Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

XP keeps restarting


  • This topic is locked This topic is locked
17 replies to this topic

#1 chrism

chrism

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 14 September 2005 - 04:10 PM

Hi all,

My XP system keeps restarting when I try to get in to normal windows. Only safe mode works, but I get popups in IE. Can anyone help?

Thanks in advance,
-Chris

Here is my hijackthis log (from safe mode with networking):

Logfile of HijackThis v1.99.1
Scan saved at 4:59:15 PM, on 9/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\nbqkafa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshocmy.dll
O2 - BHO: (no name) - {796B48D2-E949-2ECB-0BAB-18B2CBB38E7C} - C:\WINDOWS\system32\khvrgjar\putcwuvw.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsd80.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Tomcat_5_5\bin\tomcat5w.exe" //MS//Tomcat5
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [yovst] C:\WINDOWS\system32\rfsch\yovst.exe
O4 - HKLM\..\Run: [qtdm] C:\WINDOWS\system32\fucinf\qtdm.exe
O4 - HKLM\..\Run: [lvcmll] C:\WINDOWS\system32\pirk\lvcmll.exe
O4 - HKLM\..\Run: [cmiwyvvd] C:\WINDOWS\system32\ebwp\cmiwyvvd.exe
O4 - HKLM\..\Run: [DibbA4] "C:\WINDOWS\system32\sav2.exe" /PC=CP.SAV2 /PC=CP.SAV2 /PC=CP.SAV2
O4 - HKLM\..\Run: [ckdpha] C:\WINDOWS\system32\ctavlarr\ckdpha.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [prkjqka] C:\WINDOWS\system32\nbqkafa.exe r
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://E:\components\Liquid.ocx
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122472500765
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/603828.exe
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: qtdmfucinf - Unknown owner - C:\WINDOWS\system32\fucinf\qtdm.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat_5_5\bin\tomcat5.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:04 AM

Posted 18 September 2005 - 10:21 PM

Heillo chrism,

You have a nail.exe infection on your computer. It is like a malware magnet and you now have quite a collection of nasty stuff. :thumbsup:

*******************************************


On the Windows XP taskbar:
Click Start > Control Panel.
In the Control Panel window, double-click Add or Remove Programs.
Click Surf Sidekick
Click Add/Remove, Change/Remove, or Remove (this varies with the operating system).

*******************************************

We have to stop some services.

Click Start > Run and type in Services.msc
Click OK
In the Sevices box, click the Extended tab.

Scroll down to:
System Startup Service
Click Stop, then Disable

Reboot your computer.

*******************************************


Open HijackThis. Click on 'Open the miscellaneous tools section'
Click on 'Delete an NT Service'
Paste in this;
SvcProc
and click 'OK'

Reboot your computer.

*******************************************


Click Start > Run and type in Services.msc
Click OK
In the Sevices box, click the Extended tab.

Scroll down to:
qtdmfucinf
Click Stop, then Disable

Reboot your computer.


*******************************************

Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here: http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

If you have trouble with the nailfix download, let me know. We have mirror sites that we can download from.

Download CCleaner and install it. (default location is best). do NOT run it yet.

*******************************************

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml

*******************************************

Once in Safe Mode, please double-click on Nailfix.cmd.

Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

*******************************************

Then please run Ewido, and run a full scan.
Let it remove everything it finds.

Save the logfile from the scan, as I need to see it.

*******************************************

Go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each.

