[jclynn67]

My brother has been having issues and brought me his computer to fix! Upon starting his computer it come up with the warning of the worm.win32.netsky problem and his background has the warning on it ... also Internet Security 2010 warning of viruses ... it wont go away. I downloaded Hijack This and copied the log. My brother installed Norton360 and I was able to get it to run a scan and it said it found and fixed 3 problems ... so I restarted the computer because it still had the popups from Internet Security 2010 and thought maybe restarting would take care of it. Fat chance ... now it wont load ... comes up the login and when I enter the password it opens for a second then logging off and goes back to needing the password again. Fudge ... I tried to shut it off and restart it so I could try to load in safe mode and now nothing happens ... nothing ... wont power up at all, please help!!! What flipping kind of virus is this??? Computer totally dead HELP PLEASE!!!!
Thanks,
Jody

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:47 AM, on 12/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\winupdate86.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\dell\E-center\gtb2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.......&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.......&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.googl...back.html?hl=en
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [totadoveg] Rundll32.exe "c:\windows\system32\suwidusu.dll",a
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.wea....ransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec....scbase5483.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB985AE6-B9BE-4009-9652-9794DBD879F4}: NameServer = 75.116.63.154 75.116.127.154
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O20 - AppInit_DLLs: zujopuhe.dll c:\windows\system32\,buvoyaki.dll c:\windows\system32\suwidusu.dll
O21 - SSODL: jutojuzam - {2beb4833-ee9c-4931-bcc5-36341996f367} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {2beb4833-ee9c-4931-bcc5-36341996f367} - (no file)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 10675 bytes

[Advertisements]

There are reports of a bootkit virus which could infect the BIOS. Hopefully it's not one of them. Normally even they do not keep the PC from starting up but I suppose there is always a first time.

http://www.ehow.com/...bios-virus.html



What PC (make and model) is this? Do you get any lights at all?

I can see why it stopped booting after Norton messed it up.

In case you ever get it to power up again these were the obvious evil doers:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe

O4 - HKLM\..\Run: [totadoveg] Rundll32.exe "c:\windows\system32\suwidusu.dll",a
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe

O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll

O20 - AppInit_DLLs: zujopuhe.dll c:\windows\system32\,buvoyaki.dll c:\windows\system32\suwidusu.dll
O21 - SSODL: jutojuzam - {2beb4833-ee9c-4931-bcc5-36341996f367} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {2beb4833-ee9c-4931-bcc5-36341996f367} - (no file)

Removing the file mentioned in F2 is what kept it from booting. Norton should know better. This line refers to a registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Usually it has an entry in the right column called userinit. Normally this will say (after the REG_SZ) C:\windows\system32\userinit.exe,

so Norton should have fixed the registry entry and made sure there was a file C:\windows\system32\userinit.exe but it dropped the ball. It's not alone. AVG is doing the same thing judging by the number of posts I'm seeing.

It depends on what exactly Norton did, what you need to do to fix it. If it just removed the file then you can copy userinit.exe to C:\WINDOWS\system32\winlogon86.exe and it will use the renamed userinit and boot OK. If it also removed the entry then you will need to edit the registry to replace it.

If you have an XP CD you can boot into the recovery console and copy the files.

The Offline NT Password & Registry Editor would be useful to check the registry entry in case it did more. You will need to be able to take a .iso file and Burn Image to a CD.

http://pogostick.net/~pnh/ntpasswd/

Click on Bootdisk then down near the bottom of the page you want

cd080802.zip

Download it and Save it somewhere you can find it again. Right click on it and Extract All. You will get a folder named
cd080802. Inside the folder is cd080802.iso tho you may not be able to see the ISO part. On my Emachine I use Roxio to burn CDs so I start Roxio then choose Copy Disk. Under Copy Disk on the left panel is an option Burn Image which I select then I point it at cd080802.iso and hit the burn button (after inserting a blank CD).

Insert the CD in the sick PC and restart. You may need to quickly select Setup or Boot Options in order to get it to boot from a CD. On my emachine it's F12 for the Boot Options and the DVD is the second option so I hit the down arrow once then Enter.

You will get a lot of text with "boot:" at the end. Press Enter. More text. Keep pressing Enter until you get three options. 1 Password Recovery, 2 Recovery Console, 3 quit (? I forget.) Tell it 2 and the next menu will have 9 as a registry editor. Select 9.

I forgot to write this down but you want the option for the SOFTWARE which once you choose it will essentially put you at:
HKEY_LOCAL_MACHINE\SOFTWARE


Tpe:

cd Microsoft

cd Windows NT

cd CurrentVersion

cd Winlogon

cat userinit

(This is Linux which cares about capital and small letters so make sure you type the exact word as written. If I have a typo and a CD command doesn't work you can do
dir
and it will list the possible subfolders.

q
to quit
?
for help

It is possible to write to the registry using this program but a little awkward. I wouldn't try it unless the userinit value is missing altogether.)

