
    80 GB hard disk with 12% free space
    1 GB RAM
    Windows XP Home SP 3

    Remarks:
    – I ran Uniblue Spyeraser and it showed no results, Registry Mechanic showed nothing wrong.
    – Browsers run fine until I click on a link that has the term “antivirus” in the url and it just closes. If I’m quick enough to close the tab upon restarting the browser then it stops closing down by itself.
    – Connected to the network in the office through WiFi. I know one of the computers in the office is in deep crap, so it could be some contagious infection.

    Log:
    Since I couldn’t run Hijackthis, I installed X-RayPc and generated a log through that:

    Logfile of X-RayPc Build 39029 (Installed 1215655216)
    Scan saved at 10/7/2008 2:00:32

    Registry Settings:
    IE Start Page (User) :
    IE Start Page (Global) : http://go.microsoft.com/fwlink/?LinkId=69157
    IE Blank Page : C:\WINDOWS\system32\blank.htm
    IE Default Page : http://go.microsoft.com/fwlink/?LinkId=69157
    IE Search Page (User) : http://www.google.com
    IE Search Page (Global) : http://go.microsoft.com/fwlink/?LinkId=54896
    IE Default Search : http://go.microsoft.com/fwlink/?LinkId=69157
    HOSTS Directory : %SystemRoot%\System32\drivers\etc

    C:\WINDOWS\system32\services.exe (108544 0e776ed5f7cc9f94299e70461b7b8185)
    C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
    C:\WINDOWS\system32\ibmpmsvc.exe (36136 35d08de36eb85f66731b7808768d512c)
    C:\WINDOWS\system32\Ati2evxx.exe (495616 46e2dac60303e69e1884daf20c9d027c)
    C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (114753 44a95584057c2cfda9dff328232e1238)
    C:\WINDOWS\system32\Ati2evxx.exe (495616 46e2dac60303e69e1884daf20c9d027c)
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (540745 4dc83ba53b8c42839a32b108b9e8c145)
    C:\WINDOWS\system32\spoolsv.exe (57856 d8e14a61acc1d4a6cd0d38aebac7fa3b)
    C:\WINDOWS\system32\IPSSVC.EXE (108080 00d8e9daebe72a5df3986fd418a995eb)
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (86016 5ef5625e1e5a2c2503e0a9c8b83cdb2b)
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (110592 3a4982df893f198a2dfbccd4ce10f93a)
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (243064 7c813eb232c7aefa627a12a104dda221)
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe (258103 0ab7a2e4ec1a207f1caa1507552aed9b)
    C:\Program Files\MozyHome\mozybackup.exe (87344 4ad0f23c07847894dbb13314e318ea48)
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (217164 99ba5c9e9e59db26180fecfc1efe7b47)
    C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (644408 9626746a9b120d2ed537dd8d76278405)
    C:\WINDOWS\System32\TPHDEXLG.exe (37424 3663c0f611711dac453636af562f0831)
    C:\WINDOWS\system32\TpKmpSVC.exe (32768 dfb268ff0a6dcb9280015ff527f892ff)
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe (1384448 495516af335599927bcbf446fbcb4be4)
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (1122304 e9ea448f1174be4052416b62263ea4ee)
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe (188416 7e9fde9e2a36137839e12bc8331a8fef)
    c:\program files\lenovo\system update\suservice.exe (32768 f08e3e3a22e170b1e4f77add1d1cd171)
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe (118784 64d1f2a20efa778f1a1fdcc72c53f66f)
    C:\WINDOWS\system32\wscntfy.exe (13824 f92e1076c42fcd6db3d72d8cfe9816d5)
    C:\WINDOWS\system32\ctfmon.exe (15360 5f1d5f88303d4a4dbc8e5f97ba967cc3)
    C:\WINDOWS\Explorer.EXE (1033728 12896823fb95bfb3dc9b46bcaedc9923)
    C:\WINDOWS\system32\dlxdyc.exe (38502 35ba35dec433e42bd3a495911762ab32)
    C:\WINDOWS\system32\xgsslm.exe (38502 35ba35dec433e42bd3a495911762ab32)
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (122880 125481afa36d3e3ab44e3d745dba05eb)
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (524288 65eb543efeb395ddf4e0bb764de089d0)
    C:\WINDOWS\system32\TpShocks.exe (181536 686cd234bf4b816291a858782c71269b)
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe (243248 3280a362fec14ebc0791f6af548c88e3)
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (66928 31ccbe6b693b9dfdd914c3e20be25374)
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe (144728 7146df9479dc9f98770dd5ba69e3e679)
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe (75040 c017c4a30f1783284207b5654898ace3)
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE (122940 3c2d6a88715f7426102b2ac2b1f9cbcb)
    C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe (1996336 6902f7c3cf78150d7900cb5c13015a06)
    C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe (49152 c997e2accd65259e49875f4d4ba80733)
    C:\Program Files\Lenovo\Zoom\TpScrex.exe (111904 b8c77332394d978dd23c3687a459ec67)
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (425984 de17c87e63b4a542a21114167c780e2e)
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe (124248 33d95edeef56ec73abd6a8bf76426f04)
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (126976 cf897e774d1af68528c8995335fddc76)
    C:\WINDOWS\system32\rundll32.exe (33280 037b1e7798960e0420003d05bb577ee6)
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (31016 38d198a2dd54a67120040566a38103ba)
    C:\WINDOWS\system32\conime.exe (27648 abc9002269e569538901109441660dd2)
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe (185896 89d583fc41d48328128a974c25afaeb7)
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (487424 58c27ebbbeb67a26484a1c50909c002c)
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe (124248 33d95edeef56ec73abd6a8bf76426f04)
    C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (59680 7a777a863431ed9a32d980448be9382a)
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE (49152 e681281d9bfc9d45d3b72532717e5880)
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (91688 78374c795b65347220250f15186b5c67)
    C:\Program Files\Analog Devices\Core\smax4pnp.exe (925696 115332a83ac2726fa974d30db4bfd8de)
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe (1289000 5515eb5e3a8b073f66cfc697eb0d4b55)
    C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe (9442584 23d7b8c29b86861e9dcba0cbbc5da4d1)
    C:\Program Files\Messenger\msmsgs.exe (1695232 3e930c641079443d4de036167a69caa2)
    C:\Program Files\Windows Media Player\WMPNSCFG.exe (204288 7eaed08ccca4ddde61a388c82598cfa9)
    C:\PROGRA~1\MICROS~3\rapimgr.exe (199464 7d4a768dea3dc643cbb65222d5b1377b)
    C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (581693 7f37e078e3b80f33921946880c9cef7e)
    C:\Program Files\Digital Line Detect\DLG.exe (50688 f03ffc962e18f36a922e61f96be09925)
    C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe (2074360 e471429971566a7da7b123a8cd2e5048)
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe (49152 25ca1677aaa3cdc99cd4fcf940886f3c)
    C:\WINDOWS\system32\msiexec.exe (78848 5879d691e842574a20fe63817cb76df9)
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe (397381 3ac4e603c4f070c039c29edbc45d7de6)
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe (118336 7fa0aa2f3daba5beb2c4ac1eec054efa)
    C:\Program Files\PCDR5\pcdr5cuiw32.exe (11949856 f835804a059a3ae6979a6fe8ed7eb990)
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe (71288 6c37ad8c2212d3ddc456bb48a3aa398e)
    C:\Program Files\Opera\opera.exe (98816 56765388a6fa93c76128af9ef679ac0d)
    C:\Program Files\PCDR5\pcdrsmart.p5x (40448 b376dac5b653fb57bcf62f7b46ed4b64)
    C:\Documents and Settings\James Wesly Cheng\Desktop\x-raypc.exe (348928 df5ba440e4384adcd1a0bf653da84387)

    Service: AcPrfMgrSvc C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (86016 5ef5625e1e5a2c2503e0a9c8b83cdb2b)
    Service: AcSvc C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe (188416 7e9fde9e2a36137839e12bc8331a8fef)
    Service: ALG C:\WINDOWS\System32\alg.exe (44544 8c515081584a38aa007909cd02020b3d)
    Service: Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (110592 3a4982df893f198a2dfbccd4ce10f93a)
    Service: Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe (495616 46e2dac60303e69e1884daf20c9d027c)
    Service: AudioSrv C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: Automatic LiveUpdate Scheduler C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (243064 7c813eb232c7aefa627a12a104dda221)
    Service: BITS C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: Browser C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: btwdins C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe (258103 0ab7a2e4ec1a207f1caa1507552aed9b)
    Service: CryptSvc C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: DcomLaunch C:\WINDOWS\system32\svchost -k DcomLaunch
    Service: Dhcp C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: Dnscache C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: ERSvc C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: Eventlog C:\WINDOWS\system32\services.exe (108544 0e776ed5f7cc9f94299e70461b7b8185)
    Service: EventSystem C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: EvtEng C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (114753 44a95584057c2cfda9dff328232e1238)
    Service: HTTPFilter C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: IBMPMSVC C:\WINDOWS\system32\ibmpmsvc.exe (36136 35d08de36eb85f66731b7808768d512c)
    Service: IPSSVC C:\WINDOWS\system32\IPSSVC.EXE (108080 00d8e9daebe72a5df3986fd418a995eb)
    Service: Irmon C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: lanmanserver C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: lanmanworkstation C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: LmHosts C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: mozybackup C:\Program Files\MozyHome\mozybackup.exe (87344 4ad0f23c07847894dbb13314e318ea48)
    Service: MSIServer C:\WINDOWS\system32\msiexec.exe (78848 5879d691e842574a20fe63817cb76df9)
    Service: Netman C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: Nla C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: PlugPlay C:\WINDOWS\system32\services.exe (108544 0e776ed5f7cc9f94299e70461b7b8185)
    Service: PolicyAgent C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
    Service: ProtectedStorage C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
    Service: RasAuto C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: RasMan C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: RegSrvc C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (217164 99ba5c9e9e59db26180fecfc1efe7b47)
    Service: RpcSs C:\WINDOWS\system32\svchost -k rpcss
    Service: S24EventMonitor C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (540745 4dc83ba53b8c42839a32b108b9e8c145)
    Service: SamSs C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
    Service: Schedule C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: seclogon C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: SENS C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: SharedAccess C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: ShellHWDetection C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: Spooler C:\WINDOWS\system32\spoolsv.exe (57856 d8e14a61acc1d4a6cd0d38aebac7fa3b)
    Service: SSDPSRV C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: stisvc C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: SUService c:\program files\lenovo\system update\suservice.exe (32768 f08e3e3a22e170b1e4f77add1d1cd171)
    Service: TapiSrv C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: TermService C:\WINDOWS\System32\svchost -k DComLaunch
    Service: Themes C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: ThinkVantage Registry Monitor Service C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (644408 9626746a9b120d2ed537dd8d76278405)
    Service: TPHDEXLGSVC System32\TPHDEXLG.exe
    Service: TpKmpSVC C:\WINDOWS\system32\TpKmpSVC.exe (32768 dfb268ff0a6dcb9280015ff527f892ff)
    Service: TrkWks C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: TSSCoreService C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe (722480 1f7ccced8d0e539dc80fcd8db2ca0b0c)
    Service: TVT Backup Service C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe (1384448 495516af335599927bcbf446fbcb4be4)
    Service: TVT Scheduler C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (1122304 e9ea448f1174be4052416b62263ea4ee)
    Service: upnphost C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: W32Time C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: WebClient C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: winmgmt C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe (913408 f74e3d9a7fa9556c3bbb14d4e5e63d3b)
    Service: wscsvc C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: wuauserv C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
    Service: WZCSVC C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)

    O2 – BHO: (IE7Pro BHO) – {00011268-e188-40df-a514-835fcd78b1bf} – C:\Program Files\IEPro\iepro.dll (736360 80b3c5494cfd157996886da629cfa2f9)
    O2 – BHO: (Adobe PDF Reader Link Helper) – {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} – C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (59032 4ea3a6cd9d20584ffafdb1e47dbf0e20)
    O2 – BHO: (DriveLetterAccess) – {5ca3d70e-1895-11cf-8e15-001234567890} – C:\WINDOWS\System32\DLA\DLASHX_W.DLL (110652 d730dff2df12cd1a30a4186a12c60322)
    O2 – BHO: (CoIEPlg.CoIEPlgObj) – {602adb0e-4aff-4217-8aa1-95dac4dfa408} – C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll (316784 6bc066fcc66bb0ee33a618ebc65683d5)
    O2 – BHO: (Symantec Intrusion Prevention) – {6d53ec84-6aae-4787-aeee-f4628f01010c} – C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (116088 fa3e00177b57d5b2bf058d560931d750)
    O2 – BHO: (Groove GFS Browser Helper) – {72853161-30c5-4d22-b7f9-0bbc1d38a37e} – C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL (2210608 786dd1892b553efe5a004ac39775c851)
    O2 – BHO: (no name) – {7e853d72-626a-48ec-a868-ba8d5e23e045} –
    O2 – BHO: (Windows Live Sign-in Helper) – {9030d464-4c02-4abf-8ecc-5164760863c6} – C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (328752 59cf5bf6684afcf906cadad39b4214de)
    O2 – BHO: (Mouse Gestures) – {a6a49249-57ae-4295-8d4d-18a9502c7d8e} – C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll (376832 f9e933c8dd36c849543a3ad870a5fa03)
    O2 – BHO: (Windows Live Toolbar Helper) – {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} – C:\Program Files\Windows Live Toolbar\msntb.dll (546320 cee1be1da21300208d07fbeae9ea2b51)

    O3 – Toolbar: Windows Live Toolbar {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} – C:\Program Files\Windows Live Toolbar\msntb.dll (546320 cee1be1da21300208d07fbeae9ea2b51)
    O3 – Toolbar: Show Norton Toolbar {7febefe3-6b19-4349-98d2-ffb09d4b49ca} – C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (316784 6bc066fcc66bb0ee33a618ebc65683d5)

    O4 – HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (122880 125481afa36d3e3ab44e3d745dba05eb)
    O4 – HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (524288 65eb543efeb395ddf4e0bb764de089d0)
    O4 – HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (868352 ac4dbf4b495bd25f6c9b9f55da640420)
    O4 – HKLM\..\Run: [TpShocks] C:\WINDOWS\system32\TpShocks.exe (181536 686cd234bf4b816291a858782c71269b)
    O4 – HKLM\..\Run: [TP4EX] C:\WINDOWS\system32\tp4ex.exe (65536 38f143a10a8e723026499041501b9563)
    O4 – HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe (243248 3280a362fec14ebc0791f6af548c88e3)
    O4 – HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (66928 31ccbe6b693b9dfdd914c3e20be25374)
    O4 – HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (716800 81a5a2ca780340784969d2edcab0800f)
    O4 – HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe (144728 7146df9479dc9f98770dd5ba69e3e679)
    O4 – HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE (122940 3c2d6a88715f7426102b2ac2b1f9cbcb)
    O4 – HKLM\..\Run: [cssauth] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe (1996336 6902f7c3cf78150d7900cb5c13015a06)
    O4 – HKLM\..\Run: [PDService.exe] C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe (49152 c997e2accd65259e49875f4d4ba80733)
    O4 – HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (425984 de17c87e63b4a542a21114167c780e2e)
    O4 – HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (126976 cf897e774d1af68528c8995335fddc76)
    O4 – HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 – HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 – HKLM\..\Run: [IBM Warranty Notification] C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe (106496 da1dc95523484ae608853ac282b85265)
    O4 – HKLM\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (31016 38d198a2dd54a67120040566a38103ba)
    O4 – HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (51048 e67200b6ef51bbf60c14c64d60fad482)
    O4 – HKLM\..\Run: [osCheck] C:\Program Files\Norton Internet Security\osCheck.exe (714608 91535a86f6bd48baccc3d58e6653456a)
    O4 – HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (185896 89d583fc41d48328128a974c25afaeb7)
    O4 – HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (487424 58c27ebbbeb67a26484a1c50909c002c)
    O4 – HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe (124248 33d95edeef56ec73abd6a8bf76426f04)
    O4 – HKLM\..\Run: []
    O4 – HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (90112 033ff248550305ed52ed2d2844a8a11b)
    O4 – HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (59680 7a777a863431ed9a32d980448be9382a)
    O4 – HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (91688 78374c795b65347220250f15186b5c67)
    O4 – HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (925696 115332a83ac2726fa974d30db4bfd8de)
    O4 – HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (15360 5f1d5f88303d4a4dbc8e5f97ba967cc3)
    O4 – HKCU\..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\Wcescomm.exe (1289000 5515eb5e3a8b073f66cfc697eb0d4b55)
    O4 – HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe (9442584 23d7b8c29b86861e9dcba0cbbc5da4d1)
    O4 – HKCU\..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (5724184 bbfba2c7d867d11669ff6ae775f0dd09)
    O4 – HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (1695232 3e930c641079443d4de036167a69caa2)
    O4 – HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (204288 7eaed08ccca4ddde61a388c82598cfa9)
    O4 – HKLM\..\ShellServiceObjectDelayLoad: [PostBootReminder] C:\WINDOWS\system32\SHELL32.dll (8461312 0cf50b1f45dab08430c1dbb79fe2ca5b)
    O4 – HKLM\..\ShellServiceObjectDelayLoad: [CDBurn] C:\WINDOWS\system32\SHELL32.dll (8461312 0cf50b1f45dab08430c1dbb79fe2ca5b)
    O4 – HKLM\..\ShellServiceObjectDelayLoad: [WebCheck] C:\WINDOWS\system32\webcheck.dll (233472 963362c552a52bf5a9885e8f68703c07)
    O4 – HKLM\..\ShellServiceObjectDelayLoad: [SysTray] C:\WINDOWS\system32\stobject.dll (121856 50512fc9b7878e3c2c147bc17326a7db)
    O4 – HKLM\..\ShellServiceObjectDelayLoad: [WPDShServiceObj] C:\WINDOWS\system32\WPDShServiceObj.dll (133632 045e228f71c31901084b64be59093499)
    O4 – HKLM\..\Run: [dlxdyc.exe] C:\WINDOWS\system32\dlxdyc.exe (38502 35ba35dec433e42bd3a495911762ab32)
    O4 – HKLM\..\Run: [xgsslm.exe] C:\WINDOWS\system32\xgsslm.exe (38502 35ba35dec433e42bd3a495911762ab32)

    O16 – DPF: (Microsoft XML Parser for Java)- file://C:\WINDOWS\Java\classes\xmldso.cab
    O16 – DPF: {08b0e5c0-4fcb-11cf-aaa5-00401c608500} (Microsoft VM)- http://games.hinet.net/webgame/manual/msjavx86.exe
    O16 – DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class)- http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab – C:\WINDOWS\Downloaded Program Files\as2stubie.inf (289 111437964545dc8e4bd0585ba7bc06ed)
    O16 – DPF: {2dad3559-2923-4935-ad49-b673d2539944} (IASRunner Class)- https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
    O16 – DPF: {3ac7f64e-6154-47b0-82b5-764ed4077f77} (DataStorage Class)- http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
    O16 – DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class)- http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168300187046
    O16 – DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Plug-in 1.4.2)- http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab – C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll (77824 31cfe610fd747b4515213db2409d6c9f)
    O16 – DPF: {8ffbe65d-2c9c-4669-84bd-5829dc0b603c} – http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    O16 – DPF: {cafeefac-0014-0002-0000-abcdeffedcba} (Java Plug-in 1.4.2)- http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab – C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll (77824 31cfe610fd747b4515213db2409d6c9f)
    O16 – DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object)- http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 – DPF: {d91afab8-165a-11d6-b481-00b0d03f6d12} (rtf.rtfControl)- http://www.med.hku.hk/ideal/include/rtfControl.cab

    020 – HKLM\..\Notify: [ACNotify] C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll (32768 210da66ca4d2579e9220b1a8e57f8681)
    020 – HKLM\..\Notify: [AtiExtEvent] C:\WINDOWS\system32\Ati2evxx.dll (122880 d74301954d86528a08d65c98c8017939)
    020 – HKLM\..\Notify: [crypt32chain] C:\WINDOWS\system32\crypt32.dll (599040 bdaaf79dd63f194434d31a74b9bb8b77)
    020 – HKLM\..\Notify: [cryptnet] C:\WINDOWS\system32\cryptnet.dll (64512 c14350fc0d47d806699c4f907fc6785b)
    020 – HKLM\..\Notify: [cscdll] C:\WINDOWS\system32\cscdll.dll (101888 515a7fae2070c2b0242b2353443e2f11)
    020 – HKLM\..\Notify: [dimsntfy] C:\WINDOWS\System32\dimsntfy.dll (19456 e2092f0a1d7abc243f9c2362483d150d)
    020 – HKLM\..\Notify: [NavLogon]
    020 – HKLM\..\Notify: [ScCertProp] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e12649196)
    020 – HKLM\..\Notify: [Schedule] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e12649196)
    020 – HKLM\..\Notify: [sclgntfy] C:\WINDOWS\system32\sclgntfy.dll (20480 63ff9068e5bda0bc9ecd38fbbb216e24)
    020 – HKLM\..\Notify: [SensLogn] C:\WINDOWS\system32\WlNotify.dll (92672 2cc34e8bb667eef78899546e12649196)
    020 – HKLM\..\Notify: [termsrv] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e12649196)
    020 – HKLM\..\Notify: [tpfnf2] C:\Program Files\Lenovo\HOTKEY\notifyf2.dll (34344 0c3e484bf4aec2749a9f4d0a91870780)
    020 – HKLM\..\Notify: [tphotkey] C:\Program Files\Lenovo\HOTKEY\tphklock.dll (28672 451cd42b003ab6a04346db4abc624717)
    020 – HKLM\..\Notify: [WB] C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll (24576 9f884c45f10aaee442d4370ba90a1f89)
    020 – HKLM\..\Notify: [WgaLogon] C:\WINDOWS\system32\WgaLogon.dll (236928 d7dcfb4d0c58ffb569de93e1681fd37a)
    020 – HKLM\..\Notify: [wlballoon] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e12649196)

    I’ve also posted this in Techsupportforum and I’ll update you all if I received any updates from there. Once again thank you in advance.
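A note added here for anyone reading the log above (example code, not from the post, the replies or X-RayPc): the two unknown system32 files the poster mentions, dlxdyc.exe and xgsslm.exe, carry the same size (38502) and the same MD5 in the log, and both have an HKLM Run entry, whereas legitimate repeats such as svchost.exe repeat their hash under one file name only. The script below parses the X-RayPc "(size md5)" line format, flags any hash seen under more than one file name, the empty "[]" Run value and the "(no name)" BHO with no DLL behind it, and prints reg.exe commands for the flagged named Run values. SAMPLE_LOG is a constructed excerpt modelled on the posted log; the full key path behind the log's abbreviated "HKLM\..\Run" is assumed to be the standard HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

```python
"""Triage an X-RayPc / HijackThis-style startup log for the signs visible in the post.
Added example, not code from the post or from X-RayPc. Flags one binary (same size and MD5)
under several file names, empty Run values and BHO CLSIDs with no backing DLL, then emits
reg.exe commands for the flagged named Run values. SAMPLE_LOG is a constructed excerpt."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e18)
C:\WINDOWS\system32\dlxdyc.exe (38502 35ba35dec433e42bd3a495911762ab32)
C:\WINDOWS\system32\xgsslm.exe (38502 35ba35dec433e42bd3a495911762ab32)

O2 – BHO: (no name) – {7e853d72-626a-48ec-a868-ba8d5e23e045} –
O2 – BHO: (Windows Live Toolbar Helper) – {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} – C:\Program Files\Windows Live Toolbar\msntb.dll (546320 cee1be1da21300208d07fbeae9ea2b51)

O4 – HKLM\..\Run: []
O4 – HKLM\..\Run: [dlxdyc.exe] C:\WINDOWS\system32\dlxdyc.exe (38502 35ba35dec433e42bd3a495911762ab32)
O4 – HKLM\..\Run: [xgsslm.exe] C:\WINDOWS\system32\xgsslm.exe (38502 35ba35dec433e42bd3a495911762ab32)
O4 – HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (15360 5f1d5f88303d4a4dbc8e5f97ba967cc3)
"""

# Optional "(size md5)" suffix X-RayPc appends to each file; the log separates fields with an en dash.
HASH_SUFFIX = r"(?:\s*\((?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})\))?\s*$"
DASH = r"\s+[–-]\s+"
PROCESS_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)" + HASH_SUFFIX)
RUN_RE = re.compile(r"^O4" + DASH + r"(?P<where>HK[A-Z]+)\\\.\.\\Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<path>.*?)"
                    + HASH_SUFFIX)
BHO_RE = re.compile(r"^O2" + DASH + r"BHO:\s*\((?P<name>[^)]*)\)" + DASH
                    + r"\{(?P<where>[0-9a-fA-F-]+)\}\s*[–-]?\s*(?P<path>.*?)" + HASH_SUFFIX)
PATTERNS = (("run", RUN_RE), ("bho", BHO_RE), ("process", PROCESS_RE))


@dataclass
class Entry:
    kind: str            # "run", "bho" or "process"
    name: str            # Run value name, BHO display name or process file name
    path: str            # logged file path; "" when nothing backs the entry
    size: "int | None"
    md5: "str | None"
    where: str           # hive for Run values, CLSID for BHOs, "" for processes


def parse_log(text):
    """One Entry per recognised line; other lines (Service:, O16, ...) are ignored."""
    entries = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                g = m.groupdict()
                path = g["path"].strip()
                size = int(g["size"]) if g["size"] else None
                md5 = g["md5"].lower() if g["md5"] else None
                entries.append(Entry(kind, g.get("name") or ntpath.basename(path), path,
                                     size, md5, g.get("where") or ""))
                break
    return entries


def find_clones(entries):
    """Same (size, MD5) under two or more different file names; svchost.exe repeating under ONE name is not flagged."""
    names_by_hash = defaultdict(set)
    for e in entries:
        if e.md5:
            names_by_hash[(e.size, e.md5)].add(ntpath.basename(e.path).lower())
    return {h: sorted(n) for h, n in names_by_hash.items() if len(n) > 1}


def suspicious_run_values(entries):
    """Run values worth removing, each paired with the reason it was flagged."""
    clone_names = {n for names in find_clones(entries).values() for n in names}
    hits = []
    for e in (e for e in entries if e.kind == "run"):
        if not e.name and not e.path:
            hits.append((e, "empty Run value with no command"))
        elif ntpath.basename(e.path).lower() in clone_names:
            hits.append((e, "same binary as another entry under a different name"))
    return hits


def orphaned_bhos(entries):
    """BHO CLSIDs registered with no DLL path behind them."""
    return [e for e in entries if e.kind == "bho" and not e.path]


# Assumed full key behind the log's abbreviated HKLM\..\Run and HKCU\..\Run (the standard location).
RUN_KEYS = {"HKLM": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}


def reg_delete_commands(entries):
    """reg.exe commands for the flagged *named* Run values. Run them only once the binaries are
    no longer executing (Safe Mode), since a live copy can write the values straight back."""
    return [f'reg delete "{RUN_KEYS[e.where]}" /v "{e.name}" /f'
            for e, _ in suspicious_run_values(entries) if e.name and e.where in RUN_KEYS]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e, reason in suspicious_run_values(found):
        print(f"RUN    {e.where} [{e.name}] {e.path} -- {reason}")
    for e in orphaned_bhos(found):
        print(f"BHO    {{{e.where}}} ({e.name}) has no file")
    print("\n".join(reg_delete_commands(found)))
```

Run as is it reports the two clones, the empty Run value and the orphaned BHO from the sample; on the real log, call parse_log on the file contents read as UTF-8. Deleting the Run values only stops the autostart: the files themselves, and whatever keeps relaunching them, still have to be removed while Windows is not running them.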

    • #2912693

      Clarifications

      by jameswesleycheng ·

      In reply to Safemode, Norton Hijackthis Blocked, Computer crashes with blue screen etc

      Clarifications

    • #2912683

      You didn’t last long :)

      by rob miners ·

      In reply to Safemode, Norton Hijackthis Blocked, Computer crashes with blue screen etc

      Download an emergency copy of SAV32CLI. http://www.sophos.com/support/knowledgebase/article/13251.html Install it and extract the IDE files to the SAV32CLI folder, then copy it to a medium that can be write-protected, e.g. a CD-ROM or flash stick.

      Restart the computer in Safe Mode. Go to Start|Shut Down. Select ‘Restart’ from the dropdown list and click ‘OK’. Windows will restart. Press F8 when you see the following text at the bottom of the screen “For troubleshooting and advanced startup options for Windows 2000, press F8”. In the Windows 2000 Advanced Options Menu, select the third option ‘Safe Mode with Command Prompt’.
      At the affected computer, place the CD in the CD drive (D: in this example). At the command prompt type

      D:

      to access the CD drive. Type: CD SAV32CLI

      Then type: SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

      to remove the file.

      Before leaving Safe Mode, check the Log File to make sure that everything has been removed, this should give you the Name of the Virus.

      Download Spybot – Search & Destroy 1.5.2 and install it. Update it. http://www.safer-networking.org/en/download/index.html

      Run it after Sophos in Safe Mode and check to make sure that it can remove everything.

      If you can’t get the others to work, use this as a last resort.

      avast! Virus Cleaner – free virus removal tool: http://www.avast.com/eng/avast-virus-cleaner.html

      Let us know how you get on.

      < add a bit >

      Start, run and type in msconfig and press Enter

      Click on the Boot.ini Tab and tick SafeBoot

      This should get you into Safe Mode.

      • #2912681

        While not related to the above fix

        by oh smeg ·

        In reply to You didn’t last long :)

        You should purchase a Cool Pad for the NB as well to keep things cool and clean on the air intakes and CPU and other Heat sinks that are cooled by the Systems Fan/s.

        Something like this

        http://tinyurl.com/ny8zn

        Will help the NB to keep working but will do nothing to prevent infections. You should be able to pickup a cheap no name copy where you are that will do the job. 😀

        Col

      • #2912675

        Yehh… ’twas naught but false hope

        by jameswesleycheng ·

        In reply to You didn’t last long :)

        Hehe.. thanks. Trying as you speak.

        The *thing* tried closing my WinZip self-extractor for the Sophos AV, but I kept on competing with it speedwise and overcame it by having a sticky Enter key.

        So far:
        Could not open boot.ini.
        Could not open a certain message_id in opera\mail\indexer

        Seems to have made progress, though, because at least the program runs, unlike PCTools and Norton and Trend Micro and every AV that I tried…

        • #2912674

          Found virus.. yay

          by jameswesleycheng ·

          In reply to Yehh… ’twas naught but false hope

          Mal/Behav-043
          Mal/Behav-132
          Emogen-E

          All in Temp Internet Files\IE5

          And to think that I’m safe by not using IE… hehe

        • #2912672

          Turn off

          by rob miners ·

          In reply to Yehh… ’twas naught but false hope

          System Restore, as it could be lurking in there too.

          Can you run regedt32?

          Start, Run and type in regedt32 and press Enter. Navigate to Run.

          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

          and delete these two files.

          dlxdyc.exe

          xgsslm.exe

        • #2912667

          oh no…

          by jameswesleycheng ·

          In reply to Turn off

          Cannot uncheck boot.ini /safeboot. MSConfig crashes immediately

          Sophos Antivirus was closed the moment it finished scanning. Not that I should have run it in normal mode anyway.

          Cannot open registry through Run or by 3rd party software like registry booster.

          Not looking good.

        • #2912663

          Wow..

          by jameswesleycheng ·

          In reply to oh no…

          Blocked bootsafe as well.

          Also blocks update modes of spyeraser and spybot.

          Tried Avant Antivirus before; it just closes the installation program since the program has the word antivirus in it. Basically it tries to close ANYTHING that has the word Virus in the title. Even if I search Virus on Wiki.

          Did an experiment by downloading an HTML page and renaming it without the word Virus in the title and it works fine.

          This thing does have some class

        • #2912622

          OK then you need something that can run off a boot Disc

          by oh smeg ·

          In reply to Wow..

So that Windows and the infection/s are not loaded. Do you have access to a Live Linux CD? Here I would use Knoppix myself and try an online scan and removal.

But to be quite honest, when I run into things like this I just save the data on the drive and then blow away the entire thing, wipe the drive so everything is destroyed and then do a clean install. It’s faster, easier and better that way, and cheaper for the customer as well.

The T60 should have a Recovery Partition on the HDD, so you should be able to format the drive and rebuild the original factory software install from there. Of course if the writers of this piece of junk took that into account it may reappear on the new install and put you right back into this position again.

This happens because when you format a drive only every third sector is accessed by the Windows format utility, so there are two thirds of the drive left untouched, which can allow infections to carry on unaffected.

Not much help, but that’s how things happen.

          Col

        • #2912614

          I agree with Col

          by dumphrey ·

          In reply to OK then you need something that can run off a boot Disc

Even with good CD-ROM media (Knoppix, UBCD4WIN, AV rescue disk, etc.) it can take 2-5 hours to clean out a deeply rooted virus, and even then you never really know…
Use a live CD to copy your data to a CD/USB stick and reload the OS from scratch. I would format the system partition et al. Personally, I would delete all partitions before starting the install from a clean disk, though the OEM restore partition should be safe.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Both are good tools if you cannot wipe out a disk. Process Monitor will allow you to “sleep” several virus/trojan/worm processes and delete them as a group to get around the issue of a process watching and restarting an infection process.

        • #2913625

          Blocked Autorun

          by jameswesleycheng ·

          In reply to OK then you need something that can run off a boot Disc

          Thanks… so that means I’ll have to stagger on until I head back to Hong Kong and get my disk.

          Yeh it has a recovery partition.

Process Explorer could block the processes the virus opens, while Sophos identified the virus without being able to eliminate it. Couldn’t open Autoruns though.

          (This would have been so much easier if I were at home – just backup and wipe everything out… most of the time no need to see what the heck is happening… but no point in complaining here)

I searched one of the processes Sophos found and here’s a report from ThreatExpert. Basically this process disables safe mode…

          http://72.14.235.104/search?q=cache:0vc3FeldeAgJ:www.threatexpert.com/report.aspx%3Fuid%3Da9c6be3b-481b-4414-8f90-9655c3bb2dd1+muwdcwm&hl=en&ct=clnk&cd=1

          And I guess the registry changes disabled all my antivirus and stuff?

        • #2913620

          Call IBM

          by shhite ·

          In reply to OK then you need something that can run off a boot Disc

          Why dont you call IBM and see if you can get another recovery disk for your computer. It might not be free but should be worth the cost so you don’t have to fight with the computer until august.

        • #2913591

          PROGRESS, FINALLY, Regedit back up, Browser no longer auto-closes

          by jameswesleycheng ·

          In reply to OK then you need something that can run off a boot Disc

          Okay I guess I’ll give that a try as a last resort… Thanks for the suggestion though.. hehe

BTW, I tried indigenously renaming some antivirus files and they could run after that… let me test the effects now.

          Edit:

          Made some progress, renamed files and changed registry using autorun,
          There was a Debugger = “ntsd -d” for all files mentioned here: http://www.threatexpert.com/report.aspx?uid=a9c6be3b-481b-4414-8f90-9655c3bb2dd1

          Edit2: Blocked the virus processes that started in startup and blocked regedit using autoruns, then deleted the registry stuff.

          Got Norton back up.

          Got bold and reentered all the deleted stuff/modified stuff in the registry – first time I dared myself to do that.. see how desperation changes a man.. hehe

          Should be fine now.. I’ll keep you posted.

    • #2913529

      Can you try this

      by rob miners ·

      In reply to Safemode, Norton Hijackthis Blocked, Computer crashes with blue screen etc

      as you won’t get on top of it until you can get into Safe Mode.

      Restoring Safe Mode with a .REG file

      • #2905066

        Whoops.. replied to wrong topic

        by jameswesleycheng ·

        In reply to Can you try this

        But yeh, solved the problem except the overheating problem, ran a few more scans to verify that. But the blue-screen crash still persists though – I guess it’s because of overheating?

        • #2913975

          Can you

          by rob miners ·

          In reply to Whoops.. replied to wrong topic

          PM me your Minidump files. Check below for instructions.

          Minidump Files can be found here. C:\WINDOWS\Minidump\Mini122707-02.dmp

          My Computer, Properties, Advanced, Startup and Recovery and untick Automatically restart. While you are there make sure that Small memory dump (64 KB) is selected and the output is %SystemRoot%\Minidump. The Blue Screen will dump the Minidump file.

        • #2913834

          I would really suggest that you invest in a Cool Pad

          by oh smeg ·

          In reply to Whoops.. replied to wrong topic

          Personally I don’t sell a NB and offer any Guarantee above the makers without one being used. In every case where I sell a Cool Pad and it is used there just are not any problems with the NB sucking in dust and other junk blocking the airways and no chance of the NB picking up anything on the desk blocking the airways. I have not had a single case of Overheating in any NB that I sell with a Cool Pad and now my clients are buying their own for any NB’s that I haven’t supplied them as they have much better results.

          Col

        • #2914239

          Okies

          by jameswesleycheng ·

          In reply to I would really suggest that you invest in a Cool Pad

          I’ll scout for one this weekend =)

          Thanks

    • #2913730

      Along with some excellent advice from OH Smeg

      by rob miners ·

      In reply to Safemode, Norton Hijackthis Blocked, Computer crashes with blue screen etc

Can you check the location of these two files and see if they are legitimate. Update all of your motherboard device drivers, i.e. video and chipset.

      intelppm.sys

The process Processor Device Driver belongs to the software Microsoft® Windows® Operating System or Intel Processor Driver by Microsoft Corporation (www.microsoft.com).

Description: intelppm.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 36096 bytes (90% of all occurrences), 39424 bytes.
The driver can be started or stopped from Services in the Control Panel or by other programs. The program has no visible window. The file is a trustworthy file from Microsoft.

Important: Some malware camouflages itself as intelppm.sys, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check the intelppm.sys process on your PC to see whether it is a pest.

      NDIS.sys

The process NDIS 5.1 wrapper driver or NDIS 6.0 wrapper driver belongs to the software Microsoft® Windows® Operating System or NDIS System Driver by Microsoft Corporation (www.microsoft.com).

Description: File NDIS.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 182912 bytes (88% of all occurrences), 167552 bytes, 500840 bytes, 182528 bytes, 266500 bytes.
The driver can be started or stopped from Services in the Control Panel or by other programs. The file is a Windows core system file. The program is not visible. It is a Microsoft signed file. The service has no detailed description. NDIS.sys seems to be a compressed file. Therefore the technical security rating is 1% dangerous; however, also read the users’ reviews.

Important: Some malware camouflages itself as NDIS.sys, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check the NDIS.sys process on your PC to see whether it is a pest.

      pifCrawl.exe

      Appears to be part of Norton.

      ati2mtag.sys

      driver from ATI Technologies Inc

      • #2914240

        Hmm…

        by jameswesleycheng ·

        In reply to Along with some excellent advice from OH Smeg

        intelppm.sys: 36352 bytes
        ndis.sys: 182656 bytes

Doing a driver update now. What should I do about the NDIS.sys?

        • #2914237

          What service pack

          by rob miners ·

          In reply to Hmm…

          are you running?

          Just to be on the safe side when you finish do an online scan with Bitdefender.

          http://www.bitdefender.com/scan8/ie.html

          BitDefender RootkitUncover

          http://www.majorgeeks.com/BitDefender_RootkitUncover_d5157.html

When you think that you are clean, re-enable System Restore.

        • #2914209

          SP3

          by jameswesleycheng ·

          In reply to What service pack

          Which was installed during the outbreak of the virus… should I reinstall it?

        • #2914203

          Not just yet

          by rob miners ·

          In reply to SP3

          where was ndis.sys found?

          If it was found in either of these places delete it.

          c:\windows or c:\windows\system32

          How did the online scan go?

Are you still having problems?

        • #2914042

          Seems fine now…

          by jameswesleycheng ·

          In reply to Not just yet

It’s in the /drivers folder so it should be fine.

          Been having problems switching the computer off – have to manually force every process to end. Didn’t happen after a system scan and some driver updates though.

          Just finished running the scan. Bitdefender detected a yqbbih.nls, part of the safeboot hijack virus that I thought to have totally removed. Seems that SAV32CLI didn’t delete the whole virus.

          Norton also presented with a Backdoor Greybird warning and is currently unable to update its virus definitions. I’ll see if it works after reboot now that yqbbih.nls is deleted.

        • #2914005

          Go back into

          by rob miners ·

          In reply to Seems fine now…

          Safe Mode and run Avast again along with Spybot.

          keep in touch.

        • #2925738

          Hmm..

          by jameswesleycheng ·

          In reply to Seems fine now…

          Ran both and no problems were found, but I still get the blue screen crash problem on RAM intensive activities including when I change CD Roms during installation of software.

          And the resource hog Norton still refuses to admit that it’s got up-to-date definitions despite continuous live updates.

          Weird.

    • #2925731

      Send me

      by rob miners ·

      In reply to Safemode, Norton Hijackthis Blocked, Computer crashes with blue screen etc

      your latest minidumps. Then we will see where we go from there.

    • #2925694

      This should sort that out

      by rob miners ·

      In reply to Safemode, Norton Hijackthis Blocked, Computer crashes with blue screen etc

      Boot into Safe Mode and follow these instructions.

      Start Task Manager, Ctrl+Alt+Del and select the Processes tab, select these processes and click End Process

      Stop the following Backdoor.GrayBird processes:

      -396109520.exe

      50b825f5.exe

      930905eb.exe

      backdoor.graybird.c.exe

      backdoor.graybird.e.exe

      backdoor.graybird.f.exe

      backdoor.graybird.m.exe

      backdoor.graybird.p.exe

      backdoor.graybird.w.exe

      h_client.exe

      brc_Server.exe

      WINDOWS111.exe

      Server1.2.exe

      Hacker.com.cn.exe

      GrayPigeon.exe

      prsvr.exe

      VPort1.1.exe

      Then run regedt32:

      Remove the following Backdoor.GrayBird registry key:

      SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\RAVMOND

      Click Start, Run and type in cmd then press Enter.

Type in regsvr32 /u filename.dll, where filename.dll is each of the files below that you need to unregister, and press Enter.

      backdoor.graybird.l.dll

      backdoor.graybird.l[2].dll

      backdoor.graybird.m.dll

      backdoor.graybird.s.dll

      brc_Server.dll

      Open Explorer and locate and delete the following Backdoor.GrayBird files:

      -396109520.exe

      50b825f5.exe

      930905eb.exe

      backdoor.graybird.c.exe

      backdoor.graybird.e.exe

      backdoor.graybird.f.exe

      backdoor.graybird.m.exe

      backdoor.graybird.p.exe

      backdoor.graybird.w.exe

      h_client.exe

      backdoor.graybird.l.dll

      backdoor.graybird.l[2].dll

      backdoor.graybird.m.dll

      backdoor.graybird.s.dll

      cserver.dat

      cserver_dll.dat

      h_client.chs

      h_client.cht

      heibai.net.txt

      help.chm

      operate.ini

      sserver.dat

      brc_Server.dll

      brc_Server.exe

      RAVMOND

      WINDOWS111.exe

      Server1.2.exe

      Hacker.com.cn.exe

      GrayPigeon.exe

      prsvr.exe

      VPort1.1.exe

      cmdle.com
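The Run-key entries Rob Miners asked to have deleted earlier (dlxdyc.exe, xgsslm.exe), the `Debugger = "ntsd -d"` Image File Execution Options entries James found with Autoruns, the RunServices\RAVMOND key in the GrayBird procedure above and the deleted SafeBoot key can all be picked out of a registry export before touching the infected machine again. The script below is an added example written for this page, not the thread's own tooling or any vendor's; it assumes a `.reg` file produced with `reg export HKLM hklm.reg` on the infected box, and the function names (`parse_reg`, `analyze`, `remediation_reg`), the IOC list and the sample export are constructed for illustration.

```python
"""Offline triage of a Windows registry export (.reg): IFEO "Debugger" hijacks that
stop tools from launching, Run/RunServices autostart entries, and a missing SafeBoot key."""
import re
from typing import Dict, List

KeyValues = Dict[str, Dict[str, str]]
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                      "\\currentversion\\runservices", "\\currentversion\\runservicesonce")
IFEO_MARK = "\\currentversion\\image file execution options\\"
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
SAFEBOOT_MODES = ("Minimal", "Network")

def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text: str) -> KeyValues:
    """REGEDIT5 text -> {key: {value_name: data}}; REG_SZ unescaped, hex/dword kept raw."""
    keys: KeyValues = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()                    # hex continuation lines match neither regex
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def _exe_basename(command: str) -> str:
    """First path component ending in .exe, lowercased (best effort)."""
    m = re.search(r'[^\\"]+?\.exe', command, re.IGNORECASE)
    return m.group(0).lower() if m else command.strip().lower()

def analyze(keys: KeyValues, ioc_names: List[str]) -> List[dict]:
    """Return finding dicts (kind, key, plus kind-specific fields)."""
    iocs = {n.lower() for n in ioc_names}
    findings: List[dict] = []
    saw_control = False
    safeboot_seen = {mode: False for mode in SAFEBOOT_MODES}
    for key, values in keys.items():
        k = key.lower()
        if IFEO_MARK in k:
            dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
            if dbg is not None:               # e.g. "ntsd -d": the target never gets to run
                findings.append({"kind": "ifeo_debugger", "key": key,
                                 "exe": key.rsplit("\\", 1)[-1], "debugger": dbg})
        if k.endswith(AUTOSTART_SUFFIXES):
            for name, data in values.items():
                hit = name.lower() in iocs or _exe_basename(data) in iocs
                findings.append({"kind": "autostart", "key": key, "name": name,
                                 "command": data, "ioc_match": hit})
        saw_control = saw_control or "\\currentcontrolset\\control\\" in k
        for mode in SAFEBOOT_MODES:
            safeboot_seen[mode] |= k.startswith(f"{SAFEBOOT_KEY}\\{mode}".lower())
    if saw_control:                           # SYSTEM hive was exported but SafeBoot is gone
        findings += [{"kind": "safeboot_missing", "key": f"{SAFEBOOT_KEY}\\{mode}"}
                     for mode in SAFEBOOT_MODES if not safeboot_seen[mode]]
    return findings

def remediation_reg(findings: List[dict]) -> str:
    """.reg that deletes IFEO Debugger values and IOC-matching autostart values
    ("name"=- removes one value). SafeBoot must be restored from a known-good export."""
    removals: Dict[str, List[str]] = {}
    for f in findings:
        if f["kind"] == "ifeo_debugger":
            removals.setdefault(f["key"], []).append("Debugger")
        elif f["kind"] == "autostart" and f["ioc_match"]:
            removals.setdefault(f["key"], []).append(f["name"])
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in removals.items():
        out += [f"[{key}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\n".join(out)

# Constructed sample export modelled on the thread; not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"xgsslm"="C:\\WINDOWS\\system32\\xgsslm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RAVMOND"="C:\\WINDOWS\\system32\\RAVMOND.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,00,00,00,00
"""
IOCS = ["xgsslm.exe", "dlxdyc.exe", "RAVMOND"]     # names posted in the thread
```

A real export from `reg export` is UTF-16 with a BOM, so read it with `open(path, encoding="utf-16")` before passing it to `parse_reg`. Merge the generated file with `reg import fix.reg` from a command prompt rather than by double-clicking it, since regedit.exe was itself on the IFEO hit list; check that reg.exe and cmd.exe are not. A missing SafeBoot\Minimal or SafeBoot\Network key cannot be rebuilt from the infected export and has to come from a known-good export of the same XP service pack, which is what the “Restoring Safe Mode with a .REG file” suggestion above points at.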

      • #2925685

        Hmmm…

        by jameswesleycheng ·

        In reply to This should sort that out

Couldn’t find any of the files/entries. I’d already removed the registry entry the first time I was attacked last week. Norton might’ve removed the rest of the files despite prompting that it couldn’t remove them.

        • #2925461

          A bit more

          by rob miners ·

          In reply to Hmmm…

          ati2mtag.sys Has this driver been updated.

          Check the memory.
          You can test the memory by running Windows Memory Diagnostic that can be downloaded from http://oca.microsoft.com/en/windiag.asp. If memory problems are found, try re-seating the RAM. If it doesn’t work, replace the defective RAM.

          fltmgr.sys

Probably caused by Norton, which has become corrupted. Uninstall it and either reinstall it or try Avast, which will require registering within a month.

        • #2926654

          Hmm..

          by jameswesleycheng ·

          In reply to A bit more

          no probs with the RAM according to the test…

          I guess the fan chip just got fried maybe. I’ll be back in HK in two weeks, so I guess I’ll survive.. hehe

          Thanks everyone for helping out though =)

        • #2927005

          No Problems :)

          by rob miners ·

          In reply to Hmm..

          glad we could help.

    • #2810180

      easy way to solve

      by adithiyan ·

      In reply to Safemode, Norton Hijackthis Blocked, Computer crashes with blue screen etc

Just press F2 at startup.
A boot menu appears.
On the main tab
select Boot
and choose IDE.
Save the settings
and restart.
If it does not work, visit me @ adhithiya_1994@yahoo.co.in
