Software

Question

Locked

Safemode, Norton Hijackthis Blocked, Computer crashes with blue screen etc

By jameswesleycheng ·
Thank you very much in advance for helping me out. I'm currently on an internship in Vietnam and don't exactly speak the language here, which translate into "damnit I can't get techies to do all the work for me". I'd really appreciate it if someone could shed some light on how to save my poor laptop or at least stall the problem until I get back to Hong Kong in August. So without further ado:

Main symptoms:
- Cannot enter safemode and crashes with blue screen
- Computer crashes with blue screen (photo: http://fc01.deviantart.com/fs32/f/2008/1**/b/f/Crash_crash_crash_by_Unidentifiedname.jpg)
- It used to crash once in a while and I thought it was because of overheating, but today it crashed 7 times and blocked Norton, and I guessed something fishy is going on
- Norton Internet Security cannot be opened
- All Microtrend software including Hijackthis cannot be run
- Any weblink that contains the term "antivirus" will be closed upon opening (sounds really like a worm) - tried Opera, IE, Firefox, Safari
- Unknown file xgsslm.exe reopens after force-closing. It says it's from system32 but I can't find it even though I have hidden files on. Couldn't find anything about this file from google search.
- MS Config can be opened but cannot be closed
- Computer overheats

History: (http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=267679&messageID=2536696)
- 3 weeks of CPU and GPU overheating despite the Laptop fan running at 3400 rpm (see link: http://unidentifiedname.deviantart.com/art/Screenshot-Overheating-Comp-90235694)
- Symptom subsided after disabling winblinds and updating computer through the Lenovo support center
- Relapsed after 2 days, in the form of Norton incapable of updating itself (definitions stuck on 26th June)

Specs:
IBM Lenovo T60 Laptop
ATI Radeon Mobility X1400
IBM Thinkpad T60 Dual core 2.0 GHz 1GB RAM
80 GB Harddisk with 12% freespace
1 GB RAM
Windows XP Home SP 3

Remarks:
- I ran Uniblue Spyeraser and it showed no results, Registry Mechanic showed nothing wrong.
- Browsers run fine until I click on a link that has the term "antivirus" in the url and it just closes. If I'm quick enough to close the tab upon restarting the browser then it stops closing down by itself.
- Connected to the network in office through WiFi. I know one of the computers in the office is in deep crap, so it could be some contagiuos infection.

Log:
Since I couldn't run Hijackthis, I installed X-RayPc and generated a log through that:

Logfile of X-RayPc Build 39029 (Installed 1215655216)
Scan saved at 10/7/2008 2:00:32

Registry Settings:
IE Start Page (User) :
IE Start Page (Global) : http://go.microsoft.com/fwlink/?LinkId=6**57
IE Blank Page : C:\WINDOWS\system32\blank.htm
IE Default Page : http://go.microsoft.com/fwlink/?LinkId=6**57
IE Search Page (User) : http://www.google.com
IE Search Page (Global) : http://go.microsoft.com/fwlink/?LinkId=54896
IE Default Search : http://go.microsoft.com/fwlink/?LinkId=6**57
HOSTS Directory : %SystemRoot%\System32\drivers\etc