C:\WINDOWS\system32\nbqkafa.exe

*******************************************

Next run HijackThis, click Scan, and check:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshocmy.dll
O2 - BHO: (no name) - {796B48D2-E949-2ECB-0BAB-18B2CBB38E7C} - C:\WINDOWS\system32\khvrgjar\putcwuvw.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsd80.dll
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [yovst] C:\WINDOWS\system32\rfsch\yovst.exe
O4 - HKLM\..\Run: [qtdm] C:\WINDOWS\system32\fucinf\qtdm.exe
O4 - HKLM\..\Run: [lvcmll] C:\WINDOWS\system32\pirk\lvcmll.exe
O4 - HKLM\..\Run: [cmiwyvvd] C:\WINDOWS\system32\ebwp\cmiwyvvd.exe
O4 - HKLM\..\Run: [DibbA4] "C:\WINDOWS\system32\sav2.exe" /PC=CP.SAV2 /PC=CP.SAV2 /PC=CP.SAV2
O4 - HKLM\..\Run: [ckdpha] C:\WINDOWS\system32\ctavlarr\ckdpha.exe
O4 - HKLM\..\Run: [prkjqka] C:\WINDOWS\system32\nbqkafa.exe r
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/603828.exe
O20 - AppInit_DLLs: repairs.dll
O23 - Service: qtdmfucinf - Unknown owner - C:\WINDOWS\system32\fucinf\qtdm.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



Close all open windows except for HijackThis and click Fix Checked.

*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\pkshocmy.dll <==file
C:\WINDOWS\system32\khvrgjar\ <==folder
C:\WINDOWS\system32\nsd80.dll <==file
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe <==file
C:\WINDOWS\system32\PSof1.exe <==file
C:\WINDOWS\system32\exp.exe <==file
C:\WINDOWS\system32\wintask.exe <==file
C:\WINDOWS\system32\rfsch\ <==folder
C:\WINDOWS\system32\pirk\ <==folder
C:\WINDOWS\system32\ebwp\ <==folder
C:\WINDOWS\system32\sav2.exe <==file
C:\WINDOWS\system32\ctavlarr\ <==folder
C:\WINDOWS\system32\nbqkafa.exe <==file
C:\WINDOWS\system32\pshwr.exe <==file
C:\Program Files\SurfSideKick 3\ <==folder
C:\WINDOWS\system32\fucinf\ <==folder
C:\WINDOWS\svcproc.exe<==file
repairs.dll <==file You will have to search for this file. It may be in C:\WINDOWS\system32\ or C:\windows.

*******************************************


Let's empty the temp files:

Run CCleaner.

Select the Windows Tab, Run CCleaner, (click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues button and the Applications Tab. Uncheck everything under the Applications tab.

*******************************************


Restart your computer in normal mode and please post a new HijackThis log, as well as the Ewido scan log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 chrism

chrism
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 19 September 2005 - 04:01 PM

Thank you for helping me. I really appreciate it. I had some trouble following your steps:

1) Surf Sidekick did not appear in CP->Add/Remove Programs.
2) I could not delete the Surf Sidekick 3 folder as requeted. Dialog appeared that said ssk3 was in use.
3) Could not delete repairs.dll. Again. dialog appeared saying it was in use.
4) Process nbqkafa.exe was not found when I tried to kill it via HijackThis.

Ewido and CCleaner removed a lot of stuff. Logs will appear later. When I tried to remove the surf Sidekick related entries using Hijack this, they would always reappear.

I still can get into "Normal" windows mode. Computer still restarts by itself before the desktop appears. I have to boot into safe mode. I therefore did all of your stemp in safe mode.

Here is the new HijackThis log (Ewido log will follow...):
Logfile of HijackThis v1.99.1
Scan saved at 4:50:39 PM, on 9/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Tomcat_5_5\bin\tomcat5w.exe" //MS//Tomcat5
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nrywln] C:\WINDOWS\system32\aucxpe.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://E:\components\Liquid.ocx
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122472500765
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat_5_5\bin\tomcat5.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Here is the ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:26:23 PM, 9/19/2005
+ Report-Checksum: C43671B2