Let us know what you find out.

Ron

[RKinner]

There are reports of a bootkit virus which could infect the BIOS. Hopefully it's not one of them. Normally even they do not keep the PC from starting up but I suppose there is always a first time.

http://www.ehow.com/...bios-virus.html



What PC (make and model) is this? Do you get any lights at all?

I can see why it stopped booting after Norton messed it up.

In case you ever get it to power up again these were the obvious evil doers:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe

O4 - HKLM\..\Run: [totadoveg] Rundll32.exe "c:\windows\system32\suwidusu.dll",a
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe

O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll

O20 - AppInit_DLLs: zujopuhe.dll c:\windows\system32\,buvoyaki.dll c:\windows\system32\suwidusu.dll
O21 - SSODL: jutojuzam - {2beb4833-ee9c-4931-bcc5-36341996f367} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {2beb4833-ee9c-4931-bcc5-36341996f367} - (no file)

Removing the file mentioned in F2 is what kept it from booting. Norton should know better. This line refers to a registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Usually it has an entry in the right column called userinit. Normally this will say (after the REG_SZ) C:\windows\system32\userinit.exe,

so Norton should have fixed the registry entry and made sure there was a file C:\windows\system32\userinit.exe but it dropped the ball. It's not alone. AVG is doing the same thing judging by the number of posts I'm seeing.

It depends on what exactly Norton did, what you need to do to fix it. If it just removed the file then you can copy userinit.exe to C:\WINDOWS\system32\winlogon86.exe and it will use the renamed userinit and boot OK. If it also removed the entry then you will need to edit the registry to replace it.

If you have an XP CD you can boot into the recovery console and copy the files.

The Offline NT Password & Registry Editor would be useful to check the registry entry in case it did more. You will need to be able to take a .iso file and Burn Image to a CD.

http://pogostick.net/~pnh/ntpasswd/

Click on Bootdisk then down near the bottom of the page you want

cd080802.zip

Download it and Save it somewhere you can find it again. Right click on it and Extract All. You will get a folder named
cd080802. Inside the folder is cd080802.iso tho you may not be able to see the ISO part. On my Emachine I use Roxio to burn CDs so I start Roxio then choose Copy Disk. Under Copy Disk on the left panel is an option Burn Image which I select then I point it at cd080802.iso and hit the burn button (after inserting a blank CD).

Insert the CD in the sick PC and restart. You may need to quickly select Setup or Boot Options in order to get it to boot from a CD. On my emachine it's F12 for the Boot Options and the DVD is the second option so I hit the down arrow once then Enter.

You will get a lot of text with "boot:" at the end. Press Enter. More text. Keep pressing Enter until you get three options. 1 Password Recovery, 2 Recovery Console, 3 quit (? I forget.) Tell it 2 and the next menu will have 9 as a registry editor. Select 9.

I forgot to write this down but you want the option for the SOFTWARE which once you choose it will essentially put you at:
HKEY_LOCAL_MACHINE\SOFTWARE


Tpe:

cd Microsoft

cd Windows NT

cd CurrentVersion

cd Winlogon

cat userinit

(This is Linux which cares about capital and small letters so make sure you type the exact word as written. If I have a typo and a CD command doesn't work you can do
dir
and it will list the possible subfolders.

q
to quit
?
for help

It is possible to write to the registry using this program but a little awkward. I wouldn't try it unless the userinit value is missing altogether.)

Let us know what you find out.

Ron

[jclynn67]

Those are the steps of the day ... I was able to get the hijack log prior to Norton scan/fix. After Norton scan I could not log in ... I tried to log in with the password half a dozen times before turning it off and then it went dead ... I tried to turn it on to no avail ... so I unplugged it for 5 minutes and it still wouldn't turn on ... no lights ... nothing! We had a Christmas supper to go to so I unplugged it while we were gone (5 hours). I plugged it in when we got home and lights lit up on front ... all kinds ... then quit ... nothing ... never booted ... just a bunch of lights flashed on and off again ... first and only sign of life since it died! I unplugged it again and waiting for some assistance and what to do next! BTW it is a Dell Dimension 3100.

Thanks a million,
Jody

[RKinner]

Sounds like the power supply has given up the ghost.

Following link talks about your lights:

http://support.dell....t.htm#wp1124478

They think either power or processor.



At the bottom of the following link is how to change the battery. Follow it and leave the battery out for a few minutes then put it back.

http://support.dell....0.htm#wp1043338

It's a long shot but you never know.

Ron

[jclynn67]

How do you tell what light deal it they flash so fast and all seem to flutter a second and then nothing ... they should stay on for 30 seconds to show what they are meaning hehehe.

