Badly Infected - Explorer keeps shutting down/rebooting [CLOSED] |
Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.
  |
 Jul 9 2007, 07:23 PM
Post
#1
|
|
|
Member  Posts: 19 OS: XP  |
My computer is badly infected with something. I've used as many tools as I can, some won't even work. Right now when I log on, the computer is extremely slow and then when loading it will shut down automatically when it is almost done loading. I can only get the computer to stay on in Safe Mode. My HiJackThis log is below. I wasn't able to get a copy of the Uninstall list, because hitting the "save" button closes HiJackThis, even in SafeMode. Please help. If I don't respond initially it is probably because I can't get the computer to work.... Logfile of HijackThis v1.99.1 Scan saved at 5:08:14 PM, on 7/9/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\CA\CA Internet Security Suite\casecuritycenter.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\caavGUIScan.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq R3 - URLSearchHook: (no name) - {769705C9-7E71-D9B3-D427-3479C65B8D5B} - NsCplTray.dll (file missing) R3 - URLSearchHook: (no name) - {5AC01E0D-A3E1-D81B-DA5B-D8C46A6688DE} - AppMasterCenter.dll (file missing) F2 - REG:system.ini: UserInit=userinit.exe N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\i97s2931.slt\prefs.js) O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\lmhkcpac.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Startup: explorer.exe O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: winlogin.exe O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183577737466 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1183577270325 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{015AD369-5858-4102-AB78-EB099AB24B01}: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CCS\Services\Tcpip\..\{C56FF7D1-1FC2-48ED-BEC6-BF751262F1B5}: NameServer = 85.255.116.89,85.255.112.204 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS1\Services\Tcpip\..\{015AD369-5858-4102-AB78-EB099AB24B01}: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\Sandisk\Sansa Updater\SansaSvr.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: VET Message Service (VetMsgNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing) |
 |
 
|
|
Jul 9 2007, 08:15 PM
Post
#2
|
|
 Trusted Helper  Posts: 1,990 OS: Windows XP |
Hello CedarCanoes,
Welcome to Geeks to Go! My name is Stamper19 and I will be helping you with your Malware problem. Please give me some time to look over your log. I will post back soon with instructions on how to proceed. |
|
|
|
|
Jul 9 2007, 08:47 PM
Post
#3
|
|
|
Member Posts: 19 OS: XP |
Thanks Stamper 19. Looking forward to all the help I can get.
|
|
|
|
|
Jul 10 2007, 06:32 AM
Post
#4
|
|
|
Trusted Helper Posts: 1,990 OS: Windows XP |
Hi CedarCanoe,
Lets get to work here. ---------------------------------------------------------------- Please download VundoFix.exe to your desktop
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. ---------------------------------------------------------------- Occasionally malware will hide itself from HiJack This. To make sure thats not happening, lets rename HiJack This and get a fresh log. Rename HijackThis.exe to H.exe.
---------------------------------------------------------------- Information to include in your next post:
|
|
|
|
|
Jul 10 2007, 04:19 PM
Post
#5
|
|
|
Member Posts: 19 OS: XP |
Missed your post before I went to work this morning.
