Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hi, need help really bad. any help is very appreciated


  • This topic is locked This topic is locked
39 replies to this topic

#1 delluser

delluser

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:15 PM

Posted 13 December 2008 - 01:08 AM

I really need help, last week my computer started getting slow and now it freezes a soon as it starts up. I try going in safe mode but after awhile gives a message that the computer will shut down in 1 min. After about 20 tries to start up my laptop on safe mode with networking i have finally been able to do it so i came to this forum for help. im afraid if i shut down or restart it will take forever to get it to work in safe mode. here is the hijack this log. Any help is appreciated. Thank everyone for your time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:23 AM, on 12/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\JESUSA~1\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [9c9767c4] rundll32.exe "C:\WINDOWS\system32\fkybgpas.dll",b
O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlogun.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Jesus Alvarado\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\JESUSA~1\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sandie Alvarado\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: dpvzdi.dll ngapgr.dll
O22 - SharedTaskScheduler: lke3iemrl490kgfgdsfd - {C5AF42A3-94F3-42BD-F434-3604832C897D} - C:\WINDOWS\system32\hsd63geff.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8326 bytes

BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:15 AM

Posted 13 December 2008 - 05:46 AM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while its running. That may cause it to stall




NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


Post these logs in your next reply..

1. ComboFix
2. A fresh HijackThis log
3. Attach GMER report


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:15 AM

Posted 13 December 2008 - 05:48 AM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while its running. That may cause it to stall




NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


Post these logs in your next reply..

1. ComboFix
2. A fresh HijackThis log
3. Attach GMER report


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#4 delluser

delluser
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:15 PM

Posted 13 December 2008 - 11:03 AM

Thank you very much for your help. I downloaded both combofix and gmer however i cant get either of them to work, combo fix wont start up at all after i click to open it and gmer gives me this error message when extracting the files: ! C:\Documents and Settings\Administrator\Desktop\gmer.zip: The archive is either in unknown format or damaged. I tried deleting and reinstalling both programs but i get the same results, is there something i'm doing wrong? Thanks again Fenzodahl512

#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:15 AM

Posted 13 December 2008 - 02:27 PM

Delete both ComboFix and GMER and download a fresh copy of each...

Rename ComboFix into ComboFox

Rename GMER into GAMER

Then try run them both (one at a time) and post the logs here :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#6 delluser

delluser
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:15 PM

Posted 13 December 2008 - 04:54 PM

ok, i deleted them both and downloaded a fresh copy of them both. i then renamed them like you said and started up combofix and it installed a recovery console. after that i got a message saying combofix had found a "rootfix" or something like that and it restarted my laptop. Now i cant start up xp on regular mode or safe mode, as soon as i try to start up again it just stays on a dark screen.im typing this from a different computer. is there any way i can get back on xp to finish cleaning my laptop? thanks for your help :thumbsup:

#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:15 AM

Posted 13 December 2008 - 11:12 PM

Can you boot into "Last Known Good Configuration"? mode?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 delluser

delluser
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:15 PM

Posted 14 December 2008 - 01:25 AM

no, i tried all the modes and it stops loading on a black screen with the "safe mode" words bordering the top and bottom of the screen. oh and it was "rootkit" not rootfix that combofix found and made it restart.

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:15 AM

Posted 14 December 2008 - 12:20 PM

It means that you manage to get into Safe Mode right?..

Can you go to My Computer >> find the C:\qoobox folder?

And before you get to the "Safe Mode" screen, do you get the option to enter to Recovery Console option?

Do you have Windows CD with you? :thumbsup:

Edited by fenzodahl512, 14 December 2008 - 12:22 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#10 delluser

delluser
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:15 PM

Posted 14 December 2008 - 11:10 PM

Yeah it gets into safe mode but it wont load up any icons or anything, just a black screen with the safe mode borders on it. It doesnt even get to where it asks which user settings i want to use, or to where it asks you to click ok if you want to work in safe mode. yea, it does ask me if i want to start window xp home or recovery console but when i chose recovery console all i get is a black screen no borders with this symbole flashing on the upper left hand corner _ i have the cd in storage with all the paper work that came with the laptop, i'll try and look for it in the mean time. once again thanks alot for your help im really appreciative :thumbsup:

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:15 AM

Posted 15 December 2008 - 03:27 AM

Please Re-Boot into the Recovery Console by following these steps:

1. Insert the Windows CD and restart your computer. Follow your computer's prompts to boot from the CD. (You might need to adjust settings in the computer's BIOS to enable the option to boot from a CD.)
2. Follow the setup prompts to load the basic Windows startup files. At the Welcome To Setup screen press R to start the Recovery Console.
3. Enter the number (most likely 1) of the Windows installation you want to access from the Recovery Console.
4. When prompted, type the Administrator password. If you're using the Recovery Console on a system running Windows XP Home Edition, this password is blank by default, so just press Enter.

At the command prompt, type the following command and press Enter:

cd erdnt\hiv-backup

At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

The erunt backups will begin copying.

Type exit when finished, and then press ENTER to quit Recovery Console. Remove the CD and let the computer start.

Let me know how it goes.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#12 delluser

delluser
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:15 PM

Posted 18 December 2008 - 03:21 AM

ok, i got the cd and followed instructions. I typed in both commands and it started saving files. I then exited, removed the cd, and let the computer start up on its own but i still got the same problems, black screen with only the cursor and in safemode just a blank screen with the "safemode' borders.

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:15 AM

Posted 18 December 2008 - 07:33 AM

Hello, some quick questions..

1. Is this a laptop or desktop?

2. Do you have Windows CD in your hand? (you can borrow any Windows CD -similar to your computer OS- if you don't have one)

3. Upon rebooting, whan you get into the "incomplete Safe Mode", do you get an option to run "System Restore"?

4. Please go to below website and do the "System Restore" via "Safe mode with a Command prompt"..

http://support.microsoft.com/kb/304449

Please read on the How to start System Restore by using the Command prompt section..


Then tell me more about it..

Edited by fenzodahl512, 18 December 2008 - 07:37 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:15 AM

Posted 18 December 2008 - 12:24 PM

In addition of information above, please do below..

Press Ctrl + Alt + Del button at the same time.. Can you see Task Manager open?.. If yes, go to File >> New Task (Run..) >> Copy/paste below >> press Enter.. Then, tell me what you see..

explorer.exe

Edited by fenzodahl512, 18 December 2008 - 12:24 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 delluser

delluser
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:15 PM

Posted 22 December 2008 - 01:13 AM

its a laptop and yes i have the windows cd in hand. I don't get an option to run system restore when i enter the "incomplete" safe mode. I tried to start the system restore by using the command prompt in safe mode but it wont load up to the command promt screen. I also dont get "task manager" open when i do ctrl+alt+delete. I cant do anything but move the mouse cursor around.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users