PC reboots in 60 seconds

ImInPCVirusHell - Mar 18, 2010 at 01:00 AM
Hello,
I have had a virus problem going on for over a week. The core of my problem is this: anytime I attempt to connect my PC to the internet, either via wireless or wired connection, I get a popup message stating "Windows has encountered a critical problem and will restart automatically in 1 minute. Please save your work now." Then 60 seconds later the PC reboots.

I have Vipre AV and AS installed on my PC. That scan is now clean (but did find stuff earlier in the week). I have tried Malwarebytes, UnHackMe and SuperAntiSpyware. All of them find things that the others don't (not sure why that is so).

Things I have noticed:

1. My Windows Firewall gets disabled after connecting to the www and then rebooting.
2. I am unable to successfully run windows update in that 1 minute window. Throws me an error about not being able to connect.
3. I am not able to successfully update Vipre during this 1 minute window. It's like something is shutting down all activity once this virus takes over when the www is accessible.
4. Malwarebytes continues to flag a file in the c:\windows\system32\drivers directory (yddfrxj.sys) and says it detected and cleaned it, but it never goes away. Also the timestamp on this file continually changes. Anytime I open Windows Explorer and look at this directory, the timestamp on this file is the current date and time. I am unable to rename or delete this file.

Any other ideas I can try?

jeff

5 responses

Ambucias (Moderator)
Mar 18, 2010 at 06:23 AM
Hello Jeff,

Please, let's try an in-depth analysis.

Please download and install HijackThis. It will give an indication of the processes and registry entries possibly associated with a virus.

From the welcome page, request a scan and save a log. Copy the log and paste it here.

Here is the link to HijackThis. Please download the beta version, thank you.

http://free.antivirus.com/hijackthis/
ImInPCVirusHell
Mar 18, 2010 at 08:16 AM
This is taken while I am NOT connected to the WWW.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:11:13 AM, on 3/18/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\mobsync.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://blackboard.matc.edu/webapps/login/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [kidulakaga] Rundll32.exe "govabifo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: gerimili.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\aestsrv.exe
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CLDTVHNService - Unknown owner - C:\Program Files\DIRECTV\DirecTV\Kernel\DMP\CLDTVHNService.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
Ambucias (Moderator)
Mar 18, 2010 at 10:40 AM
Hi Jeff,

I see you are from Canada, am I wrong?

Thank you for the log. I have not noticed any signs of malware, but I don't know what this is, perhaps you know: [kidulakaga] Rundll32.exe "govabifo.dll".

You are running Vipre and SuperAntiSpyware at the same time and, in my opinion, they will certainly conflict.

The c:\windows\system32\drivers file (yddfrxj.sys) flagged by Malwarebytes does not figure in the known virus lists.

I suggest that your Windows has been damaged. I therefore suggest that you attempt, in order:

1. Click Start, Run and type chkdsk for a check disk
2. Do a non-destructive system restore back to a date where your system worked properly
3. Insert your XP disk and choose the option to repair

Let me know

Regards
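Added example (not part of this thread and not HijackThis code): a short Python script that applies to a HijackThis log the checks a triager would otherwise do by eye on the entries discussed in these two posts. It flags Run values in the LOCAL SERVICE / NETWORK SERVICE hives (HKUS\S-1-5-19 and HKUS\S-1-5-20) that are not Vista's stock Sidebar / Welcome Center entries, rundll32 commands that load a DLL by bare file name (so the module is found through the DLL search order, not from a known path), a non-empty AppInit_DLLs value, and services whose publisher HijackThis could not determine. The sample input is a subset of the log posted above; the set of names treated as stock Vista values, the "suspicious" / "review" labels and the helper names are this example's own assumptions.

```python
"""Offline triage of a HijackThis log (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [kidulakaga] Rundll32.exe "govabifo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: gerimili.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CLDTVHNService - Unknown owner - C:\Program Files\DIRECTV\DirecTV\Kernel\DMP\CLDTVHNService.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
"""

# HijackThis line formats handled here (O4 Run values, O20 AppInit_DLLs, O23 services).
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^')]*)'?\))?$"
)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Hives of the two built-in service accounts; they never log on interactively,
# so a Run value there is rarely something the user installed.
SERVICE_HIVES = (r"HKUS\S-1-5-19", r"HKUS\S-1-5-20")
# Assumption of this example: Vista ships these two Run values in those hives.
STOCK_SERVICE_HIVE_VALUES = {"Sidebar", "WindowsWelcomeCenter"}


@dataclass
class Finding:
    severity: str                  # "suspicious" or "review"
    line: str                      # the HijackThis line that triggered it
    reason: str
    artifact: Optional[str] = None  # file name to hunt for on disk, if any


def is_bare(name: str) -> bool:
    """True when a module is given without a directory, i.e. resolved by search order."""
    return "\\" not in name and "/" not in name


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m["hive"], m["name"], m["cmd"]
            rd = RUNDLL_RE.search(cmd)
            dll = rd["dll"] if rd and is_bare(rd["dll"]) else None
            if hive in SERVICE_HIVES and name not in STOCK_SERVICE_HIVE_VALUES:
                reason = f"Run value [{name}] in service-account hive {hive}"
                if dll:
                    reason += f"; rundll32 loads {dll} by bare file name"
                findings.append(Finding("suspicious", line, reason, dll))
            elif dll and name not in STOCK_SERVICE_HIVE_VALUES:
                findings.append(Finding("review", line, f"rundll32 loads {dll} without a path", dll))
            continue
        m = APPINIT_RE.match(line)
        if m and m["dlls"].strip():
            # AppInit_DLLs is normally empty; anything listed is mapped into every
            # process that loads user32.dll, a classic injection point.
            for dll in re.split(r"[,\s]+", m["dlls"].strip()):
                findings.append(Finding("suspicious", line,
                                        f"AppInit_DLLs loads {dll} into every user32 process", dll))
            continue
        m = SERVICE_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append(Finding("review", line,
                                    f"service {m['name']} has no publisher recorded; check the "
                                    f"signature of {m['path']}",
                                    m["path"].rsplit("\\", 1)[-1]))
    return findings


def artifacts(findings: List[Finding], severity: str = "suspicious") -> List[str]:
    """File names worth locating on disk, deduplicated and sorted."""
    return sorted({f.artifact for f in findings if f.artifact and f.severity == severity})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print("hunt for:", artifacts(results))
```

On the log above this yields two "suspicious" findings (the [kidulakaga] value loading govabifo.dll from the LOCAL SERVICE hive, and gerimili.dll in AppInit_DLLs) and one "review" item (the DIRECTV service with no publisher). The artifact list is what to look for on the disk, and the randomly named driver the poster mentions (yddfrxj.sys) is not in a HijackThis log at all, which is why a rootkit scanner was the tool that finally found it.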
ImInPCVirusHell
Mar 19, 2010 at 12:46 AM
Ambucias -

I am actually located in the US.

I ran GMER which allowed me to stop the service for that yddfrxj.sys file and it is now off my system and I no longer have to reboot when connected to the internet.

That's the good news. Bad news is system is painfully slow at times and I got a couple BSOD's today. I will try to run chkdsk and see what it finds, if anything.

I also thought [kidulakaga] Rundll32.exe "govabifo.dll" looked suspicious. Not sure what it is.

I also uninstalled SuperAntispyware. I was getting desperate and trying anything I could find to help. I have a paid subscription for Vipre, so I am sticking with that. They are also working with me to resolve.

I will report back on the chkdsk if something screwy appears.

Jeff
Ambucias (Moderator)
Mar 19, 2010 at 05:57 AM
Hello Jeff,

I thought you were from Canada because of Intuit based in Calgary, Alberta.

Glad you were able to stop the service yddfrxj.sys which permitted your system to regain some life back.

A slow system is often due to excessive RAM consumption, which may be caused by too many applications running in the background and spyware.

Here are some suggestions which I strongly recommend to you.

From my recent research,

O4 - HKUS\S-1-5-19\..\Run: [kidulakaga] Rundll32.exe "govabifo.dll",s (User 'LOCAL SERVICE')

Is signaled as a Trojan of the Vundo, Virtumonde type.

1. Rerun HijackThis, only a scan; after the scan, check mark:
O4 - HKUS\S-1-5-19\..\Run: [kidulakaga] Rundll32.exe "govabifo.dll",s (User 'LOCAL SERVICE')

2. Click on Fix checked (no need to worry, HijackThis always makes a backup).

3. Download and Install Spybot Search and Destroy

https://ccm.net/downloads/security-and-maintenance/4561-spybot-search-destroy/

During the installation process you will be given some options on components, uncheck "Tea Timer" which has real time scanner which may interfere with Vipre, you don't need it.

4. Run a scan with Spybot and delete the items found.

5. To ensure that only necessary applications start at boot time, download, install and run StartupLite, just follow the prompts.

https://www.malwarebytes.com/mwb-download/

6. Once your computer is clean and working normally just to be on the safe side
*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.

I am pretty sure that the above will work for you.

I appreciate your feedback.