Failed XP Logon



#1
Pixc

Pixc

    New Member

  • Member
  • Pip
  • 9 posts
Hiya Poppits

I've recently scanned my PC with all the suggested scanners and was rather surprised at how infested the pc was.

I ran most of them 2 - 3 times through in safe mode, until they have come up all clear.

I restarted the PC and now it won't let me log on. I enter the password, it starts to load then after I see the desktop for 2 secs it logs me off again. I can log in with same user and password in safe mode.

I have tried the fix as suggested by Lavasoft Knowledge Base Article 04060901
(fixing userinit.exe in registry)
and I have tried repairing xp installation but I still can't log in.

Any ideas would be appreciated
  • 0



#2
Pixc

Pixc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
As directed by GeneralAres here is my HijackThis log. I can only access XP by safe mode so I'm hoping this will be OK

Logfile of HijackThis v1.99.1
Scan saved at 10:52:11 a.m., on 6/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1C77EA96-CD57-07B4-1C0F-5ED870E77EC8} - C:\WINDOWS\drvi\nhomskyxvp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\DSE\ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\Run: [FG5hJ] C:\documents and settings\donna\local settings\temp\FG5hJ.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [K0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cyoqq.exe
O4 - HKLM\..\Run: [K04W
}zigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cyoqq.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\fw_304.exe /i
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [bioijds] c:\windows\system32\jzbfmm.exe r
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\RunServices: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Sesl] C:\Documents and Settings\Donna\Application Data\z?sg.exe
O4 - HKCU\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/d...onale_ver15.CAB
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
  • 0

#3
Retired Tech

Retired Tech

    Retired Staff

  • Retired Staff
  • 20,563 posts
:tazz:

Didn't see it is already in the malware forum

Edited by Keith, 06 August 2005 - 02:54 AM.

  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {1C77EA96-CD57-07B4-1C0F-5ED870E77EC8} - C:\WINDOWS\drvi\nhomskyxvp.dll (file missing)

O4 - HKLM\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\Run: [FG5hJ] C:\documents and settings\donna\local settings\temp\FG5hJ.exe

O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [‰K0@]"‰žiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cyoqq.exe
O4 - HKLM\..\Run: [‰K04W
}zžigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cyoqq.exe

O4 - HKLM\..\Run: [Timer] C:\WINDOWS\fw_304.exe /i

O4 - HKLM\..\Run: [bioijds] c:\windows\system32\jzbfmm.exe r
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp

O4 - HKLM\..\RunServices: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [Microsoft Sinsup] odjiwjf.exe

O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Sesl] C:\Documents and Settings\Donna\Application Data\z?sg.exe
O4 - HKCU\..\Run: [CT Control Settings] CTSVCCD.EXE

O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/d...onale_ver15.CAB

Run Process Guard from the Start menu.
- Make sure it is not in Learning mode (Main Screen)
- On the Security tab right-click and remove the following (if present)
C:\Program Files\ISTsvc\istsvc.exe
odjiwjf.exe
CTSVCCD.EXE
C:\WINDOWS\fw_304.exe
C:\WINDOWS\comm.exe
C:\WINDOWS\cyoqq.exe
C:\documents and settings\donna\local settings\temp\FG5hJ.exe


Reboot into safe mode and delete:
C:\Program Files\ISTsvc <= entire folder
C:\WINDOWS\drvi <= entire folder
C:\WINDOWS\fw_304.exe
C:\WINDOWS\comm.exe
c:\windows\system32\jzbfmm.exe

And (still in safe mode) use the DiskCleanup Tool to empty all your Temp folders.

Boot back to normal and post a new HijackThis log.

Regards,
  • 0

#5
Pixc

Pixc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
:tazz: I can log on again..

I'm technologically retarded and I followed your instructions as best I could. Posted is new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:26:31 p.m., on 6/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DSE\ADSL\CnxDslTb.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\DSE\ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
You did a great job. :tazz:
That log is clean.

I have some reading material for you:

Please do have a look at my site about removing and preventing spyware.

How to effectively use ProcessGuard:
http://www.commontol...secure_pg3.html

Regards,
  • 0
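Comparing the follow-up log against the first log and the fix list can be scripted. This is an added example, not part of the original thread and not HijackThis's own code. The function names are hypothetical, and the three inputs are shortened excerpts of the logs and fix list posted above.

```python
import re

# A HijackThis entry is "<section> - <detail>", e.g. "O4 - HKLM\..\Run: [name] cmd".
# Header and "Running processes" lines do not match and are ignored.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")

def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m["section"], m["detail"]))
    return entries

def verify_cleanup(before, after, fix_list):
    """Check a follow-up log against the entries that were meant to be fixed."""
    b, a, fixes = (parse_entries(t) for t in (before, after, fix_list))
    return {
        "still_present": sorted(fixes & a),              # fix failed or entry came back
        "removed_unrequested": sorted((b - a) - fixes),  # gone without being on the list
        "new_entries": sorted(a - b),                    # appeared between the two scans
    }

# Excerpts from this thread's logs and fix list (shortened, not the full logs).
BEFORE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1C77EA96-CD57-07B4-1C0F-5ED870E77EC8} - C:\WINDOWS\drvi\nhomskyxvp.dll (file missing)
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\DSE\ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\fw_304.exe /i
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
"""
AFTER = r"""
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\DSE\ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
"""
FIX_LIST = r"""
O2 - BHO: (no name) - {1C77EA96-CD57-07B4-1C0F-5ED870E77EC8} - C:\WINDOWS\drvi\nhomskyxvp.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\fw_304.exe /i
"""

if __name__ == "__main__":
    for label, items in verify_cleanup(BEFORE, AFTER, FIX_LIST).items():
        print(label, items)
```

Entries whose registry value name contains a line break, like the two `istsvc.exe` lines in the first log, are split across lines by HijackThis and are matched here on their first line only.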

#7
Pixc

Pixc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Oh Metallica you're a GOD SEND!!

Thank-you ever so kindly for your help...I prolly sound much like the other hundreds of people you have probably helped, but THANKS A BILLION

My faith in humanity is slowly being restored. To see people like you helping tech' retards like me for free is so refreshing. I was going to be charged $100 per virus at the local PC store! (Do you folks get paid to do this or is this out of pure kindness???)
  • 0

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Thanks for the kind words.

Our help is for free. Donations are voluntary.

We do it to help people and raise awareness. :tazz:

Take care,
  • 0