C:\WINDOWS\system32\services.exe (108544 0e776ed5f7cc9f94299e70461b7b8185)
C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
C:\WINDOWS\system32\ibmpmsvc.exe (36136 35d08de36eb85f66731b7808768d512c)
C:\WINDOWS\system32\Ati2evxx.exe (495616 46e2dac60303e69e1884daf20c9d027c)
C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (114753 44a95584057c2cfda9dff328232e123
C:\WINDOWS\system32\Ati2evxx.exe (495616 46e2dac60303e69e1884daf20c9d027c)
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (540745 4dc83ba53b8c42839a32b108b9e8c145)
C:\WINDOWS\system32\spoolsv.exe (57856 d8e14a61acc1d4a6cd0d38aebac7fa3b)
C:\WINDOWS\system32\IPSSVC.EXE (108080 00d8e9daebe72a5df3986fd418a995eb)
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (86016 5ef5625e1e5a2c2503e0a9c8b83cdb2b)
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (110592 3a4982df893f198a2dfbccd4ce10f93a)
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (243064 7c813eb232c7aefa627a12a104dda221)
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe (258103 0ab7a2e4ec1a207f1caa1507552aed9b)
C:\Program Files\MozyHome\mozybackup.exe (87344 4ad0f23c07847894dbb13314e318ea4
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (217164 99ba5c9e9e59db26180fecfc1efe7b47)
C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (644408 9626746a9b120d2ed537dd8d76278405)
C:\WINDOWS\System32\TPHDEXLG.exe (37424 3663c0f611711dac453636af562f0831)
C:\WINDOWS\system32\TpKmpSVC.exe (32768 dfb268ff0a6dcb9280015ff527f892ff)
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe (1384448 495516af335599927bcbf446fbcb4be4)
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (1122304 e9ea448f1174be4052416b62263ea4ee)
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe (188416 7e9fde9e2a36137839e12bc8331a8fef)
c:\program files\lenovo\system update\suservice.exe (32768 f08e3e3a22e170b1e4f77add1d1cd171)
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe (118784 64d1f2a20efa778f1a1fdcc72c53f66f)
C:\WINDOWS\system32\wscntfy.exe (13824 f92e1076c42fcd6db3d72d8cfe9816d5)
C:\WINDOWS\system32\ctfmon.exe (15360 5f1d5f88303d4a4dbc8e5f97ba967cc3)
C:\WINDOWS\Explorer.EXE (1033728 12896823fb95bfb3dc9b46bcaedc9923)
C:\WINDOWS\system32\dlxdyc.exe (38502 35ba35dec433e42bd3a495**1762ab32)
C:\WINDOWS\system32\xgsslm.exe (38502 35ba35dec433e42bd3a495**1762ab32)
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (122880 125481afa36d3e3ab44e3d745dba05eb)
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (524288 65eb543efeb395ddf4e0bb764de089d0)
C:\WINDOWS\system32\TpShocks.exe (181536 686cd234bf4b816291a858782c71269b)
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe (243248 3280a362fec14ebc0791f6af548c88e3)
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (66928 31ccbe6b693b9dfdd914c3e20be25374)
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe (144728 7146df9479dc9f98770dd5ba69e3e679)
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe (75040 c017c4a30f1783284207b5654898ace3)
C:\WINDOWS\System32\DLA\DLACTRLW.EXE (122940 3c2d6a88715f7426102b2ac2b1f9cbcb)
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe (1996336 6902f7c3cf78150d7900cb5c13015a06)
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe (4**52 c997e2accd65259e49875f4d4ba80733)
C:\Program Files\Lenovo\Zoom\TpScrex.exe (111904 b8c77332394d978dd23c3687a459ec67)
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (425984 de17c87e63b4a542a21114167c780e2e)
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe (124248 33d95edeef56ec73abd6a8bf76426f04)
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (126976 cf897e774d1af68528c8995335fddc76)
C:\WINDOWS\system32\rundll32.exe (33280 037b1e7798960e0420003d05bb577ee6)
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (31016 38d198a2dd54a67120040566a38103ba)
C:\WINDOWS\system32\conime.exe (27648 abc9002269e569538901109441660dd2)
C:\Program Files\Common Files\Real\Update_OB\realsched.exe (185896 89d583fc41d48328128a974c25afaeb7)
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (487424 58c27ebbbeb67a26484a1c50909c002c)
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe (124248 33d95edeef56ec73abd6a8bf76426f04)
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (59680 7a777a863431ed9a32d980448be9382a)
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE (4**52 e681281d9bfc9d45d3b72532717e5880)
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (**688 78374c795b65347220250f15186b5c67)
C:\Program Files\Analog Devices\Core\smax4pnp.exe (925696 115332a83ac2726fa974d30db4bfd8de)
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe (1289000 5515eb5e3a8b073f66cfc697eb0d4b55)
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe (9442584 23d7b8c29b86861e9dcba0cbbc5da4d1)
C:\Program Files\Messenger\msmsgs.exe (1695232 3e930c641079443d4de036167a69caa2)
C:\Program Files\Windows Media Player\WMPNSCFG.exe (204288 7eaed08ccca4ddde61a388c82598cfa9)
C:\PROGRA~1\MICROS~3\rapimgr.exe (199464 7d4a768dea3dc643cbb65222d5b1377b)
C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (581693 7f37e078e3b80f33921946880c9cef7e)
C:\Program Files\Digital Line Detect\DLG.exe (50688 f03ffc962e18f36a922e61f96be09925)
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe (2074360 e471429971566a7da7b123a8cd2e504
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe (4**52 25ca1677aaa3cdc99cd4fcf940886f3c)
C:\WINDOWS\system32\msiexec.exe (78848 5879d691e842574a20fe63817cb76df9)
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe (397381 3ac4e603c4f070c039c29edbc45d7de6)
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe (118336 7fa0aa2f3daba5beb2c4ac1eec054efa)
C:\Program Files\PCDR5\pcdr5cuiw32.exe (11949856 f835804a059a3ae6979a6fe8ed7eb990)
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe (71288 6c37ad8c2212d3ddc456bb48a3aa398e)
C:\Program Files\Opera\opera.exe (98816 56765388a6fa93c76128af9ef679ac0d)
C:\Program Files\PCDR5\pcdrsmart.p5x (40448 b376dac5b653fb57bcf62f7b46ed4b64)
C:\Documents and Settings\James Wesly Cheng\Desktop\x-raypc.exe (348928 df5ba440e4384adcd1a0bf653da84387)