I installed VundoFix in safe mode and and ran it. The computer rebooted, and I was scanning again with VundoFix when the computer shut down again. I rebooted in safe mode and ran VundoFix again, but I think there is still some stuff it couldn't remove. The log is here: Attempting to delete C:\windows\system32\wygwekqp.ini C:\windows\system32\wygwekqp.ini Has been deleted! Performing Repairs to the registry. Done! VundoFix V6.5.4 Checking Java version... Sun Java not detected Scan started at 4:49:32 PM 7/10/2007 Listing files found while scanning.... VundoFix V6.5.4 Checking Java version... Sun Java not detected Scan started at 4:58:58 PM 7/10/2007 Listing files found while scanning.... C:\windows\system32\ilnmp.ini C:\WINDOWS\System32\ilnmp.ini2 C:\WINDOWS\System32\pmnli.dll C:\WINDOWS\System32\vtsqn.dll C:\WINDOWS\system32\wvurpmk.dll Beginning removal... Attempting to delete C:\windows\system32\ilnmp.ini C:\windows\system32\ilnmp.ini Has been deleted! Attempting to delete C:\WINDOWS\System32\ilnmp.ini2 C:\WINDOWS\System32\ilnmp.ini2 Has been deleted! Attempting to delete C:\WINDOWS\System32\pmnli.dll C:\WINDOWS\System32\pmnli.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\wvurpmk.dll C:\WINDOWS\system32\wvurpmk.dll Could not be deleted. Performing Repairs to the registry. Done! And the new HiJackThis log after renaming it to "H" in safe mode again. Logfile of HijackThis v1.99.1 Scan saved at 5:09:10 PM, on 7/10/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Hijackthis\H.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq R3 - URLSearchHook: (no name) - {769705C9-7E71-D9B3-D427-3479C65B8D5B} - NsCplTray.dll (file missing) R3 - URLSearchHook: (no name) - {5AC01E0D-A3E1-D81B-DA5B-D8C46A6688DE} - AppMasterCenter.dll (file missing) F2 - REG:system.ini: UserInit=userinit.exe N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\i97s2931.slt\prefs.js) O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {18AD3CC7-DAD6-4329-8D00-1B45DFEEF1F6} - C:\WINDOWS\System32\pmnli.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5FC1E6B3-29B5-4789-955E-CC2C5B9B8E76} - C:\WINDOWS\System32\vtsqn.dll (file missing) O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\wvurpmk.dll O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dvoktcru.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: (no name) - {B45FC20D-6906-4E72-AA59-392CC61FDAA9} - C:\WINDOWS\system32\reginix86b.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xcnbgwuo.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Nathan.YOUR-PA86Z1I3G7.000\Desktop\vundofix.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 O4 - Startup: explorer.exe O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: winlogin.exe O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183577737466 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1183577270325 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{015AD369-5858-4102-AB78-EB099AB24B01}: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CCS\Services\Tcpip\..\{C56FF7D1-1FC2-48ED-BEC6-BF751262F1B5}: NameServer = 85.255.116.89,85.255.112.204 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS1\Services\Tcpip\..\{015AD369-5858-4102-AB78-EB099AB24B01}: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O20 - Winlogon Notify: dvoktcru - C:\WINDOWS\SYSTEM32\dvoktcru.dll O20 - Winlogon Notify: hgghebb - hgghebb.dll (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: lmhkcpac - C:\WINDOWS\SYSTEM32\lmhkcpac.dll O20 - Winlogon Notify: ownjikmr - C:\WINDOWS\SYSTEM32\ownjikmr.dll O20 - Winlogon Notify: pmnli - C:\WINDOWS\System32\pmnli.dll O20 - Winlogon Notify: vtsqn - C:\WINDOWS\System32\vtsqn.dll (file missing) O20 - Winlogon Notify: wvurpmk - C:\WINDOWS\SYSTEM32\wvurpmk.dll O20 - Winlogon Notify: xcnbgwuo - C:\WINDOWS\SYSTEM32\xcnbgwuo.dll O20 - Winlogon Notify: ynedvtnh - C:\WINDOWS\SYSTEM32\ynedvtnh.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\Sandisk\Sansa Updater\SansaSvr.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: VET Message Service (VetMsgNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing) |
|
|
|
|
Jul 10 2007, 08:40 PM
Post
#6
|
|
|
Trusted Helper Posts: 1,990 OS: Windows XP |
Hi CedarCanoe,
You have quite a Vundo infection here, to go along with some other possible infections as well. Lets see if we can't make some headway here. You should print out, or save these directions to a notepad file, as you will not be able to access this website when in safe mode. ---------------------------------------------------------------- First we need to download Killbox by Option^Explicit. Please download the Killbox by Option^Explicit and save it to your desktop. We will run this later. Note: In the event you already have Killbox, this is a new version that I need you to download. ---------------------------------------------------------------- Please download FixWareout from here: http://downloads.subratam.org/Fixwareout.exe Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead. Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log ---------------------------------------------------------------- Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O2 - BHO: (no name) - {18AD3CC7-DAD6-4329-8D00-1B45DFEEF1F6} - C:\WINDOWS\System32\pmnli.dll O2 - BHO: (no name) - {5FC1E6B3-29B5-4789-955E-CC2C5B9B8E76} - C:\WINDOWS\System32\vtsqn.dll (file missing) O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\wvurpmk.dll O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dvoktcru.dll O2 - BHO: (no name) - {B45FC20D-6906-4E72-AA59-392CC61FDAA9} - C:\WINDOWS\system32\reginix86b.dll O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xcnbgwuo.dll O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot O4 - Startup: explorer.exe O4 - Global Startup: winlogin.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{015AD369-5858-4102-AB78-EB099AB24B01}: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CCS\Services\Tcpip\..\{C56FF7D1-1FC2-48ED-BEC6-BF751262F1B5}: NameServer = 85.255.116.89,85.255.112.204 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS1\Services\Tcpip\..\{015AD369-5858-4102-AB78-EB099AB24B01}: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O20 - Winlogon Notify: dvoktcru - C:\WINDOWS\SYSTEM32\dvoktcru.dll O20 - Winlogon Notify: hgghebb - hgghebb.dll (file missing) O20 - Winlogon Notify: lmhkcpac - C:\WINDOWS\SYSTEM32\lmhkcpac.dll O20 - Winlogon Notify: ownjikmr - C:\WINDOWS\SYSTEM32\ownjikmr.dll O20 - Winlogon Notify: pmnli - C:\WINDOWS\System32\pmnli.dll O20 - Winlogon Notify: vtsqn - C:\WINDOWS\System32\vtsqn.dll (file missing) O20 - Winlogon Notify: wvurpmk - C:\WINDOWS\SYSTEM32\wvurpmk.dll O20 - Winlogon Notify: xcnbgwuo - C:\WINDOWS\SYSTEM32\xcnbgwuo.dll O20 - Winlogon Notify: ynedvtnh - C:\WINDOWS\SYSTEM32\ynedvtnh.dll Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. ---------------------------------------------------------------- Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present): WildTangent Please note any other programs that you dont recognize in that list in your next response ---------------------------------------------------------------- Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these FOLDERS (if present): C:\Program Files\WildTangent ---------------------------------------------------------------- Lets delete some ill mannered files.
If your computer does not restart automatically, please restart it manually to normal mode. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again. ---------------------------------------------------------------- Information to include in your next post:
|
|
|
|
|
Jul 11 2007, 06:40 PM
Post
#7
|
|
|
Member Posts: 19 OS: XP |
Well I think we made a little progress, because I don't get as many IE popup boxes, but still gettting some of the other pop warnings and still can't get the computer to run in normal mode. In chronological order here is what happened:
1) Ran the Fixwareout.exe in Safe mode; upon reboot (in normal) Fixware out started running again, but before completing, the system rebooted. So I don't have a "report.txt" to share. 2.) Ran the HiJackThis scan and checked the boxes that were present. I got an error message that it was unable to delete 04 Global Startup winlogin.exe 3.) Rebooted again into Safe mode and tried to remove Wild Tangent Channel Mixer, got an error that program may already been deleted. Would you like to remove from Programs list - selected yes Didn't recongize a bunch of files so I tried deleting some of those, but got the same error as above for the following: Atomic Pop Kuldox OuterInfo (this was a 406MB program) Python 2.2.1 Also removed Tiny Soft, but got a different error message. 4.) Ran Killbox.exe and got the PendingFileRenameOperations warning. 5.) Tried rebooting in Normal mode and while starting up a VundoFix box open, which I entered Removed Vundo on, the program ran to completion and prompted a reboot which I did. Rebooting in normal the computer shut down again. 6.) Rebooted in Safe mode and tried running Fixwareout.exe again, with the same result - upon rebooting in Normal mode Fixwareout starts but does not complete before the computer shuts down. 7. Rebooted in Safe mode ran HiJackThis and the report is below. Logfile of HijackThis v1.99.1 Scan saved at 7:24:29 PM, on 7/11/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\savedump.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Hijackthis\H.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...c02&lc=0409 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq R3 - URLSearchHook: (no name) - {769705C9-7E71-D9B3-D427-3479C65B8D5B} - NsCplTray.dll (file missing) R3 - URLSearchHook: (no name) - {5AC01E0D-A3E1-D81B-DA5B-D8C46A6688DE} - AppMasterCenter.dll (file missing) F2 - REG:system.ini: UserInit=userinit.exe N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\i97s2931.slt\prefs.js) O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {5068D10B-C5D8-4DEE-A505-1E0A7CD6F8D1} - C:\WINDOWS\System32\pmnli.