Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Please Can Only Boot In Safe Mode


  • Please log in to reply
4 replies to this topic

#1 dloveaz

dloveaz

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 19 May 2008 - 08:01 PM

I am working on my sister's computer and her kids got a virus on it or bad malware. I can only boot in safe mode. She has Vista. I am not turning up much on any kind of scan with panda active scan or spybot or kaspersky online. I would like to post my HJT log and get started that way. I can not install and uninstall certain things in Safe mode, like Norton. Don't know where to go. Please help. I Have also tried Combo fix and Vundo Fix and it has found or fixed nothing, also cleaned temp and used ccleaner. When I boot up normal, all I see is dollar signs $$ across the screen. Thank you. I believe the only thing Panda Active Scan found was cookies, and the exe for the combo fix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:37 PM, on 5/19/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7639 bytes




I Have also tried Combo fix and Vundo Fix and it has found or fixed nothing. When I boot up normal, all I see is dollar signs $$ across the screen. Thank you.

BC AdBot (Login to Remove)

 


#2 dloveaz

dloveaz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 19 May 2008 - 08:10 PM

Here is ActiveScan 2.0 report from last night, I think the last thing it found NirCmdC.cfexe is part of Combofix i downloaded so i think its a false positve, I just cant find where or what virus i have:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-18 20:21:51
PROTECTIONS: 1
MALWARE: 29
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Norton Internet Security 2007 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00101555 Application/KillApp.B HackTools No 0 Yes No C:\hp\bin\KillIt.exe
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@atdmt[3].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@mediaplex[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@xiti[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@statcounter[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@bs.serving-sys[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@server.iad.liveperson[1].txt
00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@fl01.ct2.comclick[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@media.adrevolver[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@ads.pointroll[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@questionmarket[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@zedo[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@zedo[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@bluestreak[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Users\Laurie\AppData\Roaming\Microsoft\Windows\Cookies\laurie@bluestreak[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@adrevolver[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Users\Brett\AppData\Roaming\Microsoft\Windows\Cookies\Low\brett@atwola[2].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\$Recycle.Bin\S-1-5-21-1630248594-483719516-4063969034-1000\$RDYJAQ7.exe[327882R2FWJFW\NirCmdC.cfexe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location �45��
3
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description �45��
3
;===================================================================================================================================================================================
;===================================================================================================================================================================================

#3 dloveaz

dloveaz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 19 May 2008 - 08:13 PM

Also, I can not seem to turn off system restore in vista in safe mode, which is all i can get to. I get to a system properties screen with computer name, remote, etc.

#4 dloveaz

dloveaz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 19 May 2008 - 08:46 PM

also, this seems to have happened after my nephew was playing Runescape. the computer shut down on him, screen said going to sleep and next bootup has all the $$ signs after the HP boot logo screen

#5 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:10:26 AM

Posted 14 June 2008 - 03:58 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
As you can probably see our HijackThis Team is incredibly busy at the moment, but I apologise for the delay you have experienced. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A HijackThis Log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users