Unable To Boot In Safe Mode And Spyaxe Probs


  • This topic is locked
8 replies to this topic

#1 the doomed

the doomed

  • Members
  • 52 posts

Posted 09 January 2006 - 03:44 PM

Mate's PC is infected with SpyAxe, at least. However, when I attempt to put the PC into safe mode it restarts in any profile (admin or his) just as the desktop appears. An error message appears and disappears without the chance of reading even the first word.

HijackThis log is below:


Logfile of HijackThis v1.99.1
Scan saved at 20:24:44, on 09/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\windows\redirect9.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hpDF63.tmp
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [redirect] C:\windows\redirect9.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm103YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128961959812
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89633550-72A0-4EDC-A37B-97DE554C0A86}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 sUBs

sUBs


  • Malware Response Team
  • 2,489 posts

Posted 15 January 2006 - 12:36 PM

Hello & welcome to Bleepings.

It's been a while since you last posted the HJT log. If you still require assistance, please post a fresh HJT log.
I'm subscribed to this thread & will receive almost immediate notification once that comes in.

Thanks.
sUBs

#3 the doomed

the doomed
  • Topic Starter

  • Members
  • 52 posts

Posted 15 January 2006 - 04:14 PM

cheers.


Logfile of HijackThis v1.99.1
Scan saved at 19:03:28, on 15/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm103YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128961959812
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89633550-72A0-4EDC-A37B-97DE554C0A86}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 sUBs

sUBs


  • Malware Response Team
  • 2,489 posts

Posted 15 January 2006 - 04:33 PM

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Before we do anything else, please ensure that you have already patched your system against the recent WMF exploit. Please refer to my sig. No point in us fixing anything only for it to return tomorrow.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install - CleanUp.exe (not recommended for WinXP64)

Download & extract it to its own folder - smitRem.exe

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

If you have not already installed Ad-Aware SE 1.06, download and update aawsepersonal.exe


'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order.

Please disable Microsoft AntiSpyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the Microsoft AntiSpyware icon located in the system tray
  • Click on Security Agents Status (Enabled)
  • Click on Disable Real-time Protection

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm103YYGB



* * * * * * USING HIJACKTHIS' DELETE ON REBOOT * * * * * *


Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
  • In the popup box that appears, copy/paste in:
    • C:\WINDOWS\csrss.exe
  • Click the Open button.
  • Click YES when prompted to restart your computer.

* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!

* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


* * * *


Next go to Control Panel click Display>Desktop>Customize Desktop>Website
Under the 'Web pages' box, Uncheck everything present.


* * * *

Open Ad-aware and close ALL other windows.

1. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
  • In the General window make sure the following are selected in green:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    • Prompt to update outdated definitions - set the number of days = 7
  • Click on the Scanning button on the left and select in green:
    • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
  • Click on the Advanced button on the left and select in green:
    • Move deleted files to recycle bin
    • Include additional object information
    • DeSelect - include negligible objects information
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the Tweak button:
    • Under Scanning Engine:
      • Unload recognized processes during scanning
      • Ignore spanned files when scanning cab archives
      • Scan registry for all users instead of current user only
    • Under Cleaning Engine:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Include computer & username in logfile
      • Please DeSelect: Include Module list in logfile
2. Click on Proceed to save the settings.
3. Click Start
4. Choose - Perform Full System Scan
5. DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
6. Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
7. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
8. Right-click on the list and choose Select All
9. Click Next to finish removing the items that were found

* * * * *

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh copies of:
  • HiJackThis log
  • Online scan
  • Smitfiles.txt
  • Ewido's log
Let us know if any problems persist.
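
Added example, not part of the original posts: a small triage script for the `O4` Run entries in HijackThis logs like the ones above. It flags entries such as `[System Process] C:\WINDOWS\csrss.exe /i`, where a core Windows process name is launched from outside `System32`, and lists Run entries that appeared between two logs. The function names and the `SYSTEM32_ONLY` list are assumptions made for this example; the sample lines are excerpts from the 09/01 and 15/01 logs in this thread.

```python
import ntpath
import re

# Core Windows processes whose genuine image lives in %SystemRoot%\System32.
# (List chosen for this example; explorer.exe is excluded because it
# legitimately lives in %SystemRoot% itself.)
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Matches registry Run-style O4 lines, e.g.
#   O4 - HKLM\..\Run: [Name] C:\path\file.exe /switch
# "O4 - Global Startup:" shortcut lines are intentionally not matched.
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): "
                     r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
UNQUOTED_IMAGE = re.compile(r"(.+?\.(?:exe|com|bat|scr))(?=\s|$)", re.IGNORECASE)

# Excerpt of the log saved on 09/01/2006 (first post).
LOG_09_JAN = r"""
O4 - HKLM\..\Run: [redirect] C:\windows\redirect9.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Excerpt of the log saved on 15/01/2006 (third post).
LOG_15_JAN = r"""
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


def image_path(command):
    """Return the executable part of a Run command, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut at the first executable extension.
    match = UNQUOTED_IMAGE.match(command)
    return match.group(1) if match else command.split()[0]


def parse_run_entries(log_text):
    """Extract registry autostart (O4) entries from HijackThis log text."""
    entries = []
    for line in log_text.splitlines():
        match = O4_LINE.match(line.strip())
        if match:
            entries.append({"hive": match["hive"], "key": match["key"],
                            "name": match["name"],
                            "image": image_path(match["cmd"])})
    return entries


def masquerading(entries, system_root=r"C:\WINDOWS"):
    """Entries that use a core process name from a directory other than System32.

    Bare file names (no directory) are skipped: the log does not show where
    Windows will resolve them from.
    """
    expected = ntpath.normcase(ntpath.join(system_root, "system32"))
    hits = []
    for entry in entries:
        directory, base = ntpath.split(entry["image"])
        if (base.lower() in SYSTEM32_ONLY and directory
                and ntpath.normcase(directory) != expected):
            hits.append(entry)
    return hits


def entry_key(entry):
    """Case-insensitive identity of an autostart entry."""
    return (entry["hive"], entry["key"],
            entry["name"].lower(), entry["image"].lower())


def new_entries(before, after):
    """Autostart entries present in the later log but not in the earlier one."""
    seen = {entry_key(e) for e in before}
    return [e for e in after if entry_key(e) not in seen]


if __name__ == "__main__":
    before = parse_run_entries(LOG_09_JAN)
    after = parse_run_entries(LOG_15_JAN)
    for e in masquerading(after):
        print("system name outside System32:", e["name"], "->", e["image"])
    for e in new_entries(before, after):
        print("new since previous log:", e["name"], "->", e["image"])
```

A new entry is not necessarily malicious (the iTunes helper shows up alongside SpyAxe here); the diff only narrows down what to review.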

#5 the doomed

the doomed
  • Topic Starter

  • Members
  • 52 posts

Posted 17 January 2006 - 04:23 PM

Still unable to boot into Safe Mode, so ran applications in normal mode. Logs are below. Any idea on why I can't log in to safe mode? On occasion it is even rebooting before any login profile is even selected. Have tried setting up a new profile but no success.


Logfile of HijackThis v1.99.1
Scan saved at 19:03:28, on 15/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm103YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128961959812
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89633550-72A0-4EDC-A37B-97DE554C0A86}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 17, 2006 21:05:31
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/01/2006
Kaspersky Anti-Virus database records: 171545
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 67490
Number of viruses found: 31
Number of infected objects: 93
Number of suspicious objects: 0
Duration of the scan process: 5648 sec

Infected Object Name - Virus Name
C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.a

Scan process completed.


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:24:59, 16/01/2006
+ Report-Checksum: 33ACBBED

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{204F937E-519E-4597-96FA-8F1F59F3CB6D} -> Spyware.HotBar : Cleaned without backup
HKU\S-1-5-21-1163395192-72185382-2018322775-1003\Software\GMSoft -> Dialer.Generic : Cleaned without backup
C:\cmd.hta -> Trojan.HTA.Zones.a : Cleaned without backup
C:\Program Files\MediaGateway\MediaGateway.exe -> Adware.WinAD : Cleaned without backup
C:\WINDOWS\KB840315.log:yosae -> Downloader.Agent.bq : Cleaned without backup
C:\WINDOWS\KB842773.log:qhkfg -> Downloader.Agent.bq : Cleaned without backup
C:\WINDOWS\system32\ctor.dll -> Spyware.HotBar : Cleaned without backup
C:\WINDOWS\system32\redirect.vbs -> Downloader.Psyme.as : Cleaned without backup
C:\WINDOWS\Windows Update.log:tldtb -> Downloader.Agent.bq : Cleaned without backup


::Report End



smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 16/01/2006
The current time is: 19:17:37.32

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

SpyAxe


~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url
shopping


~~~ system32 folder ~~~

wbeconm.dll
1024 dir
ld****.tmp
mssearchnet.exe
nvctrl.exe
mscornet.exe
hp***.tmp


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2012 'explorer.exe'
Killing PID 2012 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

#6 sUBs

  • Malware Response Team

Posted 17 January 2006 - 04:30 PM

Logfile of HijackThis v1.99.1
Scan saved at 19:03:28, on 15/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

You have mistakenly posted a log scanned much earlier. May I have a fresh re-post?

#7 the doomed

  • Topic Starter


Posted 17 January 2006 - 04:57 PM

thanks



Logfile of HijackThis v1.99.1
Scan saved at 21:39:53, on 17/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128961959812
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89633550-72A0-4EDC-A37B-97DE554C0A86}: NameServer = 195.92.195.94 195.92.195.95
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8 sUBs

  • Malware Response Team

Posted 17 January 2006 - 05:12 PM

Go to Start->Run and type in regsvr32 /u occache.dll and hit OK.

Then delete these files if found:

C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll

Go to Start->Run and type in regsvr32 occache.dll and hit OK.


When that's done, your system should be cleansed. I'm still concerned about your inability to get into Safe Mode. Please do this:


Click Start > Run - type sysdm.cpl
In the System Properties page, go to 'Advanced' tab > 'Startup & Recovery' & hit the 'Settings' button
Under System Failure, untick - Automatically restart


Then try rebooting into Safe Mode again.
If you see an error message, note it down & post it here.

#9 sUBs

  • Malware Response Team

Posted 24 January 2006 - 01:23 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