Service: AcPrfMgrSvc C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (86016 5ef5625e1e5a2c2503e0a9c8b83cdb2b)
Service: AcSvc C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe (188416 7e9fde9e2a36137839e12bc8331a8fef)
Service: ALG C:\WINDOWS\System32\alg.exe (44544 8c515081584a38aa007909cd02020b3d)
Service: Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (110592 3a4982df893f198a2dfbccd4ce10f93a)
Service: Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe (495616 46e2dac60303e69e1884daf20c9d027c)
Service: AudioSrv C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Automatic LiveUpdate Scheduler C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (243064 7c813eb232c7aefa627a12a104dda221)
Service: BITS C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Browser C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: btwdins C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe (258103 0ab7a2e4ec1a207f1caa1507552aed9b)
Service: CryptSvc C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: DcomLaunch C:\WINDOWS\system32\svchost -k DcomLaunch
Service: Dhcp C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Dnscache C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: ERSvc C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Eventlog C:\WINDOWS\system32\services.exe (108544 0e776ed5f7cc9f94299e70461b7b8185)
Service: EventSystem C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: EvtEng C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (114753 44a95584057c2cfda9dff328232e123
Service: HTTPFilter C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: IBMPMSVC C:\WINDOWS\system32\ibmpmsvc.exe (36136 35d08de36eb85f66731b7808768d512c)
Service: IPSSVC C:\WINDOWS\system32\IPSSVC.EXE (108080 00d8e9daebe72a5df3986fd418a995eb)
Service: Irmon C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: lanmanserver C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: lanmanworkstation C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: LmHosts C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: mozybackup C:\Program Files\MozyHome\mozybackup.exe (87344 4ad0f23c07847894dbb13314e318ea4
Service: MSIServer C:\WINDOWS\system32\msiexec.exe (78848 5879d691e842574a20fe63817cb76df9)
Service: Netman C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Nla C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: PlugPlay C:\WINDOWS\system32\services.exe (108544 0e776ed5f7cc9f94299e70461b7b8185)
Service: PolicyAgent C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
Service: ProtectedStorage C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
Service: RasAuto C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: RasMan C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: RegSrvc C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (217164 99ba5c9e9e59db26180fecfc1efe7b47)
Service: RpcSs C:\WINDOWS\system32\svchost -k rpcss
Service: S24EventMonitor C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (540745 4dc83ba53b8c42839a32b108b9e8c145)
Service: SamSs C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
Service: Schedule C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: seclogon C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: SENS C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: SharedAccess C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: ShellHWDetection C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Spooler C:\WINDOWS\system32\spoolsv.exe (57856 d8e14a61acc1d4a6cd0d38aebac7fa3b)
Service: SSDPSRV C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: stisvc C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: SUService c:\program files\lenovo\system update\suservice.exe (32768 f08e3e3a22e170b1e4f77add1d1cd171)
Service: TapiSrv C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: TermService C:\WINDOWS\System32\svchost -k DComLaunch
Service: Themes C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: ThinkVantage Registry Monitor Service C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (644408 9626746a9b120d2ed537dd8d76278405)
Service: TPHDEXLGSVC System32\TPHDEXLG.exe
Service: TpKmpSVC C:\WINDOWS\system32\TpKmpSVC.exe (32768 dfb268ff0a6dcb9280015ff527f892ff)
Service: TrkWks C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: TSSCoreService C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe (722480 1f7ccced8d0e539dc80fcd8db2ca0b0c)
Service: TVT Backup Service C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe (1384448 495516af335599927bcbf446fbcb4be4)
Service: TVT Scheduler C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (1122304 e9ea448f1174be4052416b62263ea4ee)
Service: upnphost C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: W32Time C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: WebClient C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: winmgmt C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe (**3408 f74e3d9a7fa9556c3bbb14d4e5e63d3b)
Service: wscsvc C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: wuauserv C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: WZCSVC C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1