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{55A7E687-A677-11d3-A773-00C04F68F44E}\Pins\Input\Types\{e73be17c-8a0d-0125-d7a4-f683f5191a01} -> Spyware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InternetOffers -> Spyware.LZIO : Cleaned with backup
[232] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[280] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[292] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[456] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[524] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[576] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[984] C:\WINDOWS\system32\naxheqh.exe -> Trojan.Agent.cp : Cleaned with backup
[1196] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1340] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0002.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\system32\60001.exe -> TrojanDownloader.Small.bkr : Cleaned with backup
C:\WINDOWS\system32\CLEANexp.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\system32\ctavlarr\ckdpha.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\WINDOWS\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\WINDOWS\system32\EDowST3.exe -> TrojanDownloader.QDown.z : Cleaned with backup
C:\WINDOWS\system32\naxheqh.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINDOWS\system32\netlanm.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\nsd80.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\pkshocmy.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\pshwr.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\PSof1.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\rfsch\yovst.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\WINDOWS\system32\sav2.exe -> TrojanDownloader.Apropo.aj : Cleaned with backup
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\VB3.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\wintask.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End


Thank you again for your help.
-Chris

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:04 AM

Posted 19 September 2005 - 05:38 PM

Hi chrism,

Looks like your nail.exe infection is gone. :thumbsup: Now for the SurfSideKick 3 infection.

The reason you are having trouble deleting SurfSideKick is that a process is still running, and you cannot delete a running process.

I still can get into "Normal" windows mode.


I assume that you mean "can't get into Normal Mode". :flowers:

*******************************************


Let's look in a different place for signs of infection.

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press 'save list'
A notepad file will open.

Post the content here in your reply.

Close HijackThis.

*******************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.


Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [nrywln] C:\WINDOWS\system32\aucxpe.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://E:\components\Liquid.ocx
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O20 - AppInit_DLLs: repairs.dll



*******************************************

Download the following reg file to your desktop.
When it is finished downloading double-click on it and say Yes when it asks if you would like to merge the data.

Fixssk.reg http://www.bleepingcomputer.com/files/spyware/fixssk.reg

*******************************************

Killbox tutorial: http://forum.malwareremoval.com/viewtopic.php?t=320

Download KillBox to the desktop, that can be found here: http://www.downloads.subratam.org/KillBox.exe
Run Killbox program, in the field labeled "Full Path of File to Delete" enter

C:\Program Files\SurfSideKick 3\SskBho.dll

select the "Delete on Reboot" and click on the Red X(delete file) ,when it asks if you would like to Reboot now, press the No button


Repeat with these:
C:\WINDOWS\system32\aucxpe.exe
C:\WINDOWS\system32\repairs.dll

Sskknwrd.dll
Ssk.log
SskUpdater.exe



For last file In the field labeled "Full Path of File to Delete" enter
C:\Program Files\SurfSideKick 3\Ssk.exe


select the "Delete on Reboot" and click on the Red X(delete file) ,when it asks if you would like to Reboot now, this time press Yes button

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


*******************************************


Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner, (click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done.

I recommend that you DO NOT run anything under the Issues button and the Applications Tab. Uncheck everything under the Applications tab.

*******************************************


Finally, reboot to the Normal Mode and post a new Hijackthis log, your installed program log, and tell me how your computer is running.

Edited by SifuMike, 19 September 2005 - 06:19 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 chrism

chrism
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 23 September 2005 - 09:37 PM

Thanks again for the help. By the way, I did mean that I couldn't boot into normal mode in my previous post - sorry for any confusion.

Still can't boot into normal mode after following your last post.

Still can't seen to get rid of surfsidekick either. When I tried to "fix" the files using Hijack, I got the following error message:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: repairs.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