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ujfismtl.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hsahesgv.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: winlogin.exe O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183577737466 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1183577270325 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O20 - Winlogon Notify: hsahesgv - C:\WINDOWS\SYSTEM32\hsahesgv.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: jomxlssn - C:\WINDOWS\SYSTEM32\jomxlssn.dll O20 - Winlogon Notify: ujfismtl - C:\WINDOWS\SYSTEM32\ujfismtl.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\Sandisk\Sansa Updater\SansaSvr.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: VET Message Service (VetMsgNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing) |
|
|
|
|
Jul 11 2007, 08:03 PM
Post
#8
|
|
|
Trusted Helper Posts: 1,990 OS: Windows XP |
Hi CedarCanoe,
Good job working through the previous fix. From the sound of things, it wasnt easy. We did make some progress, but this infection is rather stubborn, so we have more work to do. I am glad to hear that the pop-ups have cooled off a little bit. Lets continue on. You should print out, or save these directions to a notepad file, as you will not be able to access this website when in safe mode. ---------------------------------------------------------------- Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these SHORTCUTS (if present): C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe Please note that winlogin.exe is the entry that HiJack This was unable to delete. Here we are trying to delete the shortcut to the file. Please note any other shortcuts that you dont recognize in that list in your next response, and if .protected is not in the folder please give me a list of everything you see in that directory. ---------------------------------------------------------------- Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O2 - BHO: (no name) - {5068D10B-C5D8-4DEE-A505-1E0A7CD6F8D1} - C:\WINDOWS\System32\pmnli.dll (file missing) O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ujfismtl.dll O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hsahesgv.dll O20 - Winlogon Notify: hsahesgv - C:\WINDOWS\SYSTEM32\hsahesgv.dll O20 - Winlogon Notify: jomxlssn - C:\WINDOWS\SYSTEM32\jomxlssn.dll O20 - Winlogon Notify: ujfismtl - C:\WINDOWS\SYSTEM32\ujfismtl.dll Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. ---------------------------------------------------------------- Lets delete some ill mannered files.
If your computer does not restart automatically, please restart it manually to normal mode. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again. ---------------------------------------------------------------- Please download Deckard's System Scanner (DSS) to your Desktop.
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus) Post the main.txt from the C:\Deckard\System Scanner folder into your next reply. ---------------------------------------------------------------- Information to include in your next post:
|
|
|
|
|
Jul 11 2007, 09:08 PM
Post
#9
|
|
|
Member Posts: 19 OS: XP |
Thanks for all the help so far. In the ...\program\Startup\ folder I didn't find a shortcut to winlogin.exe and did not see .protected. There was only a shortcut to WinCinema Manager and Adobe Gamma Loader. After running HiJackThis and marking the files, rebooting into Safemode with networking and ran Killbox. Did not get the PendingFileRenameOperations prompt this time, but the reboot in Normal mode still failed on startup. Back in SafeMode with networking, I ran DSSexe and the report is below. Deckard's System Scanner v20070708.52 Run by Nathan on 2007-07-11 at 21:52:04 Computer is in Safe Mode with Networking. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Unable to create System Restore WMI object; error code: 0x00000001 Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Nathan.exe) ---------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 9:54:52 PM, on 7/11/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Documents and Settings\Nathan.YOUR-PA86Z1I3G7.000\Desktop\dss.exe C:\PROGRA~1\HIJACK~1\Nathan.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...c02&lc=0409 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq R3 - URLSearchHook: (no name) - {769705C9-7E71-D9B3-D427-3479C65B8D5B} - NsCplTray.dll (file missing) R3 - URLSearchHook: (no name) - {5AC01E0D-A3E1-D81B-DA5B-D8C46A6688DE} - AppMasterCenter.dll (file missing) F2 - REG:system.ini: UserInit=userinit.exe N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\i97s2931.slt\prefs.js) O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\hsahesgv.dll (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ujfismtl.dll (file missing) O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -os |