PC cant SHUTDOWN,after Virus scan

mikael_schiffer · 13-08-2008, 09:57 AM

Yesterday night, i did a full System Scan through AVG Free and guess what, lots of Trojans were found. After removing the pests, my bro shut down the PC.

Guess what, IT CANT SHUT DOWN!

The PC automatically restarts.

And ever since that AVG scan, these two messages keep poping up whenever i start my PC.

This problem has really made everyone panic. After all, not being able to SHUT DOWN a PC s*cks. The only remedy for now is switching off the PC through UPS, by just cutting the power line.

SO is this Hardware related problem or software?

asdasd

afonofa · 13-08-2008, 07:02 PM

It's not a solution but you can try

Code:

start > run > cmd > ENTER > shutdown -s -f > ENTER

An HJT log will be useful to help you remove those error messages at startup and/or any other malware which AVG might have missed. Or you can search through the registry for those file names and delete the entries if you know what your doing.

The shutdown problem is most definitely software.

anandk · 13-08-2008, 09:04 PM

the malware does not appear to have been completely removed. rescan again with your av and an anti-spy in safe mode. run ccleaner. if reqd analyse your HJT log at www.hijackthis.de

mikael_schiffer · 13-08-2008, 10:49 PM

I have made a log of the HijackThis scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:56 PM, on 13-Aug-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\kek.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\mpxa.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wz5dcb\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7ECF8EC7-A121-416E-998B-C3F484F91DF9} - C:\WINDOWS\system32\jkkKccby.dll (file missing)
O2 - BHO: {ddacec84-3e24-e5aa-0644-2ffb767d9248} - {8429d767-bff2-4460-aa5e-42e348cecadd} - C:\WINDOWS\system32\wgxusw.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FFFB03AD-A461-4B99-9A23-D3B127D7C995} - C:\WINDOWS\system32\nnnmnOgE.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [295f164f] rundll32.exe "C:\WINDOWS\system32\idrqqvwe.dll",b
O4 - HKLM\..\Run: [BM2a6c25d3] Rundll32.exe "C:\WINDOWS\system32\vbiebwtg.dll",s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe
O4 - HKCU\..\Run: [kek] c:\WINDOWS\system32\kek.exe
O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{59ED37FF-65C6-48DF-A4B8-35A07D774830}: NameServer = 218.248.255.162 218.248.255.139
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nnnmnOgE - nnnmnOgE.dll (file missing)
O20 - Winlogon Notify: winwil32 - C:\WINDOWS\SYSTEM32\winwil32.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

WHAT TO DO NOW??

afonofa · 14-08-2008, 06:42 AM

Here's what I think must go:

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:56 PM, on 13-Aug-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\kek.exe
C:\WINDOWS\system32\mpxa.exe

O2 - BHO: (no name) - {7ECF8EC7-A121-416E-998B-C3F484F91DF9} - C:\WINDOWS\system32\jkkKccby.dll (file missing)

O2 - BHO: {ddacec84-3e24-e5aa-0644-2ffb767d9248} - {8429d767-bff2-4460-aa5e-42e348cecadd} - C:\WINDOWS\system32\wgxusw.dll (file missing)

O2 - BHO: (no name) - {FFFB03AD-A461-4B99-9A23-D3B127D7C995} - C:\WINDOWS\system32\nnnmnOgE.dll (file missing)

O4 - HKLM\..\Run: [295f164f] rundll32.exe "C:\WINDOWS\system32\idrqqvwe.dll",b

O4 - HKLM\..\Run: [BM2a6c25d3] Rundll32.exe "C:\WINDOWS\system32\vbiebwtg.dll",s

O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe

O4 - HKCU\..\Run: [kek] c:\WINDOWS\system32\kek.exe

O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe

O20 - Winlogon Notify: nnnmnOgE - nnnmnOgE.dll (file missing)
O20 - Winlogon Notify: winwil32 - C:\WINDOWS\SYSTEM32\winwil32.dll

It's best to disconnect from the internet till you get rid of this malware and exit all programs(even from system tray), close all open windows, except for your security software. But read through this, download the files required(or not) then disconnect from the net.

1. Turn off System Restore. My Computer > right click Properties > System Restore tab > check Turn off system restore on all drives > OK > answer Yes to the prompt.

2. In the task manager(Ctrl + Shift + Esc) under the processes tab, right click and end the processes kek.exe and mpxa.exe

3. Delete the files kek.exe and mpxa.exe from C:\Windows\system32 folder. You may have to do it in safe mode.

4. I'm unsure of mpt.exe. To be on the safer side, quarantine it in AVG but don't remove its entry from HJT. If quarantining it doesn't cause a problem, you can always remove its startup entry from HJT later. If you know what it is, then leave it be.

5. In task manager, if it's present, end the DriveGuard.exe process and uninstall WinDriveGuard from Control Panel > Add/Remove Programs(I doubt its that easy) so just delete the entire WinDriveGuard folder after ending the DriveGuard.exe process or delete the folder in safe mode.

6. For winwil32.dll, if you can't delete it in safe mode, you may have to use Process Explorer . This winwil32.dll may be what's causing the comp to restart instead of shutdown.
How to:
a. Start Process Explorer
b. In the upper pane, double click winlogon.exe to bring up its properties
c. In properties go to Threads tab, locate(select) every instance of winwil32.dll and hit the Kill button, click OK.
d. Do the same for finding(and killing) winwil32.dll in explorer.exe process and then close process explorer.
e. Try deleting winwil32.dll now.

7. Empty all the temporary folders, use CCleaner if you need to.

8. Do another HJT scan, and Select(place a tick mark) > Fix Selected for the following entries:

Code:

O2 - BHO: (no name) - {7ECF8EC7-A121-416E-998B-C3F484F91DF9} - C:\WINDOWS\system32\jkkKccby.dll (file missing)

O2 - BHO: {ddacec84-3e24-e5aa-0644-2ffb767d9248} - {8429d767-bff2-4460-aa5e-42e348cecadd} - C:\WINDOWS\system32\wgxusw.dll (file missing)

O2 - BHO: (no name) - {FFFB03AD-A461-4B99-9A23-D3B127D7C995} - C:\WINDOWS\system32\nnnmnOgE.dll (file missing)

O4 - HKLM\..\Run: [295f164f] rundll32.exe "C:\WINDOWS\system32\idrqqvwe.dll",b

O4 - HKLM\..\Run: [BM2a6c25d3] Rundll32.exe "C:\WINDOWS\system32\vbiebwtg.dll",s

O4 - HKCU\..\Run: [kek] c:\WINDOWS\system32\kek.exe

O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe

O20 - Winlogon Notify: nnnmnOgE - nnnmnOgE.dll (file missing)
O20 - Winlogon Notify: winwil32 - C:\WINDOWS\SYSTEM32\winwil32.dll

9. Copy and paste the following into notepad and save it as "WLN.reg" with the quotes so that it saves with .reg extension and not the default .txt extension of notepad. Double click the file and answer Yes to the prompt to merge it into the registry.

Code:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnmnOgE]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winwil32]

Reboot and post back how it goes. In 2-3 hours a lot more members on this forum will waking up, so expect more suggestions then.

mikael_schiffer · 14-08-2008, 05:23 PM

Dude, one problem --

According to your instructions--

Quote:

c. In properties go to Threads tab, locate(select) every instance of winwil32.dll and hit the Kill button, click OK.

and tried killing it

But whenever i try killing it, PC crashes to BSOD !! With the same BSOD screen i get when i shutdown my PC

Dude, i am really worried.

Moreover, i cant restart anymore. Whenever i shutdown or restart, the PC shutsdown with a BSOD message "System Shutdown"
Before i couldn't Shutdown, now i cant RESTART

I didnt understand this instruction of urs--

8. Do another HJT scan, and Select(place a tick mark) > Fix Selected for the following entries:

The items u gave in CODE are different form the log after i scanned with hijack
For eg- This line doesnt show in my log-
O2 - BHO: {ddacec84-3e24-e5aa-0644-2ffb767d9248} - {8429d767-bff2-4460-aa5e-42e348cecadd} - C:\WINDOWS\system32\wgxusw.dll (file missing)

The rundll messages are gone now.

The only problem now is the SHUTDOWN and restarting.

Why does the fatal error BSOD always come !!!

This si the BSOD message that appears--

STOP: c000021a (Fatal System Error)
The Windows Logon Process System process terminated unexpectedly with a status of 0xc0000005 (0x0000000 0x00000000). The system has been shut down.

cooldudie3 · 17-08-2008, 01:10 PM

I think the software for shutting down and restarting is eaten by a virus. You can try to shutdown by holding down power button on computer or pull the plug

but i recommend to reinstall the system because the system files are corrupted.