Here is the install log you requested:
Ad-Aware SE Personal
Adobe Acrobat 5.0
Apache Tomcat 5.5 (remove only)
ASUS Probe V2.20.07
AsusUpdate
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.2.0.0
ATI Multimedia Center 8.5.0.0
ATI RADEON 9700 Car Paint Demo v1.1
ATI RADEON 9700 Debevec RNL Demo v1.1
ATI RADEON 9700 Pipe Dream Demo v1.1
ATI RADEON 9800 Chimp Demo v1.1
ATI Remote Wonder 1.5
Bonus Movie Looks
CCleaner (remove only)
Core FTP Lite 1.3
Corel Uninstaller
DAO
Disney's Mickey Mouse Toddler
Disney's Winnie the Pooh Toddler
DVD Shrink 3.1.7
Easy CD & DVD Creator 6
EPSON Print CD
EPSON Printer Software
ewido security suite
GUIDE PLUS+™ for Windows® System - ATI
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HydraVision
Intel® PRO Network Adapters and Drivers
Intel® PROSet
InterActual Player
Internet Update
iPod Updater 2004-10-20
iTunes
J2SE Development Kit 5.0 Update 2
J2SE Runtime Environment 5.0 Update 2
Jasc Paint Shop Photo Album
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 8
Jasc Paint Shop Pro 8.10 Update Patch
Linksys PrintServer Driver
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Microsoft Picture It! Express 7.0
Movie Looks for Vegas
MUSICMATCH® Jukebox
MySQL Connector/ODBC 3.51
Namo WebEditor 5.5
Need For Speed Hot Pursuit 2
NetBeans IDE 4.0
Norton AntiVirus 2003 Professional Edition
Norton WMI Update
Power Scan
PShow
QuickTime
Scrapbook Factory Deluxe
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Select CashBack
SiSoftware Sandra Standard MAX3! (OCTools: `One tool to rule th
Sony DVD Architect 1.0d
Sony DVD Architect 2.0
Sony Vegas 4.0e
Sony Vegas 5.0b
SoundMAX
The Best Offers
Tokuoitu
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 9 Series SDK
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinSQL Lite
WinZip

Here is the hijack log after I tried all the steps in your last post. Again, this log is from safe mode because I still can't get into normal mode:
Logfile of HijackThis v1.99.1
Scan saved at 10:28:15 PM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Tomcat_5_5\bin\tomcat5w.exe" //MS//Tomcat5
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nrywln] C:\WINDOWS\system32\aucxpe.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122472500765
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat_5_5\bin\tomcat5.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Anything else we can try?

Thanks again,
-Chris

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:04 AM

Posted 23 September 2005 - 10:51 PM

Hi Chris,

Try this to get into Normal Mode:

go to Start> Run> type in MSConfig.exe
On the Boot.INI Tab, uncheck /SAFEBOOT (and any other boxes too).
Exit and reboot to normal mode: there will be a message about 'System
Configuration'
. Check the 'Do not show again' box and exit


please delete following folders:
C:\Program Files\SurfSideKick 3

Do you know what the program Tokuoitu is? Did you install it?


Open HijackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Uninstall Manager"
Click on

Select CashBack

Click on Delete this entry
Click "Yes"Close HijackThis.


Boot to the Normal Mode, post a fresh Hijackthis log. I am working on the SurfSideKick 3 problem now. :thumbsup:

Edited by SifuMike, 24 September 2005 - 01:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 chrism

chrism
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 25 September 2005 - 10:25 AM

Hi SifuMike,

Thanks for the suggestions. Still can't get into normal mode...

1) Tried MSConfig. Boot.ini tab already had all options in the "Boot Options" section unchecked.

2) Deleting folder c:\Program Files\SurfSideKick 3. Got an "Error Deleting File or Folder" dialog. "Can not delete Ssk.exe: It is being used by another person or program." ...

3) I have no idea what Tokuoito is. I don't recall ever installing anything with that name.

4) Removed Select CashBack using HijackThis

You may already know this from the logs that you asked for, but just in case you don't... I took a peek in the startup tab of MSConfig and there are several curious entries...
  • aucxpe, C:\WINDOWS\system32\aucxpe.exe r - I don't know what this is.
  • Ssk C:\Program Files\SurkSideKick 3\Ssk.exe - This is there twice.
  • 3 entries with their checkboxes checked, but no text in the "Startup Item" or "Command" columns...
Maybe the above info will help...

