[GKeeper959]

Nope, nope, nope... I re-ran Killbox with only the guard.tmp file... same error message. Used VX2.Finder and rebooted, but still wouldn't boot up in normal mode. Created and ran recyclerem.bat (I think... a command screen popped up again for only a half a second, so I assume it worked and didn't kill itself like the other program) and rebooted, but I still can't get into normal mode.

Any other ideas?


Thanks so much, Pieter, for your continued (and incredibly prompt) help

[Advertisements]

Please read as reference:
http://techsupt.winb...00001045F1.html

So add to your wininit.ini

[rename]
NULL=C:\WINDOWS\system32\guard.tmp

Then reboot.

Regards,

Pieter

[Metallica]

Please read as reference:
http://techsupt.winb...00001045F1.html

So add to your wininit.ini

[rename]
NULL=C:\WINDOWS\system32\guard.tmp

Then reboot.

Regards,

Pieter

[GKeeper959]

Nope. Still doesn't seem to do the trick.

Here's what my wininit.ini file looks like. Maybe I did something wrong? I've never tinkered with this file before...

[Rename]
NUL=C:\WINDOWS\bdl94126.exe
NULL=C:\WINDOWS\system32\guard.tmp

Also, just for the heck of it, I searched my hard drive and the registry for "guard.tmp". Nothing was found on the hard drive. Here's what I found in the registry:


Key Name: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
Class Name: <NO CLASS>
Last Write Time: 1/25/2005 - 4:24 PM
Value 0
Name: 000
Type: REG_SZ
Data: guard.tmp

Value 1
Name: 001
Type: REG_SZ
Data: fixvx2.reg

Value 2
Name: 002
Type: REG_SZ
Data: output.txt



Key Name: HKEY_USERS\S-1-5-21-2216726386-3485517607-2614902147-1005\Software\Microsoft\Search Assistant\ACMru\5603
Class Name: <NO CLASS>
Last Write Time: 1/25/2005 - 4:24 PM
Value 0
Name: 000
Type: REG_SZ
Data: guard.tmp

Value 1
Name: 001
Type: REG_SZ
Data: fixvx2.reg

Value 2
Name: 002
Type: REG_SZ
Data: output.txt


Do these output.txt files have anything to do with the output.txt that didn't show up after running FindIt?


Thanks

Edited by GKeeper959, 25 January 2005 - 03:37 PM.

[Metallica]

That extra L could be wrong, please try:

NUL=C:\WINDOWS\system32\guard.tmp

guard.tmp is hidden so good that only a special program incorporated in FindIt is able to show it's presence.

Can you download, unzip and run:
http://www.diamondcs...p?page=asviewer

Click Main > Save to get a textfile.
Copy the content into your next post.

Regards,

Pieter

[GKeeper959]

Wow! Finally a program that my computer won't kill!

I tried renaming the NULL pointer in wininit.ini (you can see below) and reboot, but still no positive results...

Here's the log from asviewer:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for 01-26-2005
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\wininit.ini [rename]
NUL=C:\WINDOWS\bdl94126.exe
NUL=C:\WINDOWS\system32\guard.tmp
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CARPService
C:\WINDOWS\system32\carpserv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CPQEASYACC
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Smapp
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\srmclean
C:\Cpqs\Scom\srmclean.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Works Portfolio
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Works Update Detection
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PivotSoftware
C:\Program Files\WinPortrait\wpctrl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdaptecDirectCD
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinampAgent
C:\Program Files\Winamp\Winampa.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
C:\Program Files\QuickTime\qttask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LVCOMS
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ViewMgr
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Software Update
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /install
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Component Manager
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmtask
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SESync
C:\Program Files\SED\SED.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
C:\WINDOWS\system32\dumprep 0 -k
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2500 series#1097186090.job
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
C:\PROGRA~1\NORTON~1\NAVW32.exe
C:\WINDOWS\Tasks\Registration reminder 1.job
C:\WINDOWS\System32\OOBE\oobebaln.exe
C:\WINDOWS\Tasks\Registration reminder 2.job
C:\WINDOWS\System32\OOBE\oobebaln.exe
C:\WINDOWS\Tasks\Registration reminder 3.job
C:\WINDOWS\System32\OOBE\oobebaln.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
C:\Program Files\America Online 9.0\aoltray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD


Also, can you tell me what this SED.exe file is? A description I read said it has something to do with being able to Alt+click on a word in a browser to get a search of that word, and that it also works as an ad server. If I don't need it, I'd rather not have it.

Hope that log helps!

