Computer in Dire Need Of Help! [RESOLVED], MALWARE PROBLEM
hellslayer (Member; Posts: 30; From: Louisville, KY; OS: XP), posted Jul 6 2006, 03:53 PM, Post #1

#1 I can NOT boot in safe mode; it (malware?) will not allow you to.
#2 I have administrative privileges (I'm on the administrator account), and it will not let you install/uninstall most programs; it says you do not have administrative powers/permission, or it just won't let you install.
#3 I was able to install Stinger, but it only removed 1 Bagle virus and it seems that I have 7. And I cannot find anything about them online. They are named Bagle.ci and Bagle.gen.
#4 I cannot manage anything (Computer > Manage).
#5 It will not allow you to install ActiveX.
#6 It will not allow me to run Spybot or Symantec Norton AntiVirus.

I do not have HijackThis on the computer, and I do not think it will allow me to install it.

That is all I can think of right now.
hellslayer (Member; Posts: 30; From: Louisville, KY; OS: XP), posted Jul 6 2006, 04:11 PM, Post #2

#1 I can NOT boot in safe mode; it (malware?) will not allow you to.
#2 I have administrative privileges (I'm on the administrator account), and it will not let you install/uninstall most programs; it says you do not have administrative powers/permission, or it just won't let you install.
#3 I was able to install Stinger, but it only removed 1 Bagle virus and it seems that I have 7. And I cannot find anything about them online. They are named Bagle.ci and Bagle.gen.
#4 I cannot manage anything (Computer > Manage).
#5 It will not allow you to install ActiveX.
#6 It will not allow me to run Spybot or Symantec Norton AntiVirus.

Logfile of HijackThis v1.99.1
Scan saved at 6:10:34 PM, on 7/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\administrator.WESTPORT\Local Settings\Temporary Internet Files\Content.IE5\GVO3EVQ9\20060706-021-i32[1].exe
C:\DOCUME~1\ADMINI~1.WES\LOCALS~1\Temp\RarSFX0\updat32.exe
C:\Documents and Settings\administrator.WESTPORT\Local Settings\Temporary Internet Files\Content.IE5\GVO3EVQ9\20060706-021-i32[1].exe
C:\DOCUME~1\ADMINI~1.WES\LOCALS~1\Temp\RarSFX1\updat32.exe
C:\Documents and Settings\administrator.WESTPORT\Local Settings\Temporary Internet Files\Content.IE5\GVO3EVQ9\20060706-021-i32[1].exe
C:\DOCUME~1\ADMINI~1.WES\LOCALS~1\Temp\RarSFX2\updat32.exe
C:\Documents and Settings\administrator.WESTPORT\Local Settings\Temporary Internet Files\Content.IE5\INIDMLMV\20060706-021-x86[1].exe
C:\DOCUME~1\ADMINI~1.WES\LOCALS~1\Temp\RarSFX3\wrap32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\administrator.WESTPORT\Local Settings\Temporary Internet Files\Content.IE5\INIDMLMV\HijackThis[1].exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.trustyhound.com/sidebar-search.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKLM\..\Run: [firewall_anti] C:\WINDOWS\firewall_anti.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} - http://www.funnytaf.com/fun/installer/Install.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = westport.dom
O17 - HKLM\Software\..\Telephony: DomainName = westport.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = westport.dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = westport.dom
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = westport.dom
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

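A log like the one above is normally read by eye. As an added example (my code, written for this page; it is not part of the thread, of HijackThis, or of the Geeks to Go fix), here is a small Python triage script that encodes three of the checks a helper applies to it: processes executing out of Temp or the Temporary Internet Files cache, O4 Run values whose name does not match the file they launch (as with [german.exe] launching wintems.exe), and an R0 search setting that points somewhere other than Microsoft's own hosts. The sample input is an excerpt of the log posted above; the list of allowed search hosts and the rule names are my assumptions.

```python
"""Heuristic triage of a HijackThis 1.99 log (added example, not HijackThis code)."""
import re
from urllib.parse import urlparse

# Constructed sample input: an excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\administrator.WESTPORT\Local Settings\Temporary Internet Files\Content.IE5\GVO3EVQ9\20060706-021-i32[1].exe
C:\DOCUME~1\ADMINI~1.WES\LOCALS~1\Temp\RarSFX0\updat32.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.trustyhound.com/sidebar-search.php
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKLM\..\Run: [firewall_anti] C:\WINDOWS\firewall_anti.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
"""

# Directories an installed program does not run from; a binary here was dropped, not installed.
TEMP_DIR_RE = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)

# "O4 - HKLM\..\Run: [value name] command" as HijackThis prints it (command is unquoted).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# R0/R1 lines: IE search or start page settings with a URL on the right-hand side.
R_RE = re.compile(r"^R[01] - .+ = (?P<url>https?://\S+)$")

# Assumption for this example: hosts IE's search settings legitimately point to.
EXPECTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")


def parse_running_processes(log):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, in_section = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def file_stem(command):
    """Lower-case file name without extension of the executable an O4 command launches."""
    filename = command.strip().rsplit("\\", 1)[-1]
    return filename.lower().rsplit(".", 1)[0]


def host_allowed(host):
    """True if host is one of the expected search hosts or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in EXPECTED_SEARCH_HOSTS)


def triage(log):
    """Apply the three rules and return the matching lines grouped by rule."""
    findings = {"temp_process": [], "o4_name_mismatch": [], "search_hijack": []}

    # Rule 1: running processes living in Temp or the IE cache.
    for path in parse_running_processes(log):
        if TEMP_DIR_RE.search(path):
            findings["temp_process"].append(path)

    for line in log.splitlines():
        # Rule 2: O4 value name disagrees with the file it launches.
        m = O4_RE.match(line)
        if m:
            value_stem = m.group("name").lower().rsplit(".", 1)[0]
            if value_stem != file_stem(m.group("cmd")):
                findings["o4_name_mismatch"].append(line)
            continue
        # Rule 3: IE search/start page redirected to an unexpected host.
        m = R_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if not host_allowed(host):
                findings["search_hijack"].append(line)
    return findings


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Run against the excerpt, it reports the two Temp-path processes, the german.exe/wintems.exe Run entry and the trustyhound.com search entry. Note what the rules do not catch: winshost.exe and firewall_anti.exe are launched under their own names from normal-looking Windows paths, so a name-or-path heuristic passes them, and only identifying the files themselves (hash lookup, vendor detection name) settles them. That is the practical reason behind the staff warning later in this thread not to click "Fix checked" on your own: heuristics narrow the list, they do not decide it.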
agrarianmonk (Visiting Staff; Posts: 753; OS: XP), posted Jul 6 2006, 04:30 PM, Post #3

Hi,

Welcome to GeekstoGo. I will be more than happy to help you work on your problems.
Please give me some time to review your log, as this can be a lengthy process. As soon as a GeekstoGo Staff Expert reviews my fix, I will post it for you.
In the meantime, if any problems occur, please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you're unsure of anything at all, please stop and ask!
hellslayer (Member; Posts: 30; From: Louisville, KY; OS: XP), posted Jul 6 2006, 04:31 PM, Post #4

Thank you so much!
agrarianmonk (Visiting Staff; Posts: 753; OS: XP), posted Jul 6 2006, 08:38 PM, Post #5

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

More information on Remote Access Trojans can be found here.

I suggest you do the following immediately:

1. Call all of your banks, credit card companies and financial institutions, inform them that you may be a victim of identity theft, and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change *all* your online passwords: for email, for banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

*************************************

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, apart from 'Show All'.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

*************************************

You are currently using HijackThis from a temporary directory; this can cause problems.
HijackThis creates backups, and these are needed in case of any recovery issues.
Please create a directory on your C:\ drive called C:\HJT, then download and unzip HijackThis into that directory. Run the program from that directory from now on.

STEPS For Creating Folder
    1. Please go to My Computer, open your C:\ drive, select New >> Folder and name the folder HJT.

    2. Download HijackThis to the new folder:

    3. Double-click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

    4. Close ALL windows except HJT.

    5. SCAN with HJT and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

    6. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste').
Please make sure you post the entire log, including the top portion.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER.

***************************

In your next post, please include:
  • new HijackThis log
  • GMER log
*Please use separate posts to post each log. The GMER log will be very long, so split it up into a few posts to make sure it doesn't get cut off.

Thanks!
hellslayer (Member; Posts: 30; From: Louisville, KY; OS: XP), posted Jul 7 2006, 06:46 AM, Post #6

[screenshot of the error]

This is the error I get when I try to run GMER. I am doing the HijackThis scan now.
hellslayer (Member; Posts: 30; From: Louisville, KY; OS: XP), posted Jul 7 2006, 07:18 AM, Post #7

I get this error when I try to scan with HijackThis:

[screenshot of the first error]

When I press OK in that error, I get this error:

[screenshot of the second error]

This post has been edited by hellslayer: Jul 7 2006, 07:20 AM
hellslayer (Member; Posts: 30; From: Louisville, KY; OS: XP), posted Jul 7 2006, 08:11 AM, Post #8

I cannot boot in safe mode anymore (I couldn't anyway, but it gave me the illusion that it was booting in safe mode when it wouldn't); now it hangs at mup.sys.

This post has been edited by hellslayer: Jul 7 2006, 08:12 AM
agrarianmonk (Visiting Staff; Posts: 753; OS: XP), posted Jul 7 2006, 11:03 AM, Post #9

Hi Hellslayer,

You do have some nasty malware on your system, but in order to clean that out, we'll need to be able to get into safe mode. As you mentioned, the system hangs at mup.sys when attempting to boot into safe mode.

The mup.sys problem you mention is not a malware problem. According to this article, the solution is to reset the ESCD in the BIOS. However, because each BIOS is different, and in the malware forum we are not experienced in addressing non-malware-related issues, I invite you to post in the Windows XP OS forum to get help from some of our Trusted Techs.

After you fix the mup.sys problem and are able to boot into safe mode, I'll be able to help you with your malware problems.
hellslayer (Member; Posts: 30; From: Louisville, KY; OS: XP), posted Jul 7 2006, 12:13 PM, Post #10

Thank you. I'm working on it.
hellslayer (Member; Posts: 30; From: Louisville, KY; OS: XP), posted Jul 11 2006, 01:57 PM, Post #11

We copied the documents to a new hard drive and reformatted it. No more help is required. Thank you for all of your efforts!
agrarianmonk (Visiting Staff; Posts: 753; OS: XP), posted Jul 11 2006, 02:43 PM, Post #12

Since this issue appears to be resolved, this topic has been closed.

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

This post has been edited by agrarianmonk: Jul 11 2006, 02:47 PM