I have tried to get rid of this on my desktop for two weeks now. The main problem: the screen (and mouse) shuts down on startup. Earlier the screen shut down during gaming etc. The Start menu disappeared one time.
The only way to start the computer now is safe mode (after using the Vista CD). The Vista CD does not report any malfunction when checking start-up. The problem was fixed for a while during my 2 weeks of nightmare when using System Restore, but it kept coming back, sometimes after several days. The Nvidia software keeps uninstalling itself. It was running fine for a while when I disabled the secondary screen (TV) in the software.
I have tried numerous antivirus scanners. If I remember correctly, my problems started when I switched from AVAST (free Edition) to Microsoft Essentials. I have now bought WEBROOT.
ESET online scanner finds JS/fraud.NAB and Win32/agent FQRCZBA.
WEBROOT finds Troj/JavaDI-V - ClsLdr-x
I have disabled my external hard drive now, as I suspected it was infected.
Here is my system info and log.
##### System Information #####
OS: Windows Vista (TM) Home Premium Service Pack 2 (6.00.6002)
DirectX: 9.0c
CPU name: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+
CPU speed: 2500MHz
Memory: 2048MB
Screen size: 1280x1024 (32bits)
Video card: Nvidia 9500GT
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 08:11:30, on 24.11.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Safe mode with network support
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://radarsync.netvibes.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Påloggingshjelp for Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Webroot Browser Helper Object - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\Program Files\Webroot\Security\current\products\WISC\toolbar\LPBar.dll
O2 - BHO: WRCommonBHO - {D93EC24D-8741-4D41-B83D-A5793B998416} - C:\Program Files\Webroot\Security\current\plugins\browserextension\WebrootBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\Program Files\Webroot\Security\current\products\WISC\toolbar\LPBar.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
O4 - HKLM\..\Run: [WPCUMI] "C:\Windows\system32\WpcUmi.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [WebrootTrayApp] "C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Vista Start Menu\VistaStartMenu.exe"
O4 - HKCU\..\Run: [Anonymizer Universal] C:\Program Files\Anonymizer\Anonymizer Universal\Anonymizer Universal.exe /hide
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')
O4 - Global Startup: SetPointII.lnk = ?
O9 - Extra button: Blogg dette - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogg dette i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - http://srtest-cdn.systemrequirementslab ... detect.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/ ... 0773474683
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0773414189
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5224867714
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/stati ... 0.27.0.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36243CB9-1FCB-4C0C-B7E5-BA3A4E6FD235}: NameServer = 10.9.8.7 10.9.8.7
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
--
End of file - 6875 bytes
Hi, here is my startup log as I see you ask for it a lot:
StartupList report, 24.11.2010, 10:28:19
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HiJackThis\HiJackThis.EXE
Detected: Windows Vista SP2 (WinNT 6.00.1906)
Detected: Internet Explorer v8.00 (8.00.6001.18975)
* Using default options
==================================================
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
SetPointII.lnk = ?
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Kernel and Hardware Abstraction Layer = "KHALMNPR.EXE"
WPCUMI = "C:\Windows\system32\WpcUmi.exe"
WebrootTrayApp = "C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe"
Windows Defender = %ProgramFiles%\Windows Defender\MSASCui.exe -hide
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Malwarebytes' Anti-Malware = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sidebar = "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
VistaStartMenu = "C:\Program Files\Vista Start Menu\VistaStartMenu.exe"
Anonymizer Universal = C:\Program Files\Anonymizer\Anonymizer Universal\Anonymizer Universal.exe /hide
--------------------------------------------------
Shell & screensaver key from C:\Windows\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe
SCRNSAVE.EXE=C:\Windows\system32\Transparent Language.SCR
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
Webroot Browser Helper Object - C:\Program Files\Webroot\Security\current\products\WISC\toolbar\LPBar.dll - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504}
WRCommonBHO - C:\Program Files\Webroot\Security\current\plugins\browserextension\WebrootBHO.dll - {D93EC24D-8741-4D41-B83D-A5793B998416}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Anonymizer Universal Updates.job
GoogleUpdateTaskMachineCore.job
GoogleUpdateTaskMachineUA.job
--------------------------------------------------
Enumerating Download Program Files:
[CabBuilder]
CODEBASE = http://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
OSD = C:\Windows\Downloaded Program Files\OSDC5.OSD
[Facebook Photo Uploader 5 Control]
InProcServer32 = C:\Windows\Downloaded Program Files\PhotoUploader5.ocx
CODEBASE = http://upload.facebook.com/controls/200 ... oader5.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\Windows\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/ ... ontrol.cab
[{40F576AD-8680-4F9E-9490-99D069CD665F}]
CODEBASE = http://srtest-cdn.systemrequirementslab ... detect.cab
[DLM Control]
InProcServer32 = C:\Windows\DOWNLO~1\DownloadManagerV2.ocx
CODEBASE = http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
[MUCatalogWebControl Class]
InProcServer32 = C:\Windows\system32\MicrosoftUpdateCatalogWebControl.dll
CODEBASE = http://catalog.update.microsoft.com/v7/ ... 0773474683
[WUWebControl Class]
InProcServer32 = C:\Windows\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/windows ... 0773414189
[MUWebControl Class]
InProcServer32 = C:\Windows\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/microso ... 5224867714
[{7530BFB8-7293-4D34-9923-61A11451AFC5}]
CODEBASE = http://download.eset.com/special/eos/OnlineScanner.cab
[Battlefield Heroes Updater]
InProcServer32 = C:\Windows\Downloaded Program Files\BFHUpdater.dll
CODEBASE = https://www.battlefieldheroes.com/stati ... 0.27.0.cab
[WebSDev Control]
InProcServer32 = C:\PROGRA~1\MSI\MSIWDev\WebSDev.ocx
CODEBASE = http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/fl ... rashim.cab
[Shockwave Flash Object]
InProcServer32 = C:\Windows\system32\Macromed\Flash\Flash10l.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/s ... wflash.cab
[{E2883E8F-472F-4FB0-9522-AC9BF37916A7}]
CODEBASE = http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #2: C:\Windows\system32\napinsp.dll
NameSpace #3: C:\Windows\system32\pnrpnsp.dll
NameSpace #4: C:\Windows\system32\pnrpnsp.dll
NameSpace #5: C:\Windows\system32\wshbth.dll
Protocol #1: C:\Windows\system32\wpclsp.dll
Protocol #2: C:\Windows\system32\wpclsp.dll
Protocol #3: C:\Windows\system32\wpclsp.dll
Protocol #4: C:\Windows\system32\wpclsp.dll
Protocol #5: C:\Windows\system32\wpclsp.dll
Protocol #6: C:\Windows\system32\wpclsp.dll
Protocol #7: C:\Windows\system32\wpclsp.dll
Protocol #8: C:\Windows\system32\wpclsp.dll
Protocol #20: C:\Windows\system32\wpclsp.dll
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\Windows\System32\webcheck.dll
--------------------------------------------------
End of report, 7 777 bytes
Report generated in 0,031 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only