[Pixc]

Hiya Poppits

I've recently scanned my PC with all the suggested scanners and was a rather surprised at how infested the pc was.

I ran most of them 2 - 3 times through in safe mode, untill they have come up all clear.

I restarted the PC and now it wont let me log on. I enter the password, it starts to load then after I see the desktop for 2 secs it logs me off again. I can log in with same user and password in safe mode.

I have tried the fix as suggest by Lavasoft Knowledge Base Article 04060901
(fixing userinit.exe in registry)
and i have tried repairing xp installation but i still cant log in.

Any ideas would be appreciated

[Advertisements]

As directed by GeneralAres here is my Hijackthis Log. I can only access XP by safe mode so Im hoping this will be OK

Logfile of HijackThis v1.99.1
Scan saved at 10:52:11 a.m., on 6/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1C77EA96-CD57-07B4-1C0F-5ED870E77EC8} - C:\WINDOWS\drvi\nhomskyxvp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\DSE\ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\Run: [FG5hJ] C:\documents and settings\donna\local settings\temp\FG5hJ.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cyoqq.exe
O4 - HKLM\..\Run: [¢‰¸K0¨4W
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cyoqq.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\fw_304.exe /i
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [bioijds] c:\windows\system32\jzbfmm.exe r
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\RunServices: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Sesl] C:\Documents and Settings\Donna\Application Data\z?sg.exe
O4 - HKCU\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/d...onale_ver15.CAB
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe

[Pixc]

As directed by GeneralAres here is my Hijackthis Log. I can only access XP by safe mode so Im hoping this will be OK

Logfile of HijackThis v1.99.1
Scan saved at 10:52:11 a.m., on 6/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1C77EA96-CD57-07B4-1C0F-5ED870E77EC8} - C:\WINDOWS\drvi\nhomskyxvp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\DSE\ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\Run: [FG5hJ] C:\documents and settings\donna\local settings\temp\FG5hJ.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cyoqq.exe
O4 - HKLM\..\Run: [¢‰¸K0¨4W
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cyoqq.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\fw_304.exe /i
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [bioijds] c:\windows\system32\jzbfmm.exe r
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\RunServices: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Sesl] C:\Documents and Settings\Donna\Application Data\z?sg.exe
O4 - HKCU\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/d...onale_ver15.CAB
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe

[Retired Tech]

Didn't see it is already in the malware forum

Edited by Keith, 06 August 2005 - 02:54 AM.

[Metallica]

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {1C77EA96-CD57-07B4-1C0F-5ED870E77EC8} - C:\WINDOWS\drvi\nhomskyxvp.dll (file missing)

O4 - HKLM\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\Run: [FG5hJ] C:\documents and settings\donna\local settings\temp\FG5hJ.exe

O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cyoqq.exe
O4 - HKLM\..\Run: [¢‰¸K0¨4W
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cyoqq.exe

O4 - HKLM\..\Run: [Timer] C:\WINDOWS\fw_304.exe /i

O4 - HKLM\..\Run: [bioijds] c:\windows\system32\jzbfmm.exe r
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp

O4 - HKLM\..\RunServices: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [Microsoft Sinsup] odjiwjf.exe

O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Sesl] C:\Documents and Settings\Donna\Application Data\z?sg.exe
O4 - HKCU\..\Run: [CT Control Settings] CTSVCCD.EXE

O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/d...onale_ver15.CAB

Run Process Guard from the Start menu.
- Make sure it is not in Learning mode (Main Screen)
- On the Security tab rightclick and remove the following (if present)
C:\Program Files\ISTsvc\istsvc.exe
odjiwjf.exe
CTSVCCD.EXE
C:\WINDOWS\fw_304.exe
C:\WINDOWS\comm.exe
C:\WINDOWS\cyoqq.exe
C:\documents and settings\donna\local settings\temp\FG5hJ.exe

Reboot into safe mode and delete:
C:\Program Files\ISTsvc <= entire folder
C:\WINDOWS\drvi <= entire folder
C:\WINDOWS\fw_304.exe
C:\WINDOWS\comm.exe
c:\windows\system32\jzbfmm.exe

And (still in safe mode) use the DiskCleanup Tool to empty all your Temp folders.

Boot back to normal and post a new HijackThis log.

Regards,

[Pixc]

I can log on again..

Im technologically retarded and I followed your instructions as best I could. Posted is new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:26:31 p.m., on 6/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DSE\ADSL\CnxDslTb.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\DSE\ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe

[Metallica]

You did a great job.
That log is clean.

I have some reading material for you:

Please do have a look at my site about removing and preventing spyware.

How to effectively use ProcessGuard:
http://www.commontol...secure_pg3.html

Regards,

[Pixc]

Oh Metallica your a GOD SEND!!

Thank-you ever so kindly for your help...I prolly sound much like the other hundreds of people you have probably helped, but THANKS A BILLION

My faith in humanity is slowly being restorded. To see people like you helping tech' retards like me for free is so refreshing. I was going to be charged $100 per virus at the local PC store! ( Do you folks get payed to do this or is this out of pure kindness???)

[Metallica]

Thanks for the kind words.

Our help is for free. Donations are voluntary.

We do it to help people and raise awareness.

Take care,