View Full Version : Crash



NZHawk
14-01-2010, 04:27 PM
Toshiba Satellite Pro L300
1Gb ram
Windows XP Pro
ran successfully for almost 2 hours scanning with SuperAntiSpyware,
removed infections
on the reboot got to the Windows windows - turned off
test of ram: turned off
Hirens PC Doctor: test CPU: passed
Hirens PC Doctor: test motherboard: crashed

boots: ok

currently updating & scanning with Spyware Terminator.

Can anyone help me understand why the notebook is crashing?
This type of crashing generally indicates an over-heat to me.

Any help would be greatly appreciated.

Speedy Gonzales
14-01-2010, 04:27 PM
What was it infected with? That's probably the cause

NZHawk
14-01-2010, 04:31 PM
This is from an Avast boot scan:
01/11/2010 12:23
Scan of all local drives

File C:\Documents and Settings\New user\desktop\Sue M7may09\Documents and Settings\Suzanne\Local Settings\Temp\UACe798.tmp is infected by Win32:Patched-KG [Trj], Deleted
File C:\Documents and Settings\New user\desktop\Sue M7may09\Documents and Settings\Suzanne\Local Settings\Temporary Internet Files\Content.IE5\VWUBB7V1\player[1].htm is infected by JS:Agent-CK [Trj], Deleted
File C:\Documents and Settings\New user\desktop\Sue M7may09\Program Files\Kazaa\kzscan.dll is infected by Win32:Trojan-gen, Deleted
File C:\Documents and Settings\New user\desktop\Sue M7may09\Program Files\VirusRanger\VirusRanger.exe is infected by Win32:MailBot-N [Trj], Deleted
File C:\Documents and Settings\New user\desktop\Sue M7may09\WINDOWS1\system32\drivers\UACtoirrfuxjdsbo rd.sys is infected by Win32:Alureon-AP [Rtk], Deleted
File C:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP140\A0034747.dll is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP140\A0034748.exe is infected by Win32:MailBot-N [Trj], Deleted
File F:\autoexec.exe is infected by Win32:Trojan-gen, Deleted
File F:\Documents and Settings\User\Application Data\CCenter\ccagent.exe is infected by Win32:Malware-gen, Deleted
File F:\Documents and Settings\User\Application Data\CCenter\ccmain.exe is infected by Win32:Malware-gen, Deleted
File F:\Documents and Settings\User\Application Data\SystemProc\lsass.exe is infected by Win32:Rootkit-gen [Rtk], Deleted
File F:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\AEAZ9OH7\dfghfghgfj[1].dll is infected by Win32:Trojan-gen, Deleted
File F:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\J0MC0KU0\update4303[1].exe is infected by Win32:Trojan-gen, Deleted
File F:\hiberfil.sys is infected by Int 13-512, Deleted
File F:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP140\A0034749.exe is infected by Win32:Trojan-gen, Deleted
File F:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP140\A0034750.exe is infected by Win32:Malware-gen, Deleted
File F:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP140\A0034751.exe is infected by Win32:Malware-gen, Deleted
File F:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP140\A0034752.exe is infected by Win32:Rootkit-gen [Rtk], Deleted
File F:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP140\A0034753.dll is infected by Win32:Trojan-gen, Deleted
File F:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP140\A0034754.exe is infected by Win32:Trojan-gen, Deleted
File F:\WINDOWS\system32\helper32.dll is infected by Win32:Trojan-gen, Deleted
File F:\WINDOWS\system32\smss32.exe is infected by Win32:Trojan-gen, Deleted
File F:\WINDOWS\system32\winlogon32.exe is infected by Win32:Trojan-gen, Deleted
Number of searched folders: 28541
Number of tested files: 308469
Number of infected files: 23

----------------------------------------
01/13/2010 16:26
Scan of F:\

File F:\Program Files\tdkmnbd\winchk.dll is infected by Win32:PureMorph [Cryp], Deleted
File F:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP141\A0034908.exe is infected by Win32:Zbot-MJB [Trj], Deleted
File F:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP141\A0034912.dll is infected by Win32:PureMorph [Cryp], Deleted
File F:\WINDOWS\system32\sdra64.exe is infected by Win32:Zbot-MJB [Trj], Deleted
Number of searched folders: 9693
Number of tested files: 89012
Number of infected files: 4

Also, SuperAntiSpyware found:
Trojan.DNSChanger-Codec
Trojan.Agent/Gen
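
Added example, not part of any post in this thread: a small Python parser for the Avast report format quoted above that groups detections by drive, by the `[Rtk]` tag, and by whether the file sat in a System Restore snapshot or in the live `WINDOWS\system32` directory. The function and variable names are hypothetical; the sample lines are a subset copied from the report.

```python
import re
from collections import Counter

# Subset of the Avast report lines quoted in the thread, plus one counter line.
SAMPLE = r"""
File C:\Documents and Settings\New user\desktop\Sue M7may09\Program Files\Kazaa\kzscan.dll is infected by Win32:Trojan-gen, Deleted
File C:\Documents and Settings\New user\desktop\Sue M7may09\WINDOWS1\system32\drivers\UACtoirrfuxjdsbo rd.sys is infected by Win32:Alureon-AP [Rtk], Deleted
File F:\Documents and Settings\User\Application Data\SystemProc\lsass.exe is infected by Win32:Rootkit-gen [Rtk], Deleted
File F:\System Volume Information\_restore{B1454770-AA00-4413-AC7F-3C398C9D335B}\RP140\A0034752.exe is infected by Win32:Rootkit-gen [Rtk], Deleted
File F:\WINDOWS\system32\smss32.exe is infected by Win32:Trojan-gen, Deleted
File F:\WINDOWS\system32\sdra64.exe is infected by Win32:Zbot-MJB [Trj], Deleted
Number of tested files: 89012
"""

# "File <path> is infected by <name> [<tag>], <action>"; the [tag] is optional.
LINE = re.compile(r"^File (?P<path>.+) is infected by (?P<name>.+?)"
                  r"(?: \[(?P<tag>\w+)\])?, (?P<action>\w+)$")
RESTORE = "\\System Volume Information\\_restore"
LIVE_SYS32 = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\", re.IGNORECASE)

def parse(report):
    """Return one dict per detection line; counter lines and blanks are skipped."""
    lines = (line.strip() for line in report.splitlines())
    return [m.groupdict() for m in map(LINE.match, lines) if m]

def triage(findings):
    """Group detections by where the file sat, which decides the follow-up."""
    out = {"by_drive": Counter(), "rootkit": [],
           "restore_point": [], "live_system32": []}
    for f in findings:
        path = f["path"]
        out["by_drive"][path[:2].upper()] += 1
        if f["tag"] == "Rtk":            # [Rtk] tag as it appears in the report
            out["rootkit"].append(path)
        if RESTORE in path:              # copy held in a System Restore snapshot
            out["restore_point"].append(path)
        elif LIVE_SYS32.match(path):     # top of a volume, not a backup folder
            out["live_system32"].append(path)
    return out

if __name__ == "__main__":
    result = triage(parse(SAMPLE))
    for key in ("rootkit", "restore_point", "live_system32"):
        print(key, len(result[key]))
    print(dict(result["by_drive"]))
```

The anchored `system32` match keeps the backup copy under `desktop\Sue M7may09\WINDOWS1` out of the live-system group, so only files removed from the scanned Windows installation itself are listed there.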

pctek
14-01-2010, 04:33 PM
What was it infected with? That's probably the cause

Yes. After scanning and cleaning with everything and if it won't boot even in safe mode, then it's trashed system files - do a repair install.

NZHawk
14-01-2010, 05:20 PM
Spyware Terminator found only 1:
Remove Invalid Startup Items
Deleted Registry : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NDSTray.exe
Closing System Restore Point

Driftwood
14-01-2010, 05:35 PM
Had you considered removing the hard drive & scanning it on another system?

NZHawk
14-01-2010, 05:36 PM
Done 1st thing
that is how I got the Avast report above.

Thank you

Driftwood
14-01-2010, 05:39 PM
Might need something stronger.

NZHawk
14-01-2010, 05:44 PM
Such as?
10lb hammer?

Speedy Gonzales
14-01-2010, 05:50 PM
If it's been infected by Alureon-AP, then atapi.sys has probably been screwed. It needs to be replaced. I guess that's what you get, if you use Kazaa

NZHawk
14-01-2010, 05:53 PM
I have done a chkdsk /r
Should I just copy this file from the install CD?

Speedy Gonzales
14-01-2010, 05:56 PM
Copy it from the PC you connected to if it's the same version of the file and the same version of Windows

NZHawk
14-01-2010, 05:57 PM
Thank you
Will do
anything else?

Driftwood
14-01-2010, 05:58 PM
Well you could try that but you might damage the hard drive.
Perhaps check it with a trojan remover or Malwarebytes.
MSSE seems to be better than Avast at finding things.
If none of that helps you are looking at reinstall I guess.
I'm no expert though.

Speedy Gonzales
14-01-2010, 06:01 PM
I would say atapi.sys is infected, which is the file that Windows needs. There's a similar post here a few days ago. The same worm or virus was on the system, it did the same thing

NZHawk
14-01-2010, 06:01 PM
Thank you!
Have already run Malwarebytes
will give TrojanRemover a run as well.

NZHawk
14-01-2010, 08:09 PM
I copied the file per suggestion.
I ran Trojan remover - nothing detected.

I just installed Glary Utilities & started to run the 1-Click Maintenance and the computer shut down.

Can anyone help me understand - why it crashed & suggest a solution.

NZHawk
14-01-2010, 08:37 PM
I am sorry, I need to go home now,

BUT

I truly am interested in anything anyone can contribute.
and I will access it 1st thing Friday morning.


Many thanks,
Good Nite.