O2 - BHO: (IE7Pro BHO) - {00011268-e188-40df-a514-835fcd78b1bf} - C:\Program Files\IEPro\iepro.dll (736360 80b3c5494cfd157996886da629cfa2f9)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (59032 4ea3a6cd9d20584ffafdb1e47dbf0e20)
O2 - BHO: (DriveLetterAccess) - {5ca3d70e-1895-11cf-8e15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (110652 d730dff2df12cd1a30a4186a12c60322)
O2 - BHO: (CoIEPlg.CoIEPlgObj) - {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll (316784 6bc066fcc66bb0ee33a618ebc65683d5)
O2 - BHO: (Symantec Intrusion Prevention) - {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (116088 fa3e00177b57d5b2bf058d560931d750)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL (2210608 786dd1892b553efe5a004ac39775c851)
O2 - BHO: (no name) - {7e853d72-626a-48ec-a868-ba8d5e23e045} -
O2 - BHO: (Windows Live 登入小幫手) - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (328752 59cf5bf6684afcf906cadad39b4214de)
O2 - BHO: (Mouse Gestures) - {a6a49249-57ae-4295-8d4d-18a9502c7d8e} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll (376832 f9e933c8dd36c849543a3ad870a5fa03)
O2 - BHO: (Windows Live Toolbar Helper) - {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files\Windows Live Toolbar\msntb.dll (546320 cee1be1da21300208d07fbeae9ea2b51)

O3 - Toolbar: Windows Live Toolbar {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files\Windows Live Toolbar\msntb.dll (546320 cee1be1da21300208d07fbeae9ea2b51)
O3 - Toolbar: 顯示 Norton 工具列 {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (316784 6bc066fcc66bb0ee33a618ebc65683d5)

