I am unable to boot in safe mode since I receive the blue screen with the inaccessible boot message. I was trying to boot in safe mode since none of my anti-virus programs, including a newly installed one, will run - the hourglass blinks. Also, we are unable to use our Office program.
I have previously saved off our files onto an external hard drive. I have a Dell CD which gives the option to upgrade or reinstall Win 2000. Do you think the best option would be to try the upgrade option, or do you have another idea I should try first? I do not see a repair option on my Dell Win 2000 CD. As you may have guessed, this is our old computer which we do not use often anymore, but it is nice to have as a 2nd PC.
Thanks so much in advance for any advice you can provide.
Pam

If it is a virus or spyware, there is a chance that it can be removed. If you would like us to take a look, post a Hijack This log.
Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "Next" in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.
Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Yes, I can still get into normal Windows. Sorry, I did not mention that earlier. I will post a hijack this log.
Thanks,
Pam

Here is my hijack log. I do not know about this area with computers so I will not be attempting to fix anything on this.
Thanks again, Pam
Logfile of HijackThis v1.99.1
Scan saved at 8:50:40 PM, on 1/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\aspi2761112.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\ISHOST.exe
C:\WINNT\system32\ismini.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wral.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccomm...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/ap...
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/...
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yah...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/...
O20 - AppInit_DLLs:
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINNT\system32\rpccd.dll (file missing)
O21 - SSODL: GhgLvI - {A0055519-0AAF-FFB3-4CB0-00829998AD5E} - C:\WINNT\system32\vphvr.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\system32\aspi2761112.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - Unknown owner - D:\Program Files\ewido\security suite\ewidoctrl.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Administrator.JAMESANDPAMELA\Local Settings\Temp\ieupdate.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe

You have two major things wrong that appear in this scan, and they can be fixed more easily than reinstalling your operating system. This will take several scans and some clean up.
Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... then extract the contents to your desktop. Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd".
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing "Y" and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if "wininet.dll " is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing "Y" and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Also post back with a new Hijack This log.

jabuck
Not interfering, but that SmitFraud link didn't work for me. Wonder if you meant the zip file rather than the exe.
DerekW

Thanks Derek, didn't notice the bad link.
Please download SmitFraudFix from this link instead of the link previously posted. http://siri.urz.free.fr/Fix/Smitfra...

jabuck, Thanks for replying back so quickly and Derek thank you for your input. Unfortunately, I was unable to complete the directions.
I downloaded the zip file onto my computer that is working fine and then brought it over to my other computer via a flash drive. Next, I extracted it to the desktop.
However, when I double-clicked on the smitfraudfix.cmd file, the only thing that happened is a DOS window opened with
"C:\WINNT\system32\cmd.exe" in the blue title bar. The window below is all black with a white cursor. I did not receive any prompts. I tried running it with Start - Run and browsing for it, but no luck that way either.
Pam

I just looked over at my computer I was trying to run smitfraudfix on and I had a message with an "X" that stated malicious script and that my computer has halted and I needed to do something about the script so I exited it. I never did get prompted with the options.
Pam

This may not be the exact way to turn off your Norton script blocker (most likely the cause of the problem), but it should be close.
Turn off Norton's ScriptBlocking. To disable Norton AntiVirus Script Blocking:
Start Norton AntiVirus.
If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options.
If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK.
Then try running the tool again.

Since I was not able to open Norton, but it was apparently there in some way, I removed the program. I'll reinstall Norton before I get the computer back on the Internet. Once I did this, I was able to run the program and saw in the report it took care of some bad files.
Pam
Here is my new hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 5:11:47 PM, on 1/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\aspi2761112.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\HijackThis.exe
C:\WINNT\System32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccomm...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/ap...
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/...
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yah...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/...
O20 - AppInit_DLLs:
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINNT\system32\rpccd.dll (file missing)
O21 - SSODL: GhgLvI - {A0055519-0AAF-FFB3-4CB0-00829998AD5E} - C:\WINNT\system32\vphvr.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\system32\aspi2761112.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - Unknown owner - D:\Program Files\ewido\security suite\ewidoctrl.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Administrator.JAMESANDPAMELA\Local Settings\Temp\ieupdate.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

If possible this tool needs to be run in safe mode. It is a rootkit removal tool. If you cannot access safe mode, run it once in normal mode, then try to boot into safe mode and run it again. If you were not able to boot into safe mode, just post the results of the scan.
Please download SDFix by AndyManchesta and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in "Safe Mode", then press "Enter".
Choose your usual account.
Once in Safe Mode, please do the following:
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double-click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

I still can't boot in safe mode, so I tried to run it in Normal mode.
I am prompted to choose 1 of 2 command line scanners. First, I tried option 1 - SAV32CLI (Sophos - 9.75 Mb). I was prompted with 413_ides.zip:
Then, I tried option 2 - a-squared (EMSI software 10.5 Mb). I was prompted with a2cmd.zip: and then a series of messages stating this was unable to be downloaded.
I did reconnect to the Internet since the script stated I needed to be connected to download these. However, I ended up with both of these zip files showing in Win explorer with 0 Mb.
So, to sum up, I was unable to run this script. I sure wish I could at least get into Safe Mode at this point to be able to do more.
Pam

We can get some more baddies deleted which may get us into safe mode.
Please download Killbox by Option^Explicit and install in on the desktop.
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ and install it on the desktop.
Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
O20 - AppInit_DLLs:
O21 - SSODL: GhgLvI - {A0055519-0AAF-FFB3-4CB0-00829998AD5E} - C:\WINNT\system32\vphvr.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\system32\aspi2761112.exe
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Administrator.JAMESANDPAMELA\Local Settings\Temp\ieupdate.exe (file missing)
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINNT\system32\vphvr.dll
C:\WINNT\system32\aspi2761112.exe
C:\Documents and Settings\Administrator.JAMESANDPAMELA\Local Settings\Temp\ieupdate.exe
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt.
If your computer does not restart automatically, please restart it manually.
Run ATF-Cleaner.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Try booting into safe mode and, if possible, run sdfix.
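As an added illustration, not part of jabuck's or Pam's posts and not a tool from this thread, the Python script below does the review that the two "fix checked" posts above do by hand: it parses HijackThis 1.99.x O20/O21/O23 entries, flags the ones with the tell-tale signs visible in Pam's log (a service with "Unknown owner", a binary under a Temp folder, a "(file missing)" orphan, a Winlogon Notify or SSODL name that is not a stock Windows entry), and prints the file paths in the form jabuck pastes into Killbox. The allowlists of stock Winlogon Notify and SSODL names are my assumption and a starting point only; the sample log lines are a constructed excerpt copied from the log posted earlier in the thread. Flagged entries are review cues, not a verdict: a helper still checks each one before fixing it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt, copied from the HijackThis 1.99.1 log posted earlier in this thread.
SAMPLE_LOG_LINES = [
    r"Logfile of HijackThis v1.99.1",
    r"Platform: Windows 2000 SP4 (WinNT 5.00.2195)",
    r'O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN',
    r"O20 - AppInit_DLLs:",
    r"O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll",
    r"O20 - Winlogon Notify: rpccd - C:\WINNT\system32\rpccd.dll (file missing)",
    r"O21 - SSODL: GhgLvI - {A0055519-0AAF-FFB3-4CB0-00829998AD5E} - C:\WINNT\system32\vphvr.dll",
    r"O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\system32\aspi2761112.exe",
    r"O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe",
    r"O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Administrator.JAMESANDPAMELA\Local Settings\Temp\ieupdate.exe (file missing)",
]

# Assumed allowlists (a starting point, not exhaustive): stock Winlogon Notify
# packages on Windows 2000/XP, and stock ShellServiceObjectDelayLoad names.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon", "wzcnotif"}
KNOWN_SSODL = {"WebCheck", "SysTray", "PostBootReminder", "CDBurn", "UPnPMonitor", "AUHook"}

ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")   # "O23 - Service: ..." -> ("O23", "Service: ...")
FILE_MISSING = "(file missing)"


@dataclass
class Finding:
    section: str                  # e.g. "O23"
    body: str                     # entry text without the "O23 - " prefix
    path: Optional[str]           # on-disk path the entry points at, if any
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def extract_path(section: str, body: str) -> Tuple[Optional[str], bool]:
    """Pull the file path out of an entry body; HijackThis prints it last."""
    missing = body.endswith(FILE_MISSING)
    if missing:
        body = body[: -len(FILE_MISSING)].rstrip()
    if section == "O4":
        # O4 bodies carry a command line: a quoted path, or the first token.
        m = re.search(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)', body)
        path = (m.group(1) or m.group(2)) if m else None
    else:
        tail = body.rsplit(" - ", 1)[-1].strip()
        path = tail if re.match(r"^[A-Za-z]:\\", tail) else None
    return path, missing


def name_after_colon(body: str) -> str:
    """'Winlogon Notify: rpcc - C:\\...' -> 'rpcc'; 'SSODL: GhgLvI - {...} - ...' -> 'GhgLvI'."""
    return body.split(":", 1)[1].split(" - ", 1)[0].strip()


def assess(f: Finding) -> None:
    """Attach review reasons. These are cues for a human, not a verdict."""
    lower_path = (f.path or "").lower()
    if f.section == "O23" and " - Unknown owner - " in f.body:
        f.reasons.append("service binary has no recorded publisher")
    if "\\temp\\" in lower_path:
        f.reasons.append("binary lives under a Temp directory")
    if f.file_missing:
        f.reasons.append("entry points at a file that is no longer on disk")
    if f.section == "O21" and name_after_colon(f.body) not in KNOWN_SSODL:
        f.reasons.append("SSODL name is not a stock Windows shell object")
    if (f.section == "O20" and f.body.startswith("Winlogon Notify:")
            and name_after_colon(f.body).lower() not in KNOWN_WINLOGON_NOTIFY):
        f.reasons.append("Winlogon Notify package is not a stock Windows 2000/XP entry")


def triage(lines: List[str]) -> List[Finding]:
    """Parse every Oxx/Rxx entry and return only those with at least one reason."""
    flagged = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        path, missing = extract_path(section, body)
        f = Finding(section, body, path, missing)
        assess(f)
        if f.reasons:
            flagged.append(f)
    return flagged


def killbox_paths(findings: List[Finding]) -> List[str]:
    """Deduplicated paths, ready to paste into Killbox's Delete on Reboot list.
    Missing files are kept: a reboot-delete of an absent file is harmless."""
    seen, out = set(), []
    for f in findings:
        if f.path and f.path.lower() not in seen:
            seen.add(f.path.lower())
            out.append(f.path)
    return out


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG_LINES)
    for f in flagged:
        print(f"{f.section}: {f.body}")
        for reason in f.reasons:
            print(f"    - {reason}")
    print("\nKillbox list:\n" + "\n".join(killbox_paths(flagged)))
```

On the sample above the script flags the two Winlogon Notify packages, the SSODL object and the two "Unknown owner" services, and leaves the Symantec service and the PC Tools O4 entry alone. The Symantec entry shows why publisher alone is a weak signal: the heuristics only surface candidates, and the Symantec LiveUpdate scheduler would be wrongly flagged if its vendor string were absent, so each candidate still needs a human look before it goes into the Killbox list.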

Well, I was able to run Killbox and take care of those Hijack entries. I ran the ATF Cleaner, but had to click very quickly since it kept closing soon after I opened it. I still can't get into safe mode - blue screen with inaccessible boot message.
I have noticed, after changing my desktop screen settings, that I have some icons which showed me I have the IOGuyou virus on this, which you probably figured out from my hijack log. Also, I noticed that my spyware program shortcut icons have the same icon - blue and white - as the IOG one instead of their correctly associated icons.
Pam

Temporarily disable any of the following anti-spyware realtime protection programs that you may have, as in some cases they will reinstall the malware we removed. Disable Realtime Protection
Could you post a new Hijack This log please.
Then try to run the following two tools as they are not required to run in safe mode.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/combofix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the combofix.txt log.
Please download Dr Web CureIt to your desktop from this link ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives.
A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, check whether you can click the next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log on your desktop.

The Dr. Web program is going to town finding lots and lots of problems. Wow! A question I have is that when right-clicking when it is done to select move incurable will that move all my incurable files at once? Also, if it says "cured" over to the side does that mean it is definitely cured or is that why I need to do the move incurable step?
I will be posting all my results later today as I have to leave now. I'll also try to boot in safe mode again. If I can, you still want me to try to run sdfix, right?
Pam

Yes on sdfix. Cured usually means it was able to be deleted or will be deleted on reboot; if incurable, they will be quarantined.

Well, I still can't boot in safe mode, but I can use my Microsoft Office programs again.
As I said earlier, there were a lot of cures and a good amount of deletes with this round.
Here is the combofix.txt log:
"Administrator" - Sat 01/20/2007 11:42:48 Service Pack 4
ComboFix 07-01-18 - Running from: "C:\Documents and Settings\Administrator.JAMESANDPAMELA\Desktop"
ERROR !!! /wow section not completed
((((((((((((((((((((((((((((((( Files Created from 2006-12-20 to 2007-01-20 ))))))))))))))))))))))))))))))))))
2007-01-19 21:23 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\Application Data\TEMP
2007-01-19 21:12 <DIR> d-------- C:\SDFix
2007-01-19 07:13 470 --a------ C:\WINNT\system32\tmp.reg
2007-01-19 07:12 79,360 --a------ C:\WINNT\system32\swxcacls.exe
2007-01-19 07:12 53,248 --a------ C:\WINNT\system32\Process.exe
2007-01-19 07:12 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-01-19 07:12 40,960 --a------ C:\WINNT\system32\swsc.exe
2007-01-19 07:12 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-01-19 07:12 135,168 --a------ C:\WINNT\system32\swreg.exe
2007-01-18 05:49 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-01-18 05:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\PC Tools
2007-01-15 13:32 9,804 --a------ C:\WINNT\system32\z1239.exe
2007-01-15 13:32 5,477 --a------ C:\WINNT\system32\drivers\fkoimm.sys
2007-01-15 13:32 41,984 --a------ C:\WINNT\system32\z2925.exe
2007-01-15 13:32 40,960 --a------ C:\WINNT\system32\wmdrtc32.dll
2007-01-15 13:32 20,480 --a------ C:\WINNT\system32\z3938.dll
2007-01-05 03:57 9,804 --a------ C:\WINNT\system32\z1983.exe
2007-01-05 03:57 20,480 --a------ C:\WINNT\system32\z3532.dll
2007-01-02 00:36 9,804 --a------ C:\WINNT\system32\z1611.exe
2007-01-02 00:36 20,480 --a------ C:\WINNT\system32\z3993.dll
2007-01-02 00:21 20,480 --a------ C:\WINNT\system32\z3656.dll
2007-01-01 12:22 20,480 --a------ C:\WINNT\system32\z3186.dll
2006-12-28 15:12 20,480 --a------ C:\WINNT\system32\z3170.dll
2006-12-27 18:48 2,560 --a------ C:\WINNT\system32\z277.exe
2006-12-27 13:17 33,792 --------- C:\WINNT\system32\aspi2761112.exe
2006-12-27 07:51 20,480 --a------ C:\WINNT\system32\z3126.dll
2006-12-27 01:30 41,472 --a------ C:\ieupdate.exe
2006-12-23 09:23 <DIR> d-------- C:\WINNT\trace
2006-12-23 09:23 <DIR> d-------- C:\WINNT\gui
2006-12-23 09:20 20,480 --a------ C:\WINNT\system32\z3873.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-19 17:04 -------- d-a------ C:\Program Files\symantec
2007-01-19 17:04 -------- d-a------ C:\Program Files\Common Files\symantec shared
2007-01-19 17:04 -------- d-------- C:\Program Files\norton systemworks
2007-01-17 19:13 30208 --a------ C:\WINNT\system32\rpcc.dll
2007-01-15 18:06 -------- d-------- C:\Program Files\spyware cleaner
2007-01-15 17:32 -------- d-------- C:\Program Files\norton personal firewall
2007-01-15 15:19 -------- d-------- C:\Program Files\ccleaner
2006-12-27 08:09 -------- d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\mozilla
2006-12-10 08:10 38400 --a------ C:\WINNT\system32\z1262.exe
2006-12-10 08:10 38069 --a------ C:\WINNT\system32\z2241.exe
2006-12-10 08:10 20480 --a------ C:\WINNT\system32\z379.dll
2006-11-23 19:21 9291 --a------ C:\WINNT\system32\z1806.exe
2006-11-23 19:21 9216 --a------ C:\WINNT\system32\dgflib.dll
2006-11-23 19:21 7680 --a------ C:\WINNT\system32\z2838.exe
2006-11-23 19:21 42831 --a------ C:\WINNT\system32\z2940.exe
2006-11-23 19:21 36352 --a------ C:\WINNT\rundll.exe
2006-11-23 19:21 20480 --a------ C:\WINNT\system32\z3713.dll
2006-11-18 11:43 8749 --a------ C:\WINNT\system32\z2764.exe
2006-11-18 11:43 57064 --a------ C:\WINNT\system32\z2603.exe
2006-11-18 11:42 9804 --a------ C:\WINNT\system32\z1259.exe
2006-11-18 11:42 23552 --a------ C:\WINNT\system32\z2791.exe
2006-11-18 11:42 20480 --a------ C:\WINNT\system32\z3189.dll
2006-11-18 11:42 192512 --a------ C:\WINNT\system32\z2369.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"GhgLvI"="{A0055519-0AAF-FFB3-4CB0-00829998AD5E}"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpccd
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints\F]
Shell\AutoRun\command F:\setup.exe
Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\HP Usg Daily FY04.job
Completion time: Sat 2007-01-20 11:44:28
Here is my new hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 6:18:20 PM, on 1/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccomm...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/ap...
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/...
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yah...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/...
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINNT\system32\rpccd.dll (file missing)
O21 - SSODL: GhgLvI - {A0055519-0AAF-FFB3-4CB0-00829998AD5E} - C:\WINNT\system32\vphvr.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\system32\aspi2761112.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - Unknown owner - D:\Program Files\ewido\security suite\ewidoctrl.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Administrator.JAMESANDPAMELA\Local Settings\Temp\ieupdate.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - D:\Program Files\Spyware Doctor\sdhelp.exe (file missing)

Thanks!
Pam

Please follow the next set of instructions very carefully; this is very important.
Navigate to the following folder using Windows Explorer:
C:\sUBs
In this folder you can find Combofix.exe. Select this file and press CTRL+X from your keyboard.
Now close all open windows and click any where in the Desktop's empty section.
From your keyboard press CTRL+V to move Combofix.exe to Desktop.
So now you have Combofix.exe on your Desktop. Now delete C:\sUBs folder.
Double click on the file combofix.exe saved on your desktop and follow the prompts and post the content of the log it produces with your next reply.
Do not mouse click combofix's window whilst it's running. That may cause it to stall. So with your next post please provide combofix.txt.

I looked for the sUBs folder on my C drive, but I can't find it. I do have combofix.exe on my desktop (not a shortcut to it). Do you want me to run it again and post the contents of combofix.txt?
Pam

Go to start > control panel > administrative tools > services > scroll down to "Microsoft ASPI Manager" and double click it > click stop (if it is running) > on the far right of startup type click the drop down arrow > click disable > click apply > ok.
Then do the same for this one:
ieupdater
Next boot into safe mode again.
Run Hijack This and remove these items:
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINNT\system32\rpccd.dll (file missing)
O21 - SSODL: GhgLvI - {A0055519-0AAF-FFB3-4CB0-00829998AD5E} - C:\WINNT\system32\vphvr.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\system32\aspi2761112.exe (file missing)
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Administrator.JAMESANDPAMELA\Local Settings\Temp\ieupdate.exe (file missing)
Exit Hijack This but remain in safe mode.
Navigate to and delete these files if found:
C:\WINNT\system32\rpcc.dll
C:\WINNT\system32\vphvr.dll
C:\WINNT\system32\aspi2761112.exe
z1239.exe
C:\WINNT\system32\z2925.exe
C:\WINNT\system32\z3938.dll
C:\WINNT\system32\z1983.exe
C:\WINNT\system32\z3532.dll
C:\WINNT\system32\z1611.exe
C:\WINNT\system32\z3993.dll
C:\WINNT\system32\z3656.dll
C:\WINNT\system32\z3186.dll
C:\WINNT\system32\z3170.dll
C:\WINNT\system32\z277.exe
C:\WINNT\system32\z3126.dll
C:\ieupdate.exe
C:\WINNT\system32\z1262.exe
C:\WINNT\system32\z2241.exe
C:\WINNT\system32\z379.dll
C:\WINNT\system32\z1806.exe
C:\WINNT\system32\dgflib.dll
C:\WINNT\system32\z2838.exe
C:\WINNT\system32\z2940.exe
C:\WINNT\system32\z3713.dll
C:\WINNT\system32\z2764.exe
C:\WINNT\system32\z2603.exe
C:\WINNT\system32\z1259.exe
C:\WINNT\system32\z2791.exe
C:\WINNT\system32\z3189.dll
C:\WINNT\system32\z2369.exe
C:\WINNT\system32\wmdrtc32.dll
Reboot the computer and try safe mode again, run sdfix if you can, post a new Hijack This log and a new Combofix log please.
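The delete list above was picked by hand out of the ComboFix "Files Created" listing, using two cues: names like z1262.exe that are obviously machine-generated, and creation timestamps shared to the minute (dgflib.dll and C:\WINNT\rundll.exe were written in the same minute as four z-files). The script below is that triage written out. It is an added example, not code from this thread or from ComboFix; the sample listing is copied from the log posted above, and the name pattern and the batch threshold are assumptions to adjust for other infections.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix listing posted in the thread.
SAMPLE_LISTING = """\
2007-01-19 07:12 79,360 --a------ C:\\WINNT\\system32\\swxcacls.exe
2007-01-15 13:32 13,312 --a------ C:\\WINNT\\system32\\z2925.exe
2006-12-10 08:10 38400 --a------ C:\\WINNT\\system32\\z1262.exe
2006-12-10 08:10 38069 --a------ C:\\WINNT\\system32\\z2241.exe
2006-12-10 08:10 20480 --a------ C:\\WINNT\\system32\\z379.dll
2006-11-23 19:21 9291 --a------ C:\\WINNT\\system32\\z1806.exe
2006-11-23 19:21 9216 --a------ C:\\WINNT\\system32\\dgflib.dll
2006-11-23 19:21 7680 --a------ C:\\WINNT\\system32\\z2838.exe
2006-11-23 19:21 42831 --a------ C:\\WINNT\\system32\\z2940.exe
2006-11-23 19:21 36352 --a------ C:\\WINNT\\rundll.exe
2006-11-23 19:21 20480 --a------ C:\\WINNT\\system32\\z3713.dll
2006-11-18 11:43 8749 --a------ C:\\WINNT\\system32\\z2764.exe
2006-11-18 11:43 57064 --a------ C:\\WINNT\\system32\\z2603.exe
2007-01-20 17:58 <DIR> d-------- C:\\Program Files\\Hijackthis
"""

# One ComboFix listing line: date/time to the minute, size or <DIR>, attributes, path.
LINE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +(?P<size>[\d,]+|<DIR>) +(?P<attrs>\S+) +(?P<path>.+)$"
)
# Assumed pattern for this family's dropped names (z + 3-4 digits); adjust per case.
RANDOM_NAME = re.compile(r"^z\d{3,4}\.(exe|dll)$", re.IGNORECASE)


def parse_listing(text):
    """Yield (timestamp, path) for every file line, skipping directories."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m["size"] != "<DIR>":
            yield m["stamp"], m["path"]


def flag_drops(text, min_batch=2):
    """Return {path: reason} for files worth examining.

    A file is flagged when its name looks machine-generated, or when it was
    written in the same minute as at least `min_batch` such files: a dropper
    writes its payload and helper DLLs together, so the timestamp ties them.
    """
    by_minute = defaultdict(list)
    for stamp, path in parse_listing(text):
        by_minute[stamp].append(path)
    flagged = {}
    for stamp, paths in by_minute.items():
        random_named = [p for p in paths if RANDOM_NAME.match(p.rsplit("\\", 1)[-1])]
        for p in random_named:
            flagged[p] = "machine-generated name"
        if len(random_named) >= min_batch:
            for p in paths:  # companions dropped in the same minute
                flagged.setdefault(
                    p, f"written at {stamp} alongside {len(random_named)} machine-generated files"
                )
    return flagged


if __name__ == "__main__":
    for path, reason in sorted(flag_drops(SAMPLE_LISTING).items()):
        print(f"{path:<45} {reason}")
```

Files flagged only by timestamp deserve a look before deletion: a legitimate installer also writes several files in one minute (the SDFix tools at 2007-01-19 07:12 are an example), so the batch rule is a lead, not a verdict.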

Still blue screen with "inaccessible boot device" error upon attempting to get into safe mode.
Is there a way I can boot to get into the C prompt and then perform the deletes you have listed?
I am re-running the Dr. Web antivirus now.
Pam

I am able to get through Dr. Web with no viruses found and still can't get into Safe Mode. I ran Dr. Web and rebooted several times. As I did, the number of files infected went down until it reached 0. Also, I ran the killbox with those files.
Here is my combofix log:
"Administrator" - Sun 01/21/2007 13:39:27 Service Pack 4
ComboFix 07-01-18 - Running from: "C:\Documents and Settings\Administrator.JAMESANDPAMELA\Desktop"
ERROR !!! /wow section not completed
((((((((((((((((((((((((((((((( Files Created from 2006-12-21 to 2007-01-21 ))))))))))))))))))))))))))))))))))
2007-01-21 13:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\McAfee
2007-01-20 17:58 <DIR> d-------- C:\Program Files\Hijackthis
2007-01-20 11:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JAM\DoctorWeb
2007-01-19 21:23 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\Application Data\TEMP
2007-01-19 21:12 <DIR> d-------- C:\SDFix
2007-01-19 07:13 470 --a------ C:\WINNT\system32\tmp.reg
2007-01-19 07:12 79,360 --a------ C:\WINNT\system32\swxcacls.exe
2007-01-19 07:12 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-01-19 07:12 40,960 --a------ C:\WINNT\system32\swsc.exe
2007-01-19 07:12 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-01-19 07:12 135,168 --a------ C:\WINNT\system32\swreg.exe
2007-01-18 05:49 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-01-18 05:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\PC Tools
2007-01-15 13:32 13,312 --a------ C:\WINNT\system32\z2925.exe
2006-12-23 09:23 <DIR> d-------- C:\WINNT\trace
2006-12-23 09:23 <DIR> d-------- C:\WINNT\gui
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-21 13:32 -------- d-------- C:\Program Files\lavasoft
2007-01-21 13:32 -------- d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\lavasoft
2007-01-21 13:25 -------- d-a------ C:\Program Files\Common Files\symantec shared
2007-01-20 12:55 -------- d-------- C:\Program Files\symnetdrv
2007-01-19 17:04 -------- d-a------ C:\Program Files\symantec
2007-01-19 17:04 -------- d-------- C:\Program Files\norton systemworks
2007-01-17 19:13 30208 --a------ C:\WINNT\system32\rpcc.dll
2007-01-15 18:06 -------- d-------- C:\Program Files\spyware cleaner
2007-01-15 15:19 -------- d-------- C:\Program Files\ccleaner
2006-12-27 08:09 -------- d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\mozilla
2006-11-23 19:21 9291 --a------ C:\WINNT\system32\z1806.exe
2006-11-23 19:21 42831 --a------ C:\WINNT\system32\z2940.exe
2006-11-18 11:42 23552 --a------ C:\WINNT\system32\z2791.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"GhgLvI"="{A0055519-0AAF-FFB3-4CB0-00829998AD5E}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpccd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\HP Usg Daily FY04.job

Completion time: Sun 2007-01-21 13:41:05
C:\ComboFix2.txt ... 07-01-21 13:06
C:\ComboFix3.txt ... 07-01-20 11:44

Here is my hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 1:42:13 PM, on 1/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccomm...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/ap...
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/...
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yah...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/...
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINNT\system32\rpccd.dll (file missing)
O21 - SSODL: GhgLvI - {A0055519-0AAF-FFB3-4CB0-00829998AD5E} - C:\WINNT\system32\vphvr.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - D:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
I tried to remove Spyware Doctor, but there is a problem deleting the rest of it through Add/Remove programs. I have purchased McAfee Internet Security Suite 2007. Does it seem like it would be fine to install it now and see if it helps? I could disable the settings when running these other programs.
Also, can Dr. Web be run on XP machines, too?
Pam

I need to edit my previous reply to state that Dr. Web has found no viruses now on my C partition. I am running it now on my D and E partitions and will continue again to reboot and rerun until these are hopefully gone, too.
Pam

Yes, Dr. Web will run on XP. Run Hijack This and remove these items:
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINNT\system32\rpccd.dll (file missing)
O21 - SSODL: GhgLvI - {A0055519-0AAF-FFB3-4CB0-00829998AD5E} - C:\WINNT\system32\vphvr.dll (file missing)
Run Killbox again and delete these files:
C:\WINNT\system32\z2925.exe
C:\WINNT\system32\rpcc.dll
C:\WINNT\system32\rpccd.dll
C:\WINNT\system32\vphvr.dll
C:\WINNT\system32\z1806.exe
C:\WINNT\system32\z2940.exe
C:\WINNT\system32\z2791.exe
Open notepad (Start Menu > Run > type notepad and press "OK").
Copy and paste everything into notepad between the x's, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpccd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"GhgLvI"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry; choose Yes.
And please post a new HJT and Combofix log.
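The Fix.reg above removes the two Winlogon Notify subkeys and the SSODL value by hand, after the same entries were picked out of the HijackThis log by eye. The script below is an added example, not code from this thread or from HijackThis: it reads the O20/O21/O23 lines of a HijackThis 1.99 log (the sample lines are copied from the log posted earlier in the thread), flags the entries the helper singled out (file missing, service with no known owner, binary under a Temp folder, or a load point absent from an assumed Windows 2000/XP baseline) and writes the matching REGEDIT4 deletions. The baseline sets are assumptions to check against a clean machine of the same build; `[-Key]` and `"Value"=-` are regedit's documented delete forms.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O20 - Winlogon Notify: rpcc - C:\\WINNT\\system32\\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\\WINNT\\system32\\rpccd.dll (file missing)
O21 - SSODL: GhgLvI - {A0055519-0AAF-FFB3-4CB0-00829998AD5E} - C:\\WINNT\\system32\\vphvr.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\\WINNT\\system32\\aspi2761112.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.exe
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\\Documents and Settings\\Administrator.JAMESANDPAMELA\\Local Settings\\Temp\\ieupdate.exe (file missing)
"""

# Assumed baselines of the Winlogon Notify subkeys and SSODL values that ship
# with Windows 2000/XP; anything else under these keys deserves a look.
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
SSODL_BASELINE = {"webcheck", "postbootreminder", "cdburn", "systray", "upnpmonitor"}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

MISSING = r"(?P<missing> \(file missing\))?$"
PATTERNS = {
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)" + MISSING),
    "O21": re.compile(r"^O21 - SSODL: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)" + MISSING),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)" + MISSING),
}


def parse_hjt(text):
    """Yield (section, fields) for every O20/O21/O23 line in a HijackThis log."""
    for line in text.splitlines():
        for section, pat in PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                yield section, m.groupdict()
                break


def suspicious_reasons(section, f):
    """Return the reasons an entry is worth removing (empty list = leave it)."""
    reasons = []
    if f.get("missing"):
        reasons.append("file missing")  # the load point outlived its DLL/EXE
    if section == "O20" and f["name"].lower() not in NOTIFY_BASELINE:
        reasons.append("Winlogon Notify entry not in baseline")
    if section == "O21" and f["name"].lower() not in SSODL_BASELINE:
        reasons.append("SSODL entry not in baseline")
    if section == "O23":
        if f["owner"].lower() == "unknown owner":
            reasons.append("service binary has no known vendor")
        if "\\temp\\" in f["path"].lower():
            reasons.append("service binary under a Temp folder")
    return reasons


def triage(text):
    """Map 'section:name' -> list of reasons for every flagged entry."""
    flagged = {}
    for section, f in parse_hjt(text):
        reasons = suspicious_reasons(section, f)
        if reasons:
            flagged[f"{section}:{f['name']}"] = reasons
    return flagged


def build_fix_reg(text):
    """Emit REGEDIT4 text deleting flagged O20 subkeys and O21 values.

    [-Key] deletes a whole key; "Value"=- deletes one value. Services (O23)
    are deliberately not written here: stop and disable them first.
    """
    notify, ssodl = [], []
    for section, f in parse_hjt(text):
        if not suspicious_reasons(section, f):
            continue
        if section == "O20":
            notify.append(f["name"])
        elif section == "O21":
            ssodl.append(f["name"])
    out = ["REGEDIT4", ""]
    for name in notify:
        out += [f"[-{NOTIFY_KEY}\\{name}]", ""]
    if ssodl:
        out.append(f"[{SSODL_KEY}]")
        out += [f'"{name}"=-' for name in ssodl]
        out.append("")
    return "\r\n".join(out)  # regedit wants CRLF and a trailing blank line


if __name__ == "__main__":
    for key, why in triage(SAMPLE_LOG).items():
        print(f"{key:<45} {'; '.join(why)}")
    print(build_fix_reg(SAMPLE_LOG))
```

Merge the generated file the same way as the Fix.reg in the instructions above, and check the O23 report by hand: an "Unknown owner" service whose binary is gone is a leftover registration, but one whose binary still exists needs to be stopped and disabled before its key is touched, which is why the script only reports services and never writes them into the .reg.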

I ran killbox and then the fix.reg prior to rebooting. Is that alright or did I need to reboot after killbox and then do the fix.reg?
I noticed there are PCPitStop and Spyware Doctor entries on the HJT log. Is it OK to remove these since I am not using these and the 2 programs will not fully uninstall?
Here are my new HJT and Combofix.logs ...
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 3:03:43 PM, on 1/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccomm...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/ap...
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/...
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yah...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/...
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - D:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
Combofix:
"Administrator" - Sun 01/21/2007 15:01:18 Service Pack 4
ComboFix 07-01-18 - Running from: "C:\Documents and Settings\Administrator.JAMESANDPAMELA\Desktop"
ERROR !!! /wow section not completed
((((((((((((((((((((((((((((((( Files Created from 2006-12-21 to 2007-01-21 ))))))))))))))))))))))))))))))))))
2007-01-21 14:09 40,960 --a------ C:\WINNT\system32\wmdrtc32.dll
2007-01-21 13:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\McAfee
2007-01-20 17:58 <DIR> d-------- C:\Program Files\Hijackthis
2007-01-20 11:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JAM\DoctorWeb
2007-01-19 21:23 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\Application Data\TEMP
2007-01-19 21:12 <DIR> d-------- C:\SDFix
2007-01-19 07:13 470 --a------ C:\WINNT\system32\tmp.reg
2007-01-19 07:12 79,360 --a------ C:\WINNT\system32\swxcacls.exe
2007-01-19 07:12 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-01-19 07:12 40,960 --a------ C:\WINNT\system32\swsc.exe
2007-01-19 07:12 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-01-19 07:12 135,168 --a------ C:\WINNT\system32\swreg.exe
2007-01-18 05:49 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-01-18 05:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\PC Tools
2006-12-23 09:23 <DIR> d-------- C:\WINNT\trace
2006-12-23 09:23 <DIR> d-------- C:\WINNT\gui
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-21 13:32 -------- d-------- C:\Program Files\lavasoft
2007-01-21 13:32 -------- d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\lavasoft
2007-01-21 13:25 -------- d-a------ C:\Program Files\Common Files\symantec shared
2007-01-20 12:55 -------- d-------- C:\Program Files\symnetdrv
2007-01-19 17:04 -------- d-a------ C:\Program Files\symantec
2007-01-19 17:04 -------- d-------- C:\Program Files\norton systemworks
2007-01-15 18:06 -------- d-------- C:\Program Files\spyware cleaner
2007-01-15 15:19 -------- d-------- C:\Program Files\ccleaner
2006-12-27 08:09 -------- d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\mozilla
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\HP Usg Daily FY04.job

Completion time: Sun 2007-01-21 15:03:09
C:\ComboFix2.txt ... 07-01-21 13:41
C:\ComboFix3.txt ... 07-01-21 13:06

Pam

Remove this item with Hijack This
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll (file missing)
Use Killbox and delete these files:
C:\WINNT\system32\wmdrtc32.dll
C:\WINNT\system32\rpcc.dll
Open notepad (Start Menu > Run > type notepad and press "OK").
Copy and paste everything into notepad between the x's, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry; choose Yes.
Post new Hijack This and Combofix logs please.
Reboot, try safe mode again and run sdfix if possible.

Still can't get into safe mode. I have completed rerunning Dr. Web on my D and E drives which went through more virus messages. Here are my new HJT and combofix logs.
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 5:00:52 PM, on 1/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccomm...
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/ap...
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/...
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yah...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/...
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - D:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
Combofix:"Administrator" - Sun 01/21/2007 17:01:58 Service Pack 4
ComboFix 07-01-18 - Running from: "C:\Documents and Settings\Administrator.JAMESANDPAMELA\Desktop"
ERROR !!! /wow section not completed
((((((((((((((((((((((((((((((( Files Created from 2006-12-21 to 2007-01-21 ))))))))))))))))))))))))))))))))))
2007-01-21 13:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\McAfee
2007-01-20 17:58 <DIR> d-------- C:\Program Files\Hijackthis
2007-01-20 11:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JAM\DoctorWeb
2007-01-19 21:23 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\Application Data\TEMP
2007-01-19 21:12 <DIR> d-------- C:\SDFix
2007-01-19 07:13 470 --a------ C:\WINNT\system32\tmp.reg
2007-01-19 07:12 79,360 --a------ C:\WINNT\system32\swxcacls.exe
2007-01-19 07:12 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-01-19 07:12 40,960 --a------ C:\WINNT\system32\swsc.exe
2007-01-19 07:12 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-01-19 07:12 135,168 --a------ C:\WINNT\system32\swreg.exe
2007-01-18 05:49 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-01-18 05:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\PC Tools
2006-12-23 09:23 <DIR> d-------- C:\WINNT\trace
2006-12-23 09:23 <DIR> d-------- C:\WINNT\gui
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-21 13:32 -------- d-------- C:\Program Files\lavasoft
2007-01-21 13:32 -------- d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\lavasoft
2007-01-21 13:25 -------- d-a------ C:\Program Files\Common Files\symantec shared
2007-01-20 12:55 -------- d-------- C:\Program Files\symnetdrv
2007-01-19 17:04 -------- d-a------ C:\Program Files\symantec
2007-01-19 17:04 -------- d-------- C:\Program Files\norton systemworks
2007-01-15 18:06 -------- d-------- C:\Program Files\spyware cleaner
2007-01-15 15:19 -------- d-------- C:\Program Files\ccleaner
2006-12-27 08:09 -------- d-------- C:\DOCUME~1\ADMINI~1.JAM\Application Data\mozilla
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\HP Usg Daily FY04.job
Completion time: Sun 2007-01-21 17:03:45
C:\ComboFix2.txt ... 07-01-21 15:03
C:\ComboFix3.txt ... 07-01-21 13:41
Pam
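For readers who want to triage a log like the one above mechanically, here is a small added example (not part of this thread or of HijackThis/ComboFix) that parses HijackThis-style `Rn`/`On` lines and registry `dword` lines from a constructed sample and flags the three things a reviewer usually checks first: services whose binary is missing, O16 ActiveX downloads, and a Task Manager policy lock.

```python
import re

# Constructed sample lines in HijackThis / ComboFix style, modelled on the log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/...
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - D:\\Program Files\\Spyware Doctor\\sdhelp.exe (file missing)
"DisableTaskMgr"=dword:00000001
"SpecifyDefaultButtons"=dword:00000000
"""

# "O23 - Service: ..." style lines: section code, then the rest of the line.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Registry value lines as ComboFix prints them: "Name"=dword:HHHHHHHH
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')


def parse_log(text):
    """Return (section, body) tuples; dword lines get section 'REG' with value decoded."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
            continue
        m = REG_DWORD.match(line)
        if m:
            entries.append(("REG", f'{m.group("name")}={int(m.group("value"), 16)}'))
    return entries


def review_entries(entries):
    """Return (finding, body) pairs for entries worth a closer look; not a verdict."""
    findings = []
    for section, body in entries:
        if section == "O23" and "(file missing)" in body:
            findings.append(("orphaned-service", body))   # leftover uninstall, or a removed file
        elif section == "O16":
            findings.append(("activex-download", body))   # downloaded code; check the host
        elif section == "REG" and body == "DisableTaskMgr=1":
            findings.append(("taskmgr-disabled", body))   # policy that hides running processes
    return findings


if __name__ == "__main__":
    for kind, body in review_entries(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {body}")
```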

The log looks clean. There is a way to get into safe mode through msconfig, but it will probably put you in a boot loop and you will not be able to access Windows, so I would not try that.
Try getting Spyware Doctor and PC Pitstop uninstalled, and if "Nero" is installed, uninstall it, as it would most likely be the problem if it is installed.

I do not have Nero installed. I will try my best to get those other programs fully uninstalled. In any event, my computer is working much better now thanks to all your help. I am going to install McAfee Internet Security Suite on it and then hook back up to the Net!
Thanks again for all the time you spent helping me get through this!!! There were definitely a lot of problems on my machine and I really appreciate your expertise and patience.
Pam

When trying to uninstall PCPitStop from Add/Remove Programs or Win Explorer, I get an error message that the uninstall is corrupt possibly due to a virus. Should I just delete the PCPitStop folder with the related exes and dlls or better to leave it be?
Pam
