Ghost in the machine: Help me out with this!

Status
Not open for further replies.

speedyguy

Cyborg Agent
Well, it's certainly a virus, but I'm not sure. I just got back home for vacation and observed my system rebooting on its own randomly... especially while doing some task like copying, decoding, playing media, etc., and at times even while uploading or downloading something from the net. Is it a hardware problem, or am I infected here? I'm not too sure...

Some more observations are that after rebooting it runs ScanDisk and finds errors in temp folders... usually stuff where I was working before it restarted... at times it says the file size is unknown or not valid, or blah blah....

Please help me out with this.... I've just formatted my D (XP SP2) drive about 5 days back and I'm facing the same.... I'm using Airtel GPRS and my local intranet dial-up connection... my system is Win XP SP2, 512 MB, P4 1.8 GHz...

Thanks

Enjoy~!
 

~Phenom~

The No.1 Stupid
First use Check Disk with the options to fix problems, to fix errors on your C drive, then:
1. check your RAM
2. clean your system with CCleaner and TuneUp Utilities
3. scan with McAfee or another good AV.

Your problem should be solved.
 
speedyguy

Cyborg Agent
The main problem is I don't get that much time to do so... it shouldn't be (I guess) a hardware issue, because it reboots only on OS operations... I gave some thought to CPU cooling but I'm not too sure about it... anyway, I will open it up today and clean my modules and CPU fans etc....

I tried chkdsk; it did correct some errors, but the problem started again the next time I booted into XP... and if I try to scan with Norton it reboots again... it's rebooting randomly... especially on some operations, as mentioned...

One more observation is that in ScanDisk after the reboot it usually finds errors in temp files... like Temp Internet\ie.***** is cross-linked... link resolved by copying... or the file is truncated or something, I don't remember exactly... is it still a hardware issue... should I re-format it all, as I just did it 6 days back... any other way out....

@vishal_gupta: can you please be precise about what to do for the HijackThis log.

Thanks,
Enjoy~!
__________
@vishal_gupta: OK, sorry, but now I got what you want... this is my HijackThis logfile...


Logfile of HijackThis v1.99.1
Scan saved at 2:48:41 PM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\OfcpfwSvcs.exe
D:\WINDOWS\system32\RunDll32.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\wuauclt.exe
D:\DOCUME~1\AbhinaV\LOCALS~1\Temp\Rar$EX00.235\HijackThis.exe
D:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = *in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *in.rediff.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = *in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 144.0.1.231:80
R3 - URLSearchHook: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\Rediff Toolbar\2.0\redifftoolbar.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - D:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: XBTBPos00 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - D:\PROGRA~1\REDIFF~2\2.0\REDIFF~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - D:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\Rediff Toolbar\2.0\redifftoolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [OfcpfwSvcs.exe] D:\WINDOWS\system32\OfcpfwSvcs.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - D:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - D:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\Rediff Toolbar\2.0\redifftoolbar.dll
O9 - Extra 'Tools' menuitem: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\Rediff Toolbar\2.0\redifftoolbar.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - *pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {BADA82CB-BF48-4D76-9611-78E2C6F49F03} (BolDownloader Control) - *messenger.rediff.com/newbol/Bol.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{4887D11D-6233-4B6D-B726-3246B7C95D35}: NameServer = 144.0.27.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{4887D11D-6233-4B6D-B726-3246B7C95D35}: NameServer = 144.0.27.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{4887D11D-6233-4B6D-B726-3246B7C95D35}: NameServer = 202.56.230.5 202.56.230.6
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
 

Vishal Gupta

Microsoft MVP
Fix these:

Code:
D:\WINDOWS\system32\OfcpfwSvcs.exe
R3 - URLSearchHook: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\Rediff Toolbar\2.0\redifftoolbar.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 144.0.1.231:80
O3 - Toolbar: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\Rediff Toolbar\2.0\redifftoolbar.dll
O4 - HKLM\..\Run: [OfcpfwSvcs.exe] D:\WINDOWS\system32\OfcpfwSvcs.exe
O9 - Extra button: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\Rediff Toolbar\2.0\redifftoolbar.dll
O9 - Extra 'Tools' menuitem: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\Rediff Toolbar\2.0\redifftoolbar.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4887D11D-6233-4B6D-B726-3246B7C95D35}: NameServer = 144.0.27.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{4887D11D-6233-4B6D-B726-3246B7C95D35}: NameServer = 144.0.27.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{4887D11D-6233-4B6D-B726-3246B7C95D35}: NameServer = 202.56.230.5 202.56.230.6
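To make a log like the one posted above easier to work through, here is an added Python example (not code from the thread, from HijackThis or from any poster) that parses the R/O entry lines into (section, body) records and pulls out the settings the replies concentrate on: the ProxyServer value, the O17 NameServer addresses, the O4 Run entries and O23 services with an unknown owner. The sample lines are copied from the posted log; the choice of categories and the public/private resolver split are the editor's assumptions, not anything HijackThis itself reports.

```python
import re
from ipaddress import ip_address

# Constructed sample: seven lines copied from the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 144.0.1.231:80
R3 - URLSearchHook: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\Rediff Toolbar\2.0\redifftoolbar.dll
O4 - HKLM\..\Run: [OfcpfwSvcs.exe] D:\WINDOWS\system32\OfcpfwSvcs.exe
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4887D11D-6233-4B6D-B726-3246B7C95D35}: NameServer = 144.0.27.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{4887D11D-6233-4B6D-B726-3246B7C95D35}: NameServer = 202.56.230.5 202.56.230.6
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")   # "R1 - ..." / "O17 - ..."
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")  # O4 "[name] command"


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Collect the entry types the replies in the thread single out for review."""
    report = {"proxy": [], "nameservers": [], "run_entries": [], "unknown_owner_services": []}
    for section, body in entries:
        if section in ("R0", "R1") and ",ProxyServer = " in body:
            report["proxy"].append(body.split(" = ", 1)[1])
        elif section == "O17" and "NameServer = " in body:
            for ip in body.split("NameServer = ", 1)[1].split():
                if ip not in report["nameservers"]:      # de-duplicate across CCS/CS1/CS2
                    report["nameservers"].append(ip)
        elif section == "O4":
            m = RUN_RE.search(body)
            if m:
                report["run_entries"].append((m.group("name"), m.group("cmd")))
        elif section == "O23" and " - Unknown owner - " in body:
            report["unknown_owner_services"].append(body.rsplit(" - ", 1)[1])
    # Resolvers outside private address space are worth confirming against the ISP's
    # documented DNS servers; a resolver the user did not set is what the O17 section is for.
    report["public_nameservers"] = [ip for ip in report["nameservers"]
                                    if not ip_address(ip).is_private]
    return report
```

Run `triage(parse_hjt(SAMPLE_LOG))` to get the four lists plus the public-resolver subset; the real log would be read from the saved HijackThis text file instead of the embedded sample.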
 
speedyguy

Cyborg Agent
Well, I can't figure out how to do that; can you please explain.... And anyway, I'm going to format it again... just asking if I'll require it again... got some time, so advice is still welcome..

Thanks
Enjoy~!
 

anandk

Distinguished Member
OfcpfwSvcs.exe is a suspect... could be a malware trojan. Right-click and check up on its properties to see if it's a legit, known file. Else physically cut-paste it to another location and store (zip/rar) it, and see if any of your programs suffer. My guess is it would be safe to delete it; if required, use Delete Doctor to delete it.

As already suggested above:
clear up your PC junk with CCleaner.
scan your PC IN SAFE MODE with your AV and also AVG Anti-Spyware.
 
speedyguy

Cyborg Agent
Well, about OfcpfwSvcs.exe... I think you're right, because I've formatted my drive and reinstalled everything the same... now I don't have that process in my processes... so it can be... I'm afraid it might show up again, as I don't know where it originated from... maybe my iPod, pen drive or the net... because I've used my pen drives and iPod in lots of cafes and different servers in my college.... let's see... thanks guys

Enjoy~!
 
speedyguy

Cyborg Agent
Hi... welcome to Digit, zotarmit. Even I have Norton, but it never identified them... though I've kept it updated with definitions... anyway, you try all the above steps, as I won't suggest mine so early, because I had to format everything and reinstall all over again.... post your reply once you try it.... good luck

Enjoy~!
 