THanks for you help any other ideas would be appreciated!

Merry Christmas!
Jody

[RKinner]

I suppose they flash as it goes through different steps in the boot and only the final state is worth noting. Since you have no lights on at the end they say it's either the power supply or the processor. Not much help there I'm afraid.

Did you try pulling the battery?

Ron

[jclynn67]

Ok ... after sitting a couple days ... I plugged in the computer again and it booted to where I needed to enter the password ... it boots then immediately logs off again ... going to try to enter a XP cd and try again ... wish me luck everyone!!!

[jclynn67]

well I spoke too soon ... when I went shut it off and went to turn it back on ... dead again .. no lights flash nothing!

What is going on???

[RKinner]

overheating? Is the fan on the CPU running?

[jclynn67]

OK ... I pulled the battery and it will now boot up to where you enter the password ... logs on then logs right back off ... please help how to get it to boot from here?

CPU fan is running good ... there is a light on the mother board right by the battery? Not sure if that is always on or what it means.

Thanks,
Jody

Edited by jclynn67, 27 December 2009 - 01:32 PM.

[RKinner]

OK What happened was that Norton removed the malware but did not fix the registry entry. This line:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe

Is extremely critical to the logon process. Normally it should say C:\Windows\System32\userinit.exe, but your virus has changed it to say: C:\WINDOWS\system32\winlogon86.exe but then stupid Norton came along and said winlogon86.exe is malware - I'll delete it which would have been OK if it had fixed the registry entry at the same time but it didn't so now windows thinks it needs the file winlogon86.exe in order to log you on. Without it you go in circles like you are doing. The fix is to find a copy of userinit.exe and copy it on to the sick PC as C:\WINDOWS\system32\winlogon86.exe. On an XP system there is usually one in C:\Windows\System32\dllcache\.

Of course the question now is how to do that when you can't log on? If you had the recovery console on your PC or if you can find an XP CD and boot from it into the recovery console then it's simply a matter of:

copy \windows\system32\dllcache\userinit.exe \windows\system32\winlogon86.exe

Then it should boot OK. I think you can also use Kaspersky boot cd.

http://devbuilds.kas...lds/RescueDisk/

You need to download and unzip the file on another PC then do a Disk Copy using a disk image (the file you downloaded.) Then you have to get the sick PC to boot from a CD which may require going into the Setup or Boot Menu (look for F-key options at boot). I think if you click on the K in the bottom left it will give you the option to use a file Manager.



The other option is to edit the registry to fix the value of userinit in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Bit harder to do tho there is an offline tool for this:
http://pogostick.net/~pnh/ntpasswd/

Ron

[jclynn67]

Ok ... I was able to do a repair on the installation and now able to get the computer to boot up ... I went to backup all the pictures and documents and it wont let me ... says the status us not set ... and tries to install something ... after clicking cancell and it restarting 100+ times it stopped and I was able to get it to stop. So I did a Hijack this and posting a log ... please tell me in simple instructions what to do next ... Thanks a million!
Jody

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:13 AM, on 4/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\HP\DIGITA~1\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\Explorer.EXE
c:\dell\E-center\gtb2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\MsiExec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.googl...back.html?hl=en
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [totadoveg] Rundll32.exe "c:\windows\system32\suwidusu.dll",a
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.wea...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5483.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O20 - AppInit_DLLs: zujopuhe.dll c:\windows\system32\,buvoyaki.dll c:\windows\system32\suwidusu.dll
O21 - SSODL: jutojuzam - {2beb4833-ee9c-4931-bcc5-36341996f367} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {2beb4833-ee9c-4931-bcc5-36341996f367} - (no file)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 10074 bytes

[RKinner]

See if you can run Combofix and install the Recovery Console while you are at it.

Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Run:

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.

Ron

[RKinner]

For what it is worth these are the visible problems in HJT.

Check the box in front of each and then Fix Checked. Maybe you will get lucky.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [totadoveg] Rundll32.exe "c:\windows\system32\suwidusu.dll",a
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O20 - AppInit_DLLs: zujopuhe.dll c:\windows\system32\,buvoyaki.dll c:\windows\system32\suwidusu.dll
O21 - SSODL: jutojuzam - {2beb4833-ee9c-4931-bcc5-36341996f367} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {2beb4833-ee9c-4931-bcc5-36341996f367} - (no file)

[jclynn67]

Ok ... I was not able to download combofix ... but was able to download malwarebytes and run that and fix ... I also deleted those files listed above ... then it restarted and now I am locked out of the computer. Says the computer has been locked and only admistrator can unlock ... has for a user name and password but I am unable to type in either of those spots. We seem to keep coming up against the brick wall!

Thanks for the help!
Jody