Edited by GKeeper959, 26 January 2005 - 07:09 AM.

[Metallica]

SED is spyware http://doxdesk.com/p...wnloadWare.html

It's a problem, but not what I suspect is stopping your computer from booting normally.
In fact, I don't see anything really wrong or missing in that log.

Can you download TDS-3 from http://tds.diamondcs...p?page=download
and update it following the instructions here:
http://tds.diamondcs...php?page=update
Then click System Testing > Full System scan.
Have it remove everything it gives you a positive identification of.

If there are any files TDS can't remove, let me know which one(s).

Regards,

Pieter

[GKeeper959]

Well, TDS definitely removed a lot of stuff that the other programs didn't catch. It was able to remove all infections. But the boot-up problem still remains...

Here's a log from TDS:

Scan Control Dumped @ 10:01:32 26-01-05
(DELETED) Positive identification: TrojanDownloader.Win32.Presario
File: c:\windows\system32\mscmtsrvc.exe

(DELETED) Positive identification (DLL): Adware.Coreak (dll)
File: c:\documents and settings\barbara besal\local settings\temp\akcore.dll

(DELETED) Positive identification (DLL): Adware.VirtuMonde (dll)
File: c:\documents and settings\barbara besal\local settings\temp\aklsp.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Agent.bt (dll)
File: c:\documents and settings\barbara besal\local settings\temp\akrules.dll

(DELETED) Positive identification (DLL): Adware.MetaDirect (dll)
File: c:\documents and settings\barbara besal\local settings\temp\nsdtmp09.dll

(DELETED) Positive identification: Adware.Altnet.b
File: c:\documents and settings\barbara besal\local settings\temp\__unin__.exe

(DELETED) Positive identification <Adv>: Possible WebDownloader
File: c:\program files\dell\dell dj explorer\appsetup.exe

(DELETED) Positive identification (DLL): Adware.ToolBar.MyWay.f (dll)
File: c:\program files\myway\mybar\2.bin\npmyway.dll

(DELETED) Positive identification <Adv>: Possible WebDownloader
File: c:\windows\cp14.exe

(DELETED) Positive identification <Adv>: Possible WebDownloader
File: c:\windows\d8.exe

(DELETED) Positive identification: TrojanDropper.Win32.SurfSide.a
File: c:\windows\ssk_b5.exe

(DELETED) Positive identification (DLL): Adware.PopCap (dll)
File: c:\windows\downloaded program files\popcaploader.dll

(DELETED) Positive identification (DLL): Adware.Coreak (dll)
File: c:\windows\system32\akcore.dll

(DELETED) Positive identification (DLL): Adware.VirtuMonde (dll)
File: c:\windows\system32\aklsp.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Agent.bt (dll)
File: c:\windows\system32\akrules.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Agent.br1 (dll)
File: c:\windows\system32\akupd.dll

(DELETED) Positive identification (embedded in file): Adware.Look2Me.r2 (dll)
File: c:\windows\system32\ffinst.exe

(DELETED) Positive identification: Adware.Look2Me.r
File: c:\windows\system32\ffinst.exe

(DELETED) Positive identification: TrojanDownloader.Win32.Presario
File: c:\windows\system32\mscmtsrvc.exe

[Metallica]

OK. That probably means it's time to lay our trust in MicroSofts hands.

Click Start > Run > type or copy&paste sfc /scannow > OK
(Note the space after sfc)
Windows will scan all important system files for presence and if they are undamaged.
It will prompt you for the install CD if it finds one that needs to be replaced.
Have the CD handy if you have one. Report which files it wanted to replace if you don't have one.

Regards,

Pieter

[GKeeper959]

Hmm... I tried running sfc /scannow, but the same thing happened that has been happening to the other programs. The command screen pops up for only half a second and then nothing happens...

Time to resort to System Restore?

Edited by GKeeper959, 26 January 2005 - 09:26 AM.

[Metallica]

No. That is probably a CD the vendor used. That is not the same as a Windows CD. Using that will make your computer back to how it was when it was new. Fast, clean and empty

That is our last resort.

Check if you have a folder called i386 holding the install files. That will do instead of a Windows CD.

Regards,

Pieter

[GKeeper959]

Okey dokey. Wiping it clean it is. Thanks so much, Pieter, for all your help. If nothing else, I've definitely learned more from this experience! Maybe I was overdue for a system restore anyway


I really appreciate all your help! Rock on, GTG!

[Metallica]

Your choice.
I wish I would have been able to solve it for you.

Regards,

Pieter