Here is the new Hijack log. It is from safe mode again though...

Logfile of HijackThis v1.99.1
Scan saved at 11:32:16 AM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Tomcat_5_5\bin\tomcat5w.exe" //MS//Tomcat5
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nrywln] C:\WINDOWS\system32\aucxpe.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122472500765
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat_5_5\bin\tomcat5.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Thanks,
-Chris

Edited by chrism, 25 September 2005 - 10:34 AM.


#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:04 AM

Posted 25 September 2005 - 11:54 AM

Hi chrism,

Since you do not know what Tokuoito, uninstall it.

Pplease download RegLite from here
http://www.resplendence.com/downloads

Reboot into Safe Mode

Open Reglite and Copy&Paste the bold text below into the Address Bar and hit Enter

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

In the smaller left hand pane-> Right Click the Windows folder

Select Rename-> Rename it to Windoz-> Hit Enter

Now look in the larger right hand pane-> locate and double click AppInit_DLLs

Under Value-> Remove(Delete)-> repairs.dll

Open the Search Assistant(Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced options

Now under All Files and Folders, enter this into the text box:

repairs.dll

Delete any exact matches

Reboot and Open Reglite again-> go back to the folder you renamed to Windoz and Rename it again, back to Windows


Go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each. (If found) .
C:\WINDOWS\system32\aucxpe.exe
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\SurfSideKick 3\SskBho.dll


Have HijackThis fix these entrys (if its still there)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [nrywln] C:\WINDOWS\system32\aucxpe.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs.dll


Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold

C:\WINDOWS\system32\aucxpe.exe <== file.
C:\Windows\System32\repairs.dll <== file.
C:\Program Files\SurfSideKick 3\ <== folder


Post another HijackThis log and tell me how your computer is running.

Edited by SifuMike, 25 September 2005 - 01:23 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 chrism

chrism
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 25 September 2005 - 09:16 PM

Hi SifuMike,

Once again, thank you for all your help..

Followed all you steps and I think SSK3 is finally gone ... :thumbsup:

Unfortunately, I still can't seem to get into normal windows mode... :flowers:

Here's my latest hijack log...

Logfile of HijackThis v1.99.1
Scan saved at 10:14:35 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Tomcat_5_5\bin\tomcat5w.exe" //MS//Tomcat5
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122472500765
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat_5_5\bin\tomcat5.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:04 AM

Posted 25 September 2005 - 10:22 PM

Hi chrism,

Now this might or might not work:
Go to msconfig and, under the General tab, click Normal Startup if it's not already selected. Then under the BOOT.INI tab, uncheck SAFEBOOT, if it's not already unchecked.
If either of these items did need to be changed, then OK and reboot. See what happens.

While in safe mode check you boot paths.
Click start\run and type in msconfig and then click the boot.ini tab and then click the "check all boot paths" button.
If it finds an error you will be prompted for what to do next.
Clicking the "check all boot paths" will fix the boot.ini file if it is corrupt


If you still having problems with not going to normal mode, copy an paste your boot.ini file and we will have to edit it (after we make a backup of the boot.ini).

It will be hidden and proteced, so go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Edited by SifuMike, 25 September 2005 - 10:23 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 chrism

chrism
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 26 September 2005 - 02:57 PM

Hi SifuMike,

Tried your suggestions, still can't get into normal windows. Here's my boot.ini file:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


Any ideas?

Thanks,
-Chris

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:04 AM

Posted 26 September 2005 - 05:14 PM

Hi Chris,

I still can get into "Normal" windows mode. Computer still restarts by itself before the desktop appears. I have to boot into safe mode. I therefore did all of your stemp in safe mode.


My XP system keeps restarting when I try to get in to normal windows.



I do not see any problems in your boot.ini file. :thumbsup:

Let me ask some other techies in our group if they see anything here.

Tell me exactly what happens when you boot up.

I am not understanding the "computer starts itself". Do you mean that when you turn on the computer it starts but goes to the safe mode automatically?

Or does it not start in normal mode and you press the F8 key (or use MSCONFIG) to start it in Safe Mode. I need a detailed explanation to know what is going on. :flowers:

Tried MSConfig. Boot.ini tab already had all options in the "Boot Options" section unchecked.


Lets try setting the Safe Mode switchs, rebooting, then unsetting the swicth so you go into Normal Mode.

Follow this for setting the switches to Safe Mode and back to Normal Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


If that does not work you, run Microsoft's System File Checker program.

Scannow Tutorial
http://www.updatexp.com/scannow-sfc.html

Go to Start, then Run, type sfc /scannow in the run box and press enter.
Note: there is a space between sfc and the forward slash.

Windows will ask you for your Windows Install CD so put it in...don't worry if the XP setup screen appears, this is not a part of sfc /scannow, your autorun utility in Windows is starting it. Simply minimize the screen and allow sfc to continue.

Edited by SifuMike, 26 September 2005 - 05:31 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 chrism

chrism
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 27 September 2005 - 07:32 AM

Hi SifuMike,

I'm at work right now so I can't try your suggestions, but I can answer this...

I need a detailed explanation to know what is going on.


When I turn on my PC, this is what happens (Note, I don't touch my PC at all during steps 1-4. The only thing I do is turn on the monitor and press the power button):

1) I get to the screen that says "Windows". This is the screen that has the graphic of the blue rectangles moving left to right.
2) A few seconds later the screen goes black.
3) A few seconds later I hear a beep from the PC speaker.
4) PC goes through the boot process again and I eventually see a black screen with a white text menu with safe mode options. "Normal windows" (<--I don't remember the exact text here but it was something like this) is selected by default. There is a 30 second countdown that will select the default option if I don't press a key. If the "Normal Windows" option is selected, either by default or by me pressing enter, then steps 1-4 will be repeated.
5) In order for me to do anything with the computer I have to select either "Safe Mode" or "Safe Mode with Networking". One of these two options is how I got into safe mode whenever you asked me to do something.

Hope this description helps.

Thanks,
-Chris

Edited by chrism, 27 September 2005 - 08:52 AM.


#14 chrism

chrism
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 27 September 2005 - 03:01 PM

Hi SifuMike,

Tried your suggestions - still no luck... :thumbsup:

Lets try setting the Safe Mode switchs, rebooting, then unsetting the swicth so you go into Normal Mode.

Enabled safe mode, rebooted then disabled safe mode and it still restarted over and over like I described in my previous email.

If that does not work you, run Microsoft's System File Checker program.

Tried this and it failed. Got the following error:

C:\>sfc

Microsoft® Windows XP Windows File Checker Version 5.1
© 1999-2000 Microsoft Corp. All rights reserved

Scans all protected system files and replaces incorrect versions with correct Microsoft versions.

SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/REVERT] [/PURGECACHE] [/CACHESIZE=x]

/SCANNOW Scans all protected system files immediately.
/SCANONCE Scans all protected system files once at the next boot.
/SCANBOOT Scans all protected system files at every boot.
/REVERT Return scan to default setting.
/PURGECACHE Purges the file cache.
/CACHESIZE=x Sets the file cache size.

C:\>sfc /scannow
Windows File Protection could not initiate a scan of protected system files.

The specific error code is 0x000006ba [The RPC server is unavailable.].

Still can't boot into normal mode - any ideas?

Thanks,
-Chris

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:04 AM

Posted 27 September 2005 - 05:41 PM

Hi chris,

Here is information about your error:
http://support.microsoft.com/?kbid=296241

I really hate to tell this but
you should backup all your data and perform a clean install of Windows XP Service Pack 2. :thumbsup:

Do not connect to the internet until XP is installed and the Windows Firewall is on !!

Instructions here: http://www.sans.org/rr/whitepapers/windows/1298.php - Windows XP: Surviving the First Day
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users