
Will Not Boot Into Safe Mode


  • This topic is locked
113 replies to this topic

#1 Hari25 (Members, 73 posts)

Posted 15 July 2006 - 07:37 AM

Hi, and thanks for your time.
I am using a P3 with Windows 2000 Pro Service Pack 4, and IE6.

I cannot boot into safe mode, I cannot use Windows Update, and I couldn't get HJT to work right; every time I tried to save a logfile it would crash or close.

I took a chance and deleted 15 entries from HJT and my PC is running much better. I hope I didn't delete something I needed.

I was told to rename HJT so I did, and it worked. I was able to save a logfile and it also showed entries that were not there before; all the BHOs never showed before.

Some of the entries I deleted keep coming back. I have control over my PC right now but I'm sure it's temporary.

This is my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 5:27:28 AM, on 7/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\{6890C894-03E4-1033-0402-010129200001}\Update.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\MMC.exe
C:\hijackthis[1]\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {DA9F722B-1D9E-4F51-B7CE-A32524591416} - C:\WINNT\system32\efeed.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152962177184
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: efeed - C:\WINNT\system32\efeed.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINNT\msexplore.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINNT\cplmcm.exe (file missing)

I deleted a lot of stuff already because my PC kept shutting down on me.
Another problem I'm having is with my video files, all of them no matter what kind. When I place my cursor over the file (any video file) the folder that holds them closes. I can move them from folder to folder using "select all", but it doesn't matter which folder I put them in; as soon as my cursor rests on one, the folder containing it closes. I can play these files with WMP if I access them through WMP, however I can't delete any of them, and some of these files are taking a lot of room (I had this problem before I started deleting stuff from HJT).
I ran Panda ActiveScan and it wasn't pretty. Here is the log:

Incident Status Location

Virus:Trj/Ranky.NJ Disinfected Operating system
Virus:W32/Gaobot.NDB.worm Disinfected Operating system
Adware:Adware/Mytoolbar Not disinfected C:\Program Files\ToolBar888\MyToolBar.dll
Adware:Adware/MaxFiles Not disinfected C:\Program Files\ipwins\ipwins.exe
Virus:Bck/Sdbot.GLD Disinfected Operating system
Adware:adware/maxifiles Not disinfected c:\program files\ToolBar888
Spyware:spyware/surfsidekick Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\jofo\Desktop\SmitfraudFix\Process.exe
Virus:W32/Bagle.pwdzip Disinfected C:\Documents and Settings\jofo\Desktop\SmitfraudFix.zip
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\jofo\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\jofo\Desktop\smitRem.exe[smitRem/Process.exe]
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\jofo\Local Settings\Application Data\949cdafc.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\jofo\Local Settings\Temp\b102.exe[SSK3_B5.exe]
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\jofo\Local Settings\Temp\i8.tmp
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\jofo\Local Settings\Temp\nsw4.tmp\nsProcess.dll
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\jofo\Local Settings\Temporary Internet Files\Content.IE5\U1BLAKOP\102[1].net[SSK3_B5.exe]
Virus:W32/Bagle.pwdzip Disinfected C:\Documents and Settings\jofo\SmitfraudFix.zip
Adware:Adware/Maxifiles Not disinfected C:\mc-110-12-0000144.exe
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\ipwins\Uninst.exe[≤‹«\nsProcess.dll]
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\ToolBar888\Uninst.exe[≤‹«\nsProcess.dll]
Virus:Bck/Sdbot.GLD Disinfected C:\WINNT\csrss.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINNT\system32\949cdafc.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINNT\system32\i
Virus:Bck/Poebot.HZ Disinfected C:\WINNT\system32\Isass.exe
Virus:Bck/Poebot.BJ Disinfected C:\WINNT\system32\kyxpr.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\system32\Process.exe
Virus:W32/Gaobot.NDB.worm Disinfected C:\WINNT\system32\wins\SVCHOST.EXE
Virus:Bck/Poebot.BJ Disinfected C:\WINNT\system32\yrgenbjf.exe
I also ran Dr.Web and it found 3 viruses. I think I have a logfile for it somewhere but I don't know where.


Every time I restart my PC I get a SpywareGuard warning saying a BHO object has been added; it's usually efeed.dll. When I click on remove I get the warning again until I hit OK.

If I shut down the PC properly, every time I restart a different item is added.

I've been using the SpywareBlaster system snapshot to reset my browser settings.

Any help you can give me is very much appreciated. Thx.
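The log above, triaged programmatically. This is an added example, not code from the original post or from HijackThis: it parses HJT-style lines and flags the entry classes a reviewer looks at first in a log like this one: an O20 Winlogon Notify DLL outside the stock set (efeed.dll, which also appears as an unnamed BHO in system32), an O4 autorun whose image name imitates a core Windows binary (the lssas.exe entry is taken from the 19 July log later in the thread), and O23 services with no vendor and a missing image. It also compares the BHO lines across the three logs posted in this thread: efeed.dll is registered under a different CLSID in each (DA9F722B..., DBC2D736..., 869F7319...), so it is being re-registered at every boot, which is what the SpywareGuard warning after each restart is reporting. CORE_BINARIES and KNOWN_NOTIFY are small illustrative allowlists chosen for the example, not authoritative lists.

```python
"""Triage of HijackThis (HJT) 1.99 log lines of the kind posted in this thread.
Added example, not code from the original post or from HijackThis.  The sample
lines are copied from the logs in the thread; the allowlists are small
illustrative subsets chosen for this example, not authoritative lists."""
import re
from collections import defaultdict

# Core binaries whose names malware borrows (lssas.exe, Isass.exe, a second
# svchost.exe outside system32).  Illustrative subset.
CORE_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                 "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")
# Winlogon Notify packages shipped with Windows 2000/XP.  Illustrative subset;
# a real allowlist comes from a known-clean install of the same build.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4 = re.compile(r"^O4 - \S+?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

def levenshtein(a, b):
    """Plain edit distance; catches one-letter swaps such as Isass/lsass."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def image_path(cmd):
    """Strip quotes and arguments: '"C:\\x\\y.exe" /bg' -> 'C:\\x\\y.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def looks_like_core_binary(path):
    """Core binary name outside a system directory, or a name one edit (or one
    letter reorder) away from a core binary name."""
    directory, _, base = path.lower().rpartition("\\")
    if base in CORE_BINARIES:
        return directory not in SYSTEM_DIRS
    return any(levenshtein(base, core) == 1 or sorted(base) == sorted(core)
               for core in CORE_BINARIES)

def triage(log):
    """Return (section, reason, line) for every entry worth a second look."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        if m := O2.match(line):
            if m["path"] == "(no file)":
                findings.append(("O2", "orphaned BHO registration, no file on disk", line))
            elif m["name"] == "(no name)" and m["path"].lower().rpartition("\\")[0] in SYSTEM_DIRS:
                findings.append(("O2", "unnamed BHO loaded from the system directory", line))
        elif m := O4.match(line):
            if looks_like_core_binary(image_path(m["cmd"])):
                findings.append(("O4", "autorun image imitates a core Windows binary", line))
        elif m := O20.match(line):
            if m["name"].lower() not in KNOWN_NOTIFY:
                findings.append(("O20", "non-stock Winlogon Notify DLL: winlogon.exe loads it at "
                                 "every boot, before any user-level scanner runs", line))
        elif line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and (parts[1] == "Unknown owner" or "(file missing)" in parts[2]):
                findings.append(("O23", "service with no vendor or a missing image", line))
    return findings

def clsid_drift(logs):
    """BHO DLL -> CLSIDs it was registered under across several logs of the same
    machine.  A fresh CLSID per boot means something re-registers the BHO each
    time, which matches the SpywareGuard warning after every restart."""
    seen = defaultdict(set)
    for log in logs:
        for line in log.splitlines():
            if m := O2.match(line.strip()):
                seen[m["path"].lower()].add(m["clsid"].upper())
    return {path: ids for path, ids in seen.items() if len(ids) > 1}

# LOGS[0]: lines from the 15 and 19 July logs; LOGS[1], LOGS[2]: the efeed.dll
# BHO line as it appears in the two later 19 July logs.
LOGS = [r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DA9F722B-1D9E-4F51-B7CE-A32524591416} - C:\WINNT\system32\efeed.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\lssas.exe
O20 - Winlogon Notify: efeed - C:\WINNT\system32\efeed.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINNT\msexplore.exe (file missing)
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINNT\cplmcm.exe (file missing)
""", r"""
O2 - BHO: (no name) - {DBC2D736-26F4-4E11-BF48-3A4AF3FE2EB2} - C:\WINNT\system32\efeed.dll
""", r"""
O2 - BHO: (no name) - {869F7319-382A-416E-A034-2307F123FA98} - C:\WINNT\system32\efeed.dll
"""]

if __name__ == "__main__":
    for section, reason, line in triage(LOGS[0]):
        print(f"[{section}] {reason}\n    {line}")
    for path, ids in clsid_drift(LOGS).items():
        print(f"{path}: {len(ids)} different CLSIDs {sorted(ids)}")
```

Running it reports five findings from LOGS[0] (the efeed.dll BHO, the lssas.exe autorun, the efeed Winlogon Notify entry and the two ownerless services) and leaves Spybot's SDHelper.dll, Java's jusched.exe and the VERITAS dmadmin service alone; the drift check names efeed.dll as registered under three CLSIDs.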


#2 agrarianmonk (Members, 522 posts)

Posted 17 July 2006 - 02:18 AM

Hi,

Welcome to BleepingComputer. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a BleepingComputer Staff Expert reviews my fix, I will post it for you.
In the meantime, if any problems occur, please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you're unsure of anything at all please stop and ask!
agrarianmonk

Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 agrarianmonk (Members, 522 posts)

Posted 17 July 2006 - 09:29 AM

It appears that your computer has been severely compromised. You have clearly been infected by more than one backdoor trojan.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans may be identified and can be killed, because of their backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

******************************

If you are interested in cleaning your computer, please follow these instructions:


Please install an antivirus and firewall first, because it doesn't make any sense to remove malware from your system if no scanner is preventing them from reinfecting your computer.

AVG Anti-Virus, Avira OR Avast Home Edition are good FREE antivirus scanners.
After installing ONE antivirus program, download the latest signatures, and do a full system scan.

Without a firewall your computer is susceptible to being hacked and taken over:
Kerio Personal Firewall OR ZoneAlarm are good FREE firewalls.

Read Understanding and using firewalls to learn more about using firewalls

VERY IMPORTANT: Never install more than ONE antivirus scanner and firewall on your system! Several together can give problems and decrease their reliability and effectiveness!


*************************

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.


*************************

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

*************************

Let's restore the hijackthis backups to make sure you didn't remove anything legitimate. We will remove only the bad ones once I take a look at your new log.

To restore the backups:
  • Open HiJackThis
  • Click on "View the list of Backups"
  • Place a check mark next to everything in that window
  • Click Restore
  • Click Yes
  • Reboot your computer
  • Run HiJackThis and post a new HiJackThis log for review.
*************************

In your next post, please include
  • new hijackthis log
  • uninstall list
  • gmer log
*You may need to use separate posts to ensure that the logs don't get cut off!
agrarianmonk


#4 Hari25 (Topic Starter, Members, 73 posts)

Posted 19 July 2006 - 09:25 AM

Hi again, thanks for your help.
It is not possible for me to follow your instructions completely because I could not boot into safe mode.

I also have problems downloading programs because my PC is shutting down all the time.

So what I have done is updated Windows from a CD I have... I was very reluctant to do this because I believe this disk was the root of my problems.

I then ran an HJT scan and deleted 10 items... (some of these items I can't delete; they keep showing up).

Then I booted into safe mode :thumbsup:

I ran Spybot, ActiveScan and CleanUp!

I ran HJT, tried to delete more stuff, then ran it again.

This is where I am now. I am saving this reply in Notepad so that I can post it quickly when I am online.

I also now have control over my documents and video files.

I was able to free up some space so I can try to load an anti-virus program.

I used to have Shaw Secure but I found it caused my PC to freeze all the time.

I will now go online and try to run Windows Update, ActiveScan, Dr.Web and ewido.
...

I still can't update Windows.

I ran ActiveScan. It found lots.

Dr.Web found nothing.

ewido got halfway through the scan, had found 7 items, and my PC shut down.
It did not say that it had cleaned infections, but when I ran it again I found several items with today's date on them in the quarantine file.
It seems ewido is quarantining my HJT backup files.

I ran ewido again and it found 4 infections. It says it cleaned them but I think they are back.

I installed AVG and ran it and it found 1 virus, and then my PC shut down again.

I have a problem with AVG: it tells me I must update the Roxio CD/DVD burner but Roxio asks me for a registration code.

I bought my PC used from a store and do not have the reg key.

I placed Roxio in my recycle bin before I used the scanner. Do you have any suggestions?

I will run another HJT scan and post all my logs in the order I ran the scans.

I know you asked me to restore everything I deleted from HJT, but I am worried that if I do that I won't be able to get online.
Isn't there another way to do this? Is there a way to save a logfile of HJT backups? Or maybe I could copy my backup file and e-mail it to you?


HJT #1

Logfile of HijackThis v1.99.1
Scan saved at 4:56:20 AM, on 7/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\hijackthis[1]\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {DBC2D736-26F4-4E11-BF48-3A4AF3FE2EB2} - C:\WINNT\system32\efeed.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\lssas.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152962177184
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: efeed - C:\WINNT\system32\efeed.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINNT\msexplore.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINNT\cplmcm.exe (file missing)

HJT #2

Logfile of HijackThis v1.99.1
Scan saved at 4:59:52 AM, on 7/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\hijackthis[1]\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {DBC2D736-26F4-4E11-BF48-3A4AF3FE2EB2} - C:\WINNT\system32\efeed.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152962177184
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: efeed - C:\WINNT\system32\efeed.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINNT\msexplore.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINNT\cplmcm.exe (file missing)



StartupList report, 7/19/2006, 5:00:44 AM
StartupList version: 1.52.2
Started from : C:\hijackthis[1]\test.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v5.00 SP4 (5.00.2920.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\hijackthis[1]\test.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

CleanUp! = C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

SpywareGuard Download Protection - (no file) - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\WINNT\system32\efeed.dll - {DBC2D736-26F4-4E11-BF48-3A4AF3FE2EB2}

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINNT\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[WUWebControl Class]
InProcServer32 = C:\WINNT\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1152962177184

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash8a.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flash...ent/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINNT\system32\wins\DLLHOST.EXE => C:\DOCUME~1\jofo\LOCALS~1\Temp\temp.frB822|C:\WINNT\system32\wins\SVCHOST.EXE => C:\DOCUME~1\jofo\LOCALS~1\Temp\temp.fr70B2|||

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

{6890C894-03E4-1033-0402-010129200001} = "C:\Program Files\Common Files\{6890C894-03E4-1033-0402-010129200001}\Update.exe" mc-110-12-0000144

--------------------------------------------------

End of report, 4,766 bytes
Report generated in 0.020 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MY PC IS SHUTTING DOWN I WILL TRY TO SAVE THIS


Back again. My PC shut down twice; the second time I wasn't able to save my post edit.

I don't think you really want the results of all my scans. If you do, let me know.
But can you please explain this to me?

---------------------------------------------------------
ewido anti-malware - Connection report
---------------------------------------------------------

+ Created on: 7:12:10 AM, 7/19/2006
+ Report-Checksum: 560B717F

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 24.65.35.12:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445
UDP 24.65.35.12:137
UDP 24.65.35.12:138
UDP 24.65.35.12:500

What does "listening" mean?

Here is the GMER scan:


GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-19 09:21:27
Windows 5.0.2195 Service Pack 4


---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [ED56A85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [ED56A85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [ED56A85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [ED56A85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [ED56A85A] avgtdi.sys

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----


Here is my HJT log... I did not restore it. Isn't there another way of you looking at my backups?

Logfile of HijackThis v1.99.1
Scan saved at 9:31:56 AM, on 7/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\hijackthis[1]\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {869F7319-382A-416E-A034-2307F123FA98} - C:\WINNT\system32\efeed.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152962177184
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: efeed - C:\WINNT\system32\efeed.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINNT\msexplore.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINNT\cplmcm.exe (file missing)

Every time I shut down my PC properly it says "executing winit/system32/crypnet.dll" in the shutdown box. I don't remember seeing that before.


Thanks for your help.

Edited by Hari25, 19 July 2006 - 10:30 AM.
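The question in the post above ("what does listening mean?") is not answered in this part of the thread, so here is the answer with a worked example. This is an added example, not code from the original post or from ewido. A LISTENING socket is one a service has bound and is waiting on for inbound connections; UDP has no handshake, so every bound UDP port accepts datagrams in the same way. The report shows the RPC endpoint mapper (135), NetBIOS (137, 138, 139) and SMB (445) bound either to 0.0.0.0 (every interface) or to 24.65.35.12, which is not a private RFC 1918 address, so without a firewall these ports are reachable from the Internet. The Gaobot and Sdbot families named in the Panda log spread between hosts over RPC and SMB on exactly these ports, which is why the helper put a firewall ahead of everything else. The script parses lines of this shape (the same shape as `netstat -an` on Windows 2000; the `-o` switch that adds the owning PID arrived with XP) and lists the listeners an outside host can reach. PORT_NAMES is a small illustrative subset of IANA service names, and the report lines are the ones from the post; treating 0.0.0.0 as exposed assumes, as the report shows, that the host holds a public address.

```python
"""Read a socket table like the ewido "Connection report" above (same shape as
`netstat -an` on Windows 2000) and say which listeners other hosts can reach.
Added example, not code from the original post or from ewido; the report lines
are copied from the post, PORT_NAMES is a small illustrative subset of IANA names."""
import ipaddress
import re
from dataclasses import dataclass

PORT_NAMES = {135: "msrpc (RPC endpoint mapper)", 137: "netbios-ns",
              138: "netbios-dgm", 139: "netbios-ssn (SMB over NetBIOS)",
              445: "microsoft-ds (SMB over TCP)", 500: "isakmp (IPsec key exchange)"}
LINE = re.compile(r"^(?P<proto>TCP|UDP)\s+(?P<laddr>[\d.]+):(?P<lport>\d+)"
                  r"(?:\s+(?P<raddr>[\d.]+):(?P<rport>\d+|\*))?(?:\s+(?P<state>[A-Z_]+))?$")

@dataclass
class Socket:
    proto: str
    local_ip: str
    port: int
    state: str  # LISTENING, ESTABLISHED, ...; empty for UDP, which has no state

    def is_listening(self):
        """LISTENING: bound and waiting for inbound connections.  A UDP socket
        has no handshake, so every bound UDP port accepts datagrams."""
        return self.proto == "UDP" or self.state == "LISTENING"

    def internet_reachable(self):
        """0.0.0.0 means 'every interface', which on this host includes the
        public 24.65.35.12 (assumption taken from the report); loopback,
        link-local and RFC 1918 addresses cannot be reached from the Internet."""
        ip = ipaddress.ip_address(self.local_ip)
        if ip.is_unspecified:
            return True
        return not (ip.is_loopback or ip.is_private or ip.is_link_local)

    def service(self):
        return PORT_NAMES.get(self.port, "unknown")

def parse(report):
    socks = []
    for line in report.splitlines():
        if m := LINE.match(line.strip()):
            socks.append(Socket(m["proto"], m["laddr"], int(m["lport"]), m["state"] or ""))
    return socks

def exposed_listeners(report):
    """Listening sockets bound to an address an outside host can reach."""
    return [s for s in parse(report) if s.is_listening() and s.internet_reachable()]

def describe(report):
    return [f"{s.proto} {s.port} ({s.service()}) on {s.local_ip}"
            + (" = every interface" if s.local_ip == "0.0.0.0" else "")
            for s in exposed_listeners(report)]

# Lines copied from the ewido connection report in the post above.
REPORT = """
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 24.65.35.12:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445
UDP 24.65.35.12:137
UDP 24.65.35.12:138
UDP 24.65.35.12:500
"""

if __name__ == "__main__":
    for entry in describe(REPORT):
        print("reachable from the Internet:", entry)
```

All seven entries in the report come out as exposed; a loopback listener (127.0.0.1), a private-address listener (192.168.x.x) or an ESTABLISHED client connection would not, which is the distinction a firewall rule set has to draw.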


#5 agrarianmonk (Members, 522 posts)

Posted 19 July 2006 - 12:00 PM

Hi Hari25,

Please read through these instructions in their entirety so that you know exactly what I'm asking for. If you do not understand anything, please ask any questions you have before you do anything else!

I have a couple of preliminary steps for you to go through, and then I have some questions for you.

First,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
***************************

Ok, time for some questions:

Did you uninstall Internet Explorer 6 and install version 5? Version 5 will not let you update, which is why you can't update Windows. You will need to download and install Internet Explorer 6 before we can move on.


I also need you to restore the HijackThis backups. This is really important because I need to know exactly what is on your system. Deleting HijackThis entries does not usually delete the associated files, so it's likely the files are still on your computer.

"it is not possible for me to follow your instructions completely because i could not boot into safe mode"


I don't see anywhere in my instructions that I ask you to boot into safe mode. The gmer instructions say to run the scan in safe mode only if the scan doesn't work in normal mode. If the previous gmer scan was run in safe mode, please run it again in normal mode and post the log.


In your next post, please include
  • new hijackthis log (you need to restore backups before you post your new log!)
  • gmer scan(in normal mode, please)
  • c:\vundofix.txt
*please do not post any logs that aren't requested.

let me know if you have any questions before you start carrying out these instructions.


thanks!
agrarianmonk


Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#6 Hari25


Posted 19 July 2006 - 04:00 PM

Hi,
I'm having problems getting online and staying online, so I figured I would post now while I can.
I ran ATF-Cleaner but I did not empty the recycle bin because my Roxio files are in there.
As I said before, those files conflict with AVG but I don't want to delete them.

I have tried to run VundoFix, but it never restarts itself. I will try again in safe mode after this post, if I can still get into safe mode.

While re-installing IE6 I got a message saying "files that require windows to work properly have been replaced by unrecognized versions please insert service pack 4 cd".
I don't have a Service Pack 4 CD; I got it online from the MS site.
However, this is how my problems started. At one time I was receiving the same message and it was asking me to insert the Windows 2000 Pro CD, but I did not have one as I bought this PC used from a store with Windows 2000 already installed. The only thing they gave me was a reg key.
I managed to get a Windows 2000 CD and used it to update my PC. This is when my major problems started.
It is also where I got IE5 from. I will continue to try to carry out your instructions and post again.

This gmer scan you want me to do: I am assuming you want me to run it the same way I did before?

#7 agrarianmonk


Posted 19 July 2006 - 04:07 PM

Did you run the gmer scan in normal mode last time?
agrarianmonk


#8 Hari25


Posted 19 July 2006 - 04:56 PM

Yes, I ran gmer in normal mode last time.

How do I get the Sunbelt firewall and SpywareGuard to launch on start-up?
Right now I have to run them after I start the PC.

I am now going to restore my HJT files... but some of them were quarantined by ewido. Do you need those ones too?

#9 Hari25


Posted 19 July 2006 - 05:03 PM

Here is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 4:07:32 PM, on 7/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\spooIsv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis[1]\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40F777B5-033F-4C80-A6D9-8923175DCADF} - C:\WINNT\system32\efeed.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {806B175B-B83A-440F-A456-12A9E25CC85B} - C:\WINNT\system32\efeed.dll
O2 - BHO: (no name) - {DA9F722B-1D9E-4F51-B7CE-A32524591416} - C:\WINNT\system32\efeed.dll
O2 - BHO: (no name) - {DBC2D736-26F4-4E11-BF48-3A4AF3FE2EB2} - C:\WINNT\system32\efeed.dll
O2 - BHO: (no name) - {F1D3A37F-03BE-4BB1-865E-65086703F16D} - C:\WINNT\system32\efeed.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spooIsv.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\lssas.exe
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINNT\system32\firewall.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\system32\logon.exe
O4 - HKLM\..\Run: [File Mapping Services] hp-1003.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\RunServices: [File Mapping Services] hp-1003.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [File Mapping Services] hp-1003.exe
O4 - HKCU\..\RunServices: [File Mapping Services] hp-1003.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152962177184
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: efeed - C:\WINNT\system32\efeed.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: csrss - Unknown owner - C:\WINNT\csrss.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINNT\msexplore.exe (file missing)
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\TELUSE~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINNT\cplmcm.exe (file missing)
O23 - Service: Windows web messenger - Unknown owner - C:\WINNT\msnwebmgr.exe (file missing)



Not all the files were able to be restored.
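
The log above is a good illustration of how this kind of infection hides: `C:\WINNT\system32\spooIsv.exe` (capital I, not lower-case l) sits next to the real `spoolsv.exe`, `lssas.exe` is one transposition away from `lsass.exe`, and a service points at `C:\WINNT\csrss.exe` although the genuine csrss.exe lives in system32. The following script is an added example, not part of the original thread or of HijackThis, and automates exactly that check over a log: it normalizes look-alike characters, measures edit distance against a short allow-list of Windows 2000 system binaries, and checks that exact matches are in the directory they belong in. The `LEGIT` list, the `CONFUSABLES` map and the `SAMPLE_LOG` (lines copied from the log posted above) are assumptions made for the example.

```python
"""Flag look-alike process names in a HijackThis log (added example).

Assumptions (not from the thread): the LEGIT allow-list, the CONFUSABLES
map and the constructed SAMPLE_LOG below, whose lines are copied from the
log posted above.
"""
import re

# Legitimate Windows 2000 system binaries and the directory each should
# live in (None = %SystemRoot% itself, which we cannot name reliably).
LEGIT = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "regsvc.exe": "system32", "winmgmt.exe": "wbem",
    "explorer.exe": None,
}

# Characters that are easy to confuse in the fonts HJT logs are read in.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "|": "l"})

# Optional drive path (spaces allowed), then the executable's base name.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\[^"\[\]\r\n]*?\\)?([A-Za-z0-9_~\-]+\.exe)\b', re.I)


def normalize(name):
    """Lower-case the name and collapse visually confusable characters."""
    return name.lower().translate(CONFUSABLES)


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: one edit is an
    insertion, deletion, substitution or swap of two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(name, path=None):
    """Return (imitated_legit_name, reason) if `name` looks like a spoof of a
    system binary, or None if it is either genuine or unrelated."""
    low = name.lower()
    if low in LEGIT:
        expected = LEGIT[low]
        if expected and path:
            parent = path.rsplit("\\", 1)[0].rsplit("\\", 1)[-1].lower()
            if parent != expected:
                return low, "wrong-directory"   # right name, wrong place
        return None
    norm = normalize(low)
    for legit in sorted(LEGIT):
        if norm == normalize(legit):
            return legit, "homoglyph"           # spooIsv.exe vs spoolsv.exe
    for legit in sorted(LEGIT):
        if osa_distance(low, legit) == 1:
            return legit, "near-miss"           # lssas.exe vs lsass.exe
    return None


def scan_log(text):
    """Scan every .exe mentioned in an HJT log (running processes, O4, O23 ...)
    and return sorted (raw_name, legit_name, reason) findings."""
    findings = {}
    for line in text.splitlines():
        for m in PATH_RE.finditer(line):
            full, name = m.group(0), m.group(1)
            path = full if "\\" in full else None
            verdict = classify(name, path)
            if verdict:
                findings.setdefault(name, verdict)
    return sorted((raw, legit, why) for raw, (legit, why) in findings.items())


# Constructed sample: lines taken from the HJT log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\spooIsv.exe
C:\WINNT\Explorer.EXE

O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spooIsv.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\lssas.exe
O4 - HKLM\..\Run: [File Mapping Services] hp-1003.exe
O23 - Service: csrss - Unknown owner - C:\WINNT\csrss.exe (file missing)
"""

if __name__ == "__main__":
    for raw, legit, why in scan_log(SAMPLE_LOG):
        print(f"{raw:14} imitates {legit:14} ({why})")
```

Run against the sample it reports `csrss.exe` (wrong directory), `lssas.exe` (near-miss for lsass.exe) and `spooIsv.exe` (homoglyph for spoolsv.exe), while the genuine system binaries and unrelated programs such as `hp-1003.exe` pass silently. The allow-list is deliberately short; a real deployment would load it from a known-good file inventory and also treat bare names with no path (like `hp-1003.exe`, which is resolved through the search path at logon) as worth a look.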

#10 agrarianmonk


Posted 19 July 2006 - 05:20 PM

The ones quarantined by ewido do not need to be restored.

I am checking your logs now and will be back as soon as I have reviewed all of the items.

thanks for your patience,
agrarianmonk


#11 agrarianmonk


Posted 19 July 2006 - 05:26 PM

Download this file - combofix.exe

and save it to your desktop.

Go to Start --> Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /v efeed

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next post, please include
  • new hijackthis log
  • combofix log
*use separate posts to ensure the logs don't get cut off!
agrarianmonk


#12 Hari25


Posted 19 July 2006 - 11:48 PM

Well, this is interesting. I restored 63 HJT entries from this month; not all of them were able to be restored.
I then saved a logfile and attempted to post a reply.

At this point I do not know if it worked because my PC crashed.

I was unable to do anything: I could not open My Computer, I could not search for files, I could not open IE, I could not open any online programs on my desktop.

I was able to boot into safe mode.

I ran Spybot and Ad-Aware.

I ran HJT, deleted a bunch of stuff and saved a logfile.

I opened a notepad and typed out this reply, which I will try to post if I can get online.

BTW, my PC is online; the RD and TD lights on my modem were on solid.

I'm going to try to boot normally now.

Well, it worked, I'm online, and I see that you did get my last post.

I will post a recent HJT log, then read your instructions and try to follow them.

Logfile of HijackThis v1.99.1
Scan saved at 10:08:02 PM, on 7/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\hijackthis[1]\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66AD10B6-DA28-4745-A3F7-9BE3A2B2C3A4} - C:\WINNT\system32\efeed.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spooIsv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: efeed - C:\WINNT\system32\efeed.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINNT\msexplore.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINNT\cplmcm.exe (file missing)

#13 Hari25


Posted 20 July 2006 - 12:06 AM

Here are the logs you asked for.

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\efeed.dll
C:\WINNT\system32\deefe.bak1
C:\WINNT\system32\deefe.bak2
C:\WINNT\system32\deefe.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINNT\system32\deefe.ini

23:02:19.59
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-19 23:00 3,602 C:\WINNT\system32\deefe.ini
2006-07-19 23:00 3,551 C:\WINNT\system32\deefe.ini.vir
2006-07-19 21:56 77,312 C:\WINNT\system32\vundofix.exe
2006-07-19 14:48 <DIR> C:\Program Files\sunbelt software
2006-07-19 14:40 188,928 C:\WINNT\system32\ghkzej.exe
2006-07-19 14:34 <DIR> C:\Program Files\internet explorer
2006-07-19 14:33 <DIR> C:\Program Files\outlook express
2006-07-19 14:33 <DIR> C:\Program Files\Common Files\system
2006-07-19 14:33 <DIR> C:\Program Files\Common Files\services
2006-07-19 14:32 <DIR> C:\Program Files\Common Files\microsoft shared
2006-07-19 14:32 <DIR> C:\Program Files\common files
2006-07-19 14:19 0 C:\WINNT\system32\setup_42311.exe
2006-07-19 09:36 714,238 C:\WINNT\system32\deefe.bak2.vir
2006-07-19 09:06 64,625 C:\WINNT\system32\drivers\gmer.sys
2006-07-19 09:06 528,446 C:\WINNT\gmer.dll
2006-07-19 09:06 250 C:\WINNT\gmer.ini
2006-07-19 08:07 0 C:\WINNT\system32\setup_75258.exe
2006-07-19 07:25 <DIR> C:\Program Files\windows media player
2006-07-19 07:24 776,096 C:\WINNT\system32\drivers\avg7core.sys
2006-07-19 07:24 4,992 C:\WINNT\system32\drivers\avgtdi.sys
2006-07-19 07:24 4,288 C:\WINNT\system32\drivers\avg7rsw.sys
2006-07-19 07:24 27,776 C:\WINNT\system32\drivers\avg7rsxp.sys
2006-07-19 07:24 26,848 C:\WINNT\system32\drivers\avg7rsnt.sys
2006-07-19 07:24 23,424 C:\WINNT\system32\drivers\avgmfrs.sys
2006-07-19 07:24 <DIR> C:\Program Files\grisoft
2006-07-19 07:24 <DIR> C:\Documents and Settings\jofo\Application Data\avg7
2006-07-19 07:23 <DIR> C:\Documents and Settings\jofo\Application Data\microsoft
2006-07-19 05:58 <DIR> C:\Program Files\spywareguard
2006-07-19 05:58 <DIR> C:\Program Files\spybot - search & destroy
2006-07-19 05:57 <DIR> C:\Program Files\ewido anti-malware
2006-07-19 05:57 <DIR> C:\Program Files\Common Files\{6890c894-03e4-1033-0402-010129200001}
2006-07-19 03:29 <DIR> C:\Program Files\edonkey2000
2006-07-19 02:04 117 C:\WINNT\system32\lwle.bat
2006-07-18 12:02 91,672 C:\WINNT\system32\drivers\khips.sys
2006-07-18 12:02 284,184 C:\WINNT\system32\drivers\fwdrv.sys
2006-07-17 12:44 128 C:\WINNT\system32\sfssyp.bat
2006-07-17 12:22 4,073 C:\WINNT\odbcinst.ini
2006-07-17 12:21 452,558 C:\WINNT\system32\perfstringbackup.ini
2006-07-17 12:21 271 C:\WINNT\system32\desktop.ini
2006-07-17 12:21 271 C:\WINNT\desktop.ini
2006-07-17 12:20 73 C:\WINNT\win.ini
2006-07-17 12:20 <DIR> C:\Program Files\netmeeting
2006-07-17 12:12 150 C:\WINNT\system.ini
2006-07-17 11:10 0 C:\WINNT\system32\setup_85478.exe
2006-07-16 22:30 <DIR> C:\Program Files\msn messenger
2006-07-16 21:12 0 C:\WINNT\system32\setup_24666.exe
2006-07-16 20:38 0 C:\WINNT\system32\setup_68458.exe
2006-07-16 16:00 0 C:\WINNT\system32\setup_14445.exe
2006-07-16 14:26 0 C:\WINNT\system32\setup_13575.exe
2006-07-16 14:05 0 C:\WINNT\system32\setup_73336.exe
2006-07-15 16:08 <DIR> C:\Program Files\spywareblaster
2006-07-15 15:19 <DIR> C:\Program Files\lavasoft
2006-07-15 15:19 <DIR> C:\Documents and Settings\jofo\Application Data\lavasoft
2006-07-14 00:31 <DIR> C:\Program Files\cleanup!
2006-07-13 23:51 841,525 C:\WINNT\system32\deefe.bak1.vir
2006-07-13 23:51 573,492 C:\WINNT\system32\efeed.dll.vir
2006-07-13 23:26 38,925 C:\WINNT\system32\yayayay.dll
2006-07-13 16:21 0 C:\WINNT\control.ini
2006-07-07 20:38 <DIR> C:\Program Files\Common Files\motive
2006-06-23 01:49 277,328 C:\WINNT\system32\odc.dll
2006-06-19 07:49 <DIR> C:\Program Files\msn gaming zone
2006-06-17 04:12 <DIR> C:\Program Files\winzip
2006-06-12 02:21 <DIR> C:\Documents and Settings\jofo\Application Data\f-secure
2006-06-08 07:43 <DIR> C:\Documents and Settings\jofo\Application Data\ispnews
2006-06-06 20:49 745,531 C:\WINNT\gmer.exe
2006-05-26 11:48 <DIR> C:\Program Files\telus ecare
2006-04-29 00:56 <DIR> C:\Program Files\mystic island
2006-04-27 23:56 <DIR> C:\Program Files\messenger
2006-04-27 17:49 288,417 C:\WINNT\system32\srchsts.exe
2006-04-27 05:34 <DIR> C:\Program Files\divx
2006-04-27 05:13 3,350 C:\WINNT\system32\kgygaavl.sys
2006-04-26 09:36 <DIR> C:\Program Files\brownie
2006-04-26 09:15 <DIR> C:\Program Files\accessories
2006-04-23 01:01 726,800 C:\WINNT\system32\msdtcprx.dll
2006-04-23 01:01 19,216 C:\WINNT\system32\xolehlp.dll
2006-04-23 01:01 1,202,448 C:\WINNT\system32\msdtctm.dll
2006-04-16 17:44 <DIR> C:\Documents and Settings\jofo\Application Data\corel
2006-04-02 00:51 <DIR> C:\Documents and Settings\jofo\Application Data\adobeum
2006-04-01 09:57 <DIR> C:\Documents and Settings\jofo\Application Data\macromedia
2006-03-14 18:29 <DIR> C:\Program Files\Common Files\installshield
2006-03-14 18:27 <DIR> C:\Program Files\uninstall information
2006-03-14 18:18 <DIR> C:\Program Files\wordperfect office x3 installer
2006-03-14 17:46 <DIR> C:\Documents and Settings\jofo\Application Data\brother
2006-03-14 17:45 <DIR> C:\Program Files\installshield installation information
2006-03-06 03:20 <DIR> C:\Documents and Settings\jofo\Application Data\adobe
2006-02-11 10:29 <DIR> C:\Documents and Settings\jofo\Application Data\vlc
2006-02-11 10:02 <DIR> C:\Program Files\videolan
2006-01-03 05:28 <DIR> C:\Documents and Settings\jofo\Application Data\help
2006-01-02 09:17 <DIR> C:\Program Files\3ivx
2005-12-24 17:00 <DIR> C:\Program Files\java
2005-12-24 17:00 <DIR> C:\Documents and Settings\jofo\Application Data\sun
2005-12-24 16:58 <DIR> C:\Program Files\Common Files\java
2005-12-24 14:00 <DIR> C:\Program Files\theweathernetwork
2005-12-21 21:49 <DIR> C:\Program Files\brother
2005-12-20 20:51 <DIR> C:\Program Files\Common Files\ziiu
2005-12-18 21:41 <DIR> C:\Documents and Settings\jofo\Application Data\google
2005-12-17 23:52 <DIR> C:\Documents and Settings\jofo\Application Data\motive
2005-12-17 23:30 <DIR> C:\Documents and Settings\jofo\Application Data\identities
2005-11-10 10:20 <DIR> C:\Program Files\intel
2005-11-10 10:14 <DIR> C:\Program Files\microsoft frontpage
2005-11-10 10:13 <DIR> C:\Program Files\Common Files\adobe
2005-11-10 10:13 <DIR> C:\Program Files\Common Files\adaptec shared
2005-11-10 10:13 <DIR> C:\Program Files\adobe
2005-11-10 10:09 <DIR> C:\Program Files\complus applications
2005-11-10 10:08 <DIR> C:\Program Files\windowsupdate
2005-11-10 10:08 <DIR> C:\Program Files\windows nt
2005-11-10 03:02 <DIR> C:\Program Files\Common Files\odbc


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-19 14:37 188,928 C:\WINNT\system32\ghkzej.exe
2006-07-19 14:19 0 C:\WINNT\system32\setup_42311.exe
2006-07-19 14:12 77,312 C:\WINNT\system32\VundoFix.exe
2006-07-19 09:06 745,531 C:\WINNT\gmer.exe
2006-07-19 09:06 528,446 C:\WINNT\gmer.dll
2006-07-19 09:06 250 C:\WINNT\gmer.ini
2006-07-19 08:07 0 C:\WINNT\system32\setup_75258.exe
2006-07-19 02:04 117 C:\WINNT\system32\lwle.bat
2006-07-17 12:44 128 C:\WINNT\system32\sfssyp.bat
2006-07-17 12:22 94,208 C:\WINNT\system32\odbccp32.dll
2006-07-17 12:22 90,112 C:\WINNT\system32\odbcint.dll
2006-07-17 12:22 61,440 C:\WINNT\system32\odbccu32.dll
2006-07-17 12:22 61,440 C:\WINNT\system32\odbccr32.dll
2006-07-17 12:22 61,440 C:\WINNT\system32\dbnetlib.dll
2006-07-17 12:22 45,632 C:\WINNT\system32\cliconfg.exe
2006-07-17 12:22 41,232 C:\WINNT\system32\odbcconf.exe
2006-07-17 12:22 4,656 C:\WINNT\system32\ds16gt.dll
2006-07-17 12:22 385,024 C:\WINNT\system32\sqlsrv32.dll
2006-07-17 12:22 37,136 C:\WINNT\system32\odbcad32.exe
2006-07-17 12:22 36,864 C:\WINNT\system32\mscpxl32.dll
2006-07-17 12:22 28,672 C:\WINNT\system32\dbnmpntw.dll
2006-07-17 12:22 26,224 C:\WINNT\system32\odbc16gt.dll
2006-07-17 12:22 24,848 C:\WINNT\system32\ds32gt.dll
2006-07-17 12:22 24,576 C:\WINNT\system32\odbcbcp.dll
2006-07-17 12:22 24,576 C:\WINNT\system32\dbmsvinn.dll
2006-07-17 12:22 24,576 C:\WINNT\system32\dbmsrpcn.dll
2006-07-17 12:22 24,576 C:\WINNT\system32\dbmsgnet.dll
2006-07-17 12:22 200,704 C:\WINNT\system32\odbc32.dll
2006-07-17 12:22 20,480 C:\WINNT\system32\msorc32r.dll
2006-07-17 12:22 20,480 C:\WINNT\system32\dbmsadsn.dll
2006-07-17 12:22 180,800 C:\WINNT\system32\sqlunirl.dll
2006-07-17 12:22 16,384 C:\WINNT\system32\odbc32gt.dll
2006-07-17 12:22 155,920 C:\WINNT\system32\odbctrac.dll
2006-07-17 12:22 131,072 C:\WINNT\system32\msorcl32.dll
2006-07-17 12:22 127,552 C:\WINNT\system32\cliconfg.dll
2006-07-17 12:22 126,976 C:\WINNT\system32\msdart.dll
2006-07-17 12:22 122,880 C:\WINNT\system32\odbcconf.dll
2006-07-17 12:21 0 C:\CONFIG.SYS
2006-07-17 12:21 0 C:\AUTOEXEC.BAT
2006-07-17 12:20 72,464 C:\WINNT\system32\isign32.dll
2006-07-17 12:20 63,248 C:\WINNT\system32\ils.dll
2006-07-17 12:20 57,104 C:\WINNT\system32\icwdial.dll
2006-07-17 12:20 53,520 C:\WINNT\system32\msconf.dll
2006-07-17 12:20 5,904 C:\WINNT\system32\icfgnt5.dll
2006-07-17 12:20 49,424 C:\WINNT\system32\icwphbk.dll
2006-07-17 12:20 32,880 C:\WINNT\system32\mnmdd.dll
2006-07-17 12:20 3,072 C:\WINNT\system32\nmevtmsg.dll
2006-07-17 12:20 251,152 C:\WINNT\system32\inetcfg.dll
2006-07-17 12:20 216,848 C:\WINNT\system32\mstask.dll
2006-07-17 12:20 21,776 C:\WINNT\system32\mnmsrvc.exe
2006-07-17 12:20 12,560 C:\WINNT\system32\nmmkcert.dll
2006-07-17 12:20 119,568 C:\WINNT\system32\mstask.exe
2006-07-17 12:20 10,000 C:\WINNT\system32\mstinit.exe
2006-07-17 12:12 148,992 C:\WINNT\system32\spxcoins.dll
2006-07-17 11:10 0 C:\WINNT\system32\setup_85478.exe
2006-07-16 21:12 0 C:\WINNT\system32\setup_24666.exe
2006-07-16 20:38 0 C:\WINNT\system32\setup_68458.exe
2006-07-16 16:00 0 C:\WINNT\system32\setup_14445.exe
2006-07-16 14:26 0 C:\WINNT\system32\setup_13575.exe
2006-07-16 14:05 0 C:\WINNT\system32\setup_73336.exe
2006-07-14 11:53 714,238 C:\WINNT\system32\deefe.bak2.vir
2006-07-13 23:51 841,525 C:\WINNT\system32\deefe.bak1.vir
2006-07-13 23:51 573,492 C:\WINNT\system32\efeed.dll.vir
2006-07-13 23:51 3,602 C:\WINNT\system32\deefe.ini
2006-07-13 23:51 3,551 C:\WINNT\system32\deefe.ini.vir
2006-07-13 23:26 38,925 C:\WINNT\system32\yayayay.dll
2006-07-13 16:21 0 C:\WINNT\control.ini
2006-07-13 16:19 88,848 C:\WINNT\system32\msdtclog.dll
2006-07-13 16:19 68,368 C:\WINNT\system32\stclient.dll
2006-07-13 16:19 625,936 C:\WINNT\system32\comuid.dll
2006-07-13 16:19 591,120 C:\WINNT\system32\catsrvut.dll
2006-07-13 16:19 574,224 C:\WINNT\system32\hypertrm.dll
2006-07-13 16:19 510,224 C:\WINNT\system32\clbcatq.dll
2006-07-13 16:19 146,192 C:\WINNT\system32\msdtcui.dll
2006-07-13 16:19 105,744 C:\WINNT\system32\mtxoci.dll
2006-06-23 01:49 277,328 C:\WINNT\system32\odc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Spooler SubSystem App"="C:\\WINNT\\system32\\spooIsv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"WeatherEye"="C:\\Program Files\\TheWeatherNetwork\\WeatherEye\\WeatherEye"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{6890C894-03E4-1033-0402-010129200001}"="\"C:\\Program Files\\Common Files\\{6890C894-03E4-1033-0402-010129200001}\\Update.exe\" mc-110-12-0000144"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000000
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"
"File Mapping Services"="hp-1003.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"File Mapping Services"="hp-1003.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoInternetIcon"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{6890C894-03E4-1033-0402-010129200001}"="\"C:\\Program Files\\Common Files\\{6890C894-03E4-1033-0402-010129200001}\\Update.exe\" mc-110-12-0000144"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"



Contents of the 'Scheduled Tasks' folder

Completion time: Wed 07/19/2006 23:02:35.30
ComboFix ver 06.07.19.2 - This logfile is located at C:\ComboFix.txt

ComboFix.txt




Logfile of HijackThis v1.99.1
Scan saved at 11:08:43 PM, on 7/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\spooIsv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\hijackthis[1]\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {2B9B055A-2055-4943-8CA3-331C1961CE7B} - C:\WINNT\system32\efeed.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spooIsv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: efeed - C:\WINNT\system32\efeed.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINNT\msexplore.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINNT\cplmcm.exe (file missing)

#14 agrarianmonk


Posted 20 July 2006 - 12:22 AM

Alright, I'm going to go through all your logs and post back instructions, hopefully later tonight.

Please don't do anything drastic by fixing things yourself. It really confuses me quite a bit (throws me off a bit). I know you're anxious to fix your computer, but please understand that it's just easier for me when things don't change so unexpectedly.

thanks for understanding,
agrarianmonk


#15 Hari25


Posted 20 July 2006 - 12:38 AM

Thanks, I appreciate your time.

I have a couple of questions for you:
How do I get the Sunbelt firewall to automatically run on start-up? And that last program I ran emptied my recycle bin, where I had the Roxio CD burner files stored so that they would not conflict with AVG antivirus.
I don't know anything about my CD burner, but I am guessing it won't work now. Any suggestions on where I find software for it?



