I can't get this computer to go past the user login screen when starting WinXP in normal mode. It doesn't even change the arrow like the user icon is selectable. I ran Spybot and it removed some stuff, one of which was the trojan win32.small.ih. I also ran malwarebytes anti-malware, and it removed several trojans and other items. I also scanned with AVG antivirus in command line mode in safe mode. It comes up clean. I will attach malwarebytes log and hijack this log. ------------------------------------------------------------------- Malwarebytes' Anti-Malware 1.30 Database version: 1360 Windows 5.1.2600 Service Pack 2 11/3/2008 9:17:15 AM mbam-log-2008-11-03 (09-17-15).txt Scan type: Full Scan (C:\|D:\|K:\|) Objects scanned: 148197 Time elapsed: 24 minute(s), 38 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348a7} (Adware.SmartShopper) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsys2 (Spyware.OnlineGames) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{1F06F4D3-CF3C-4B2B-A042-B9C6D778A812}\RP605\A0128498.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{1F06F4D3-CF3C-4B2B-A042-B9C6D778A812}\RP605\A0128503.dll (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe (Adware.SmartShopper) -> Quarantined and deleted successfully. C:\WINDOWS\system32\WinSys2.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully. -------------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:51:02 AM, on 11/3/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Safe mode with network support Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://tw.msi.com.tw/autobios/VerChk/LSeries.asp?MSIOCXVersion=3.79&WorkFunction=LMonitor R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [InetChk] C:\DOCUME~1\Greek\LOCALS~1\Temp\ms1210241091.exe work O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Slacker Tray App.lnk = C:\Program Files\Slacker\Software Player\slacker.tray.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1219613979156 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219613956250 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O21 - SSODL: wWOiRrXPioSFs - {A894236E-023E-89C4-923F-EC3C9DE01489} - C:\WINDOWS\system32\scky.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing) -- End of file - 6665 bytes
Tried to login to windows again normally and I was able to click on the user button to login. Loads to a black screen. No icons, no taskbar. All I get is the arrow. I can get the Windows Task Manager to display, but nothing else. Odd thing in Task Manager is none of the processes show up with User Names except System Idle Process, which is of course SYSTEM. Any help when you get a chance would be awesome.
Hi klassic You most definitely are infected. 1. Please run HijackThis. • Click on the button which says Main Menu, then Do a system scan only. • Please wait for the scan to be completed. • After the scan has completed, check the following entries. Code: O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe O4 - HKCU\..\Run: [InetChk] C:\DOCUME~1\Greek\LOCALS~1\Temp\ms1210241091.exe work O21 - SSODL: wWOiRrXPioSFs - {A894236E-023E-89C4-923F-EC3C9DE01489} - C:\WINDOWS\system32\scky.dll Click on the button Fix checked NOTE:: Close all browsers before fixing anything. 2. Please download Superantispyware Free and install it. Follow the prompts and reboot if required. Launch Superantispyware Free either by running C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.exe or right-click on the SuperAntispyware icon in your task bar (it looks like a bug) and click on Scan for Spyware, Adware, Malware... Configuring SuperAntispyware • Click on Preferences. • In the tab General and Startup, make sure the box Start SuperAntispyware when Windows starts is unchecked. This will prevent SuperAntispyware from starting everytime, because it may interfere with other fixes that may be run. • Navigate to the tab Scanning Control. • Make sure only these boxes are checked: Code: Close browsers before scanning Scan for tracking cookies Terminate memory threats before quarantining Scan Alternate Data Streams Use Kernel Direct File Access (recommended) Use Kernel Direct Registry Access (recommended) Use Direct Disk Access (recommended) • Click on Close. Updating SuperAntispyware • At the main window, click on Check for Updates.... • Wait for SuperAntispyware to be fully updated. Scanning Time • Boot into safe mode by repeatedly pressing the F8 key after you press the power button. If safe mode does not work, tell me and do the scan in normal mode. • Launch SuperAntispyware. • At the main window, click on Scan your Computer.... • Make sure all drives (excluding CD drives) are checked, select Perform Complete Scan, and then click on Next. • Wait for the scan to complete, and then click on Next>. This will quarantine and remove all detected items. • Reboot your computer. Post A Log • Launch SuperAntispyware • Click on Preferences • Navigate to the tab Statistics/Logs. • Choose the latest scan log, and the click on View Log.... • Copy and paste the contents of the log here in your next post. Best Regards
Ok, I removed the 3 items with hijackthis. I was not able to install superantispyware because it cannot be installed in safemode. It could load windows installer. And all I get in normal mode is a black screen. I was able to get run working in normal mode, but it still would not install the program. Same error about windows installer. Finally I removed the harddrive from the computer and put it in another that I already installed SuperAntiSpyware on. I booted in safe mode to the bad drive and ran the scan. Here is the log: SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 11/05/2008 at 10:55 AM Application Version : 4.21.1004 Core Rules Database Version : 3555 Trace Rules Database Version: 1543 Scan type : Complete Scan Total Scan Time : 00:37:14 Memory items scanned : 170 Memory threats detected : 0 Registry items scanned : 5291 Registry threats detected : 1 File items scanned : 18744 File threats detected : 0 Adware.UpMedia/SearchTool HKU\S-1-5-21-299502267-602609370-839522115-1003\Software\UptownInstaller I still cannot boot into windows normally.
Hi klassic Please then reboot your computer into Safe Mode With Networking by doing the following: • Restart your computer • After pressing the power button, repeatedly tap the F8 key. • Instead of Windows loading as normal, the Advanced Options Menu should appear; • Select the option to run Windows in Safe Mode With Networking, then press Enter. • Choose the administrator's account. Now, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection. • Run Combo-Fix.exe and follow the prompts. **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later. • Wait for the scan to be completed. • If it requires a reboot, please do it. • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt) Do not click on the ComoboFix window, as it may cause it to stall. Best Regards