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (122880 125481afa36d3e3ab44e3d745dba05eb)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (524288 65eb543efeb395ddf4e0bb764de089d0)
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (868352 ac4dbf4b495bd25f6c9b9f55da640420)
O4 - HKLM\..\Run: [TpShocks] C:\WINDOWS\system32\TpShocks.exe (181536 686cd234bf4b816291a858782c71269b)
O4 - HKLM\..\Run: [TP4EX] C:\WINDOWS\system32\tp4ex.exe (65536 38f143a10a8e723026499041501b9563)
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe (243248 3280a362fec14ebc0791f6af548c88e3)
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (66928 31ccbe6b693b9dfdd914c3e20be25374)
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (716800 81a5a2ca780340784969d2edcab0800f)
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe (144728 7146df9479dc9f98770dd5ba69e3e679)
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE (122940 3c2d6a88715f7426102b2ac2b1f9cbcb)
O4 - HKLM\..\Run: [cssauth] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe (1996336 6902f7c3cf78150d7900cb5c13015a06)
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe (4**52 c997e2accd65259e49875f4d4ba80733)
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (425984 de17c87e63b4a542a21114167c780e2e)
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (126976 cf897e774d1af68528c8995335fddc76)
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [IBM Warranty Notification] C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe (106496 da1dc95523484ae608853ac282b85265)
O4 - HKLM\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (31016 38d198a2dd54a67120040566a38103ba)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (51048 e67200b6ef51bbf60c14c64d60fad482)
O4 - HKLM\..\Run: [osCheck] C:\Program Files\Norton Internet Security\osCheck.exe (714608 **535a86f6bd48baccc3d58e6653456a)
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (185896 89d583fc41d48328128a974c25afaeb7)
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (487424 58c27ebbbeb67a26484a1c50909c002c)
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe (124248 33d95edeef56ec73abd6a8bf76426f04)
O4 - HKLM\..\Run: []
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (90112 033ff248550305ed52ed2d2844a8a11b)
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (59680 7a777a863431ed9a32d980448be9382a)
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (**688 78374c795b65347220250f15186b5c67)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (925696 115332a83ac2726fa974d30db4bfd8de)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (15360 5f1d5f88303d4a4dbc8e5f97ba967cc3)
O4 - HKCU\..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\Wcescomm.exe (1289000 5515eb5e3a8b073f66cfc697eb0d4b55)
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe (9442584 23d7b8c29b86861e9dcba0cbbc5da4d1)
O4 - HKCU\..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (5724184 bbfba2c7d867d11669ff6ae775f0dd09)
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (1695232 3e930c641079443d4de036167a69caa2)
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (204288 7eaed08ccca4ddde61a388c82598cfa9)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [PostBootReminder] C:\WINDOWS\system32\SHELL32.dll (8461312 0cf50b1f45dab08430c1dbb79fe2ca5b)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [CDBurn] C:\WINDOWS\system32\SHELL32.dll (8461312 0cf50b1f45dab08430c1dbb79fe2ca5b)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [WebCheck] C:\WINDOWS\system32\webcheck.dll (233472 963362c552a52bf5a9885e8f68703c07)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [SysTray] C:\WINDOWS\system32\stobject.dll (121856 50512fc9b7878e3c2c147bc17326a7db)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [WPDShServiceObj] C:\WINDOWS\system32\WPDShServiceObj.dll (133632 045e228f71c31901084b64be59093499)
O4 - HKLM\..\Run: [dlxdyc.exe] C:\WINDOWS\system32\dlxdyc.exe (38502 35ba35dec433e42bd3a495**1762ab32)
O4 - HKLM\..\Run: [xgsslm.exe] C:\WINDOWS\system32\xgsslm.exe (38502 35ba35dec433e42bd3a495**1762ab32)


O16 - DPF: (Microsoft XML Parser for Java)- file://C:\WINDOWS\Java\classes\xmldso.cab
O16 - DPF: {08b0e5c0-4fcb-11cf-aaa5-00401c608500} (Microsoft VM)- http://games.hinet.net/webgame/manual/msjavx86.exe
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class)- http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab - C:\WINDOWS\Downloaded Program Files\as2stubie.inf (289 111437964545dc8e4bd0585ba7bc06ed)
O16 - DPF: {2dad3559-2923-4935-ad49-b673d2539944} (IASRunner Class)- https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {3ac7f64e-6154-47b0-82b5-764ed4077f77} (DataStorage Class)- http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class)- http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168300187046
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Plug-in 1.4.2)- http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll (77824 31cfe610fd747b4515213db2409d6c9f)
O16 - DPF: {8ffbe65d-2c9c-4669-84bd-5829dc0b603c} - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {cafeefac-0014-0002-0000-abcdeffedcba} (Java Plug-in 1.4.2)- http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll (77824 31cfe610fd747b4515213db2409d6c9f)
O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object)- http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {d91afab8-165a-11d6-b481-00b0d03f6d12} (rtf.rtfControl)- http://www.med.hku.hk/ideal/include/rtfControl.cab

020 - HKLM\..\Notify: [ACNotify] C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll (32768 210da66ca4d2579e9220b1a8e57f8681)
020 - HKLM\..\Notify: [AtiExtEvent] C:\WINDOWS\system32\Ati2evxx.dll (122880 d74301954d86528a08d65c98c8017939)
020 - HKLM\..\Notify: [crypt32chain] C:\WINDOWS\system32\crypt32.dll (599040 bdaaf79dd63f194434d31a74b9bb8b77)
020 - HKLM\..\Notify: [cryptnet] C:\WINDOWS\system32\cryptnet.dll (64512 c14350fc0d47d806699c4f907fc6785b)
020 - HKLM\..\Notify: [cscdll] C:\WINDOWS\system32\cscdll.dll (101888 515a7fae2070c2b0242b2353443e2f11)
020 - HKLM\..\Notify: [dimsntfy] C:\WINDOWS\System32\dimsntfy.dll (19456 e2092f0a1d7abc243f9c2362483d150d)
020 - HKLM\..\Notify: [NavLogon]
020 - HKLM\..\Notify: [ScCertProp] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e1264**96)
020 - HKLM\..\Notify: [Schedule] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e1264**96)
020 - HKLM\..\Notify: [sclgntfy] C:\WINDOWS\system32\sclgntfy.dll (20480 63ff9068e5bda0bc9ecd38fbbb216e24)
020 - HKLM\..\Notify: [SensLogn] C:\WINDOWS\system32\WlNotify.dll (92672 2cc34e8bb667eef78899546e1264**96)
020 - HKLM\..\Notify: [termsrv] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e1264**96)
020 - HKLM\..\Notify: [tpfnf2] C:\Program Files\Lenovo\HOTKEY\notifyf2.dll (34344 0c3e484bf4aec2749a9f4d0a91870780)
020 - HKLM\..\Notify: [tphotkey] C:\Program Files\Lenovo\HOTKEY\tphklock.dll (28672 451cd42b003ab6a04346db4abc624717)
020 - HKLM\..\Notify: [WB] C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll (24576 9f884c45f10aaee442d4370ba90a1f89)
020 - HKLM\..\Notify: [WgaLogon] C:\WINDOWS\system32\WgaLogon.dll (236928 d7dcfb4d0c58ffb569de93e1681fd37a)
020 - HKLM\..\Notify: [wlballoon] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e1264**96)


I've also posted this in Techsupportforum and I'll update you all if I received any updates from there. Once again thank you in advance.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Blocked Autorun

by jameswesleycheng In reply to OK then you need somethin ...

Thanks... so that means I'll have to stagger on until I head back to Hong Kong and get my disk.

Yeh it has a recovery partition.

Process Explorer could block the processes the virus opens, while Sophos identifed the virus without being able to eliminate it. Couldn't open autorun though.


(This would have been so much easier if I were at home - just backup and wipe everything out... most of the time no need to see what the heck is happening... but no point in complaining here)

I searched one of the processes sophos found and here's a review from search expert. Basically this process disables safemode...

http://72.14.235.104/search?q=cache:0vc3FeldeAgJ:www.threatexpert.com/report.aspx%3Fuid%3Da9c6be3b-481b-4414-8f90-9655c3bb2dd1+muwdcwm&hl=en&ct=clnk&cd=1

And I guess the registry changes disabled all my antivirus and stuff?

Collapse -

Call IBM

by shhite In reply to OK then you need somethin ...

Why dont you call IBM and see if you can get another recovery disk for your computer. It might not be free but should be worth the cost so you don't have to fight with the computer until august.

Collapse -

PROGRESS, FINALLY, Regedit back up, Browser no longer auto-closes

by jameswesleycheng In reply to OK then you need somethin ...

Okay I guess I'll give that a try as a last resort... Thanks for the suggestion though.. hehe

Btw. I tried indigenously renaming some antivirus files and it could run after that... lemme test the effects now.


Edit:

Made some progress, renamed files and changed registry using autorun,
There was a Debugger = "ntsd -d" for all files mentioned here: http://www.threatexpert.com/report.aspx?uid=a9c6be3b-481b-4414-8f90-9655c3bb2dd1

Edit2: Blocked the virus processes that started in startup and blocked regedit using autoruns, then deleted the registry stuff.

Got Norton back up.

Got bold and reentered all the deleted stuff/modified stuff in the registry - first time I dared myself to do that.. see how desperation changes a man.. hehe

Should be fine now.. I'll keep you posted.

Collapse -

Can you try this

by Jacky Howe In reply to Safemode, Norton Hijackth ...
Collapse -

Whoops.. replied to wrong topic

by jameswesleycheng In reply to Can you try this

But yeh, solved the problem except the overheating problem, ran a few more scans to verify that. But the blue-screen crash still persists though - I guess it's because of overheating?

Collapse -

Can you

by Jacky Howe In reply to Whoops.. replied to wrong ...

PM me your Minidump files. Check below for instructions.

Minidump Files can be found here. C:\WINDOWS\Minidump\Mini122707-02.dmp

My Computer, Properties, Advanced, Startup and Recovery and untick Automatically restart. While you are there make sure that Small memory dump (64 KB) is selected and the output is %SystemRoot%\Minidump. The Blue Screen will dump the Minidump file.

Collapse -

I would really suggest that you invest in a Cool Pad

by OH Smeg Moderator In reply to Whoops.. replied to wrong ...

Personally I don't sell a NB and offer any Guarantee above the makers without one being used. In every case where I sell a Cool Pad and it is used there just are not any problems with the NB sucking in dust and other junk blocking the airways and no chance of the NB picking up anything on the desk blocking the airways. I have not had a single case of Overheating in any NB that I sell with a Cool Pad and now my clients are buying their own for any NB's that I haven't supplied them as they have much better results.

Col

Collapse -

Okies

by jameswesleycheng In reply to I would really suggest th ...

I'll scout for one this weekend =)

Thanks

Collapse -

Along with some excellent advice from OH Smeg

by Jacky Howe In reply to Safemode, Norton Hijackth ...

Can you check the location of these two files and see if they are legitimate. Update all of your Motherboard Device Drivers.ie: Video and Chipset.


intelppm.sys


The process Processor Device Driver belongs to the software Microsoft? Windows? Operating System or Intel Processor Driver by Microsoft Corporation (www.microsoft.com).


Description: intelppm.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 36096 bytes (90% of all occurrence), 39424 bytes.
The driver can be started or stopped from Services in the Control Panel or by other programs. The program has no visible window. The file is a trustworthy file from Microsoft.


Important: Some malware camouflage themselves as intelppm.sys, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the intelppm.sys process on your pc whether it is pest.


NDIS.sys


The process NDIS 5.1 wrapper driver or NDIS 6.0 wrapper driver belongs to the software Microsoft? Windows? Operating System or NDIS System Driver by Microsoft Corporation (www.microsoft.com).


Description: File NDIS.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 182**2 bytes (88% of all occurrence), 167552 bytes, 500840 bytes, 182528 bytes, 266500 bytes.
The driver can be started or stopped from Services in the Control Panel or by other programs. The file is a Windows core system file. The program is not visible. It is a Microsoft signed file. The service has no detailed description. NDIS.sys seems to be a compressed file. Therefore the technical security rating is 1% dangerous, however also read the users reviews.


Important: Some malware camouflage themselves as NDIS.sys, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the NDIS.sys process on your pc whether it is pest.


pifCrawl.exe


Appears to be part of Norton.


ati2mtag.sys


driver from ATI Technologies Inc

Collapse -

Hmm...

by jameswesleycheng In reply to Along with some excellent ...

intelppm.sys: 36352 bytes
ndis.sys: 182656 bytes

Doing a driver update now. What sohuld I do about the NDIS.sys?

Related Discussions

